General Data Protection Regulation (GDPR) - Administration
1.7 Further laws
The General Data Protection Regulation does not govern the processing of personal data on its own. It is supplemented by Swedish laws that are already in place and by others that come into effect at the same time as the regulation (180525). We are already accustomed to Arkivlagen (the Archives Act (1990: 782)), which governs the preservation and erasure of public documents, Tryckfrihetsförordningen (the law regulating access to public documents and freedom of speech (1949: 105)), and Offentlighets- och sekretesslagen (the law that governs access to public documents (2009: 400)). Regarding personal data, Arkivlagen and Tryckfrihetsförordningen are of particular importance for the right to be forgotten, as they may contain provisions that prevent data from being deleted. Confidentiality issues are governed by Offentlighets- och sekretesslagen. It also states that public records must be registered, which usually includes the processing of personal data. When a request for information is received, it must be assessed against this act as well as the General Data Protection Regulation.
In many cases, the legal basis for personal data processing in our operations is the requirements of Högskolelagen (the Higher Education Act (1992: 1434)) or Högskoleförordningen (the Higher Education Ordinance (1993: 100)), especially regarding student data. Legal requirements that may constitute a legal basis for the processing of personal data are also found in Förvaltningslagen (the Public Administration Act (1986: 223 or 2017: 900 from 180701)). This act primarily regulates how to organize our work in connection with our obligations to serve and inform members of the general public. There are also additional provisions about the right to access data about yourself.
In addition to the laws and regulations already in force, additional laws will come into effect at the same time as the regulation. These include Dataskyddslagen (the Data Protection Act), which complements the regulation with certain national provisions (for example, the age limit for consent is 13 years), and special laws that regulate the use of personal data in research. The latter work together with Lagen om etikprövning (the Ethics Assessment Act (2003: 460)), which governs the handling of sensitive personal data for research purposes.