Processing of special categories of personal data
In addition to the exemptions for processing a special category of personal data according to Art. 9 of the GDPR, Chapter 3 of the Swedish Data Protection Act includes rules regarding the necessary processing of personal data in the area of:
- employment law,
- health and medical care,
- social care,
- important public interest,
- archiving and statistical activities.
Thus, sensitive data may be processed under Art. 9(2)(h) GDPR, if the processing is necessary for:
- preventive healthcare and occupational medicine
- assessment of employee working capacity
- medical diagnosis
- provision of health care or treatment
- social care
- management of health-care services, social care and their systems.
Processing sensitive data for the above-mentioned reasons (a-f) is allowed, if the mandatory confidentiality stipulated in Art. 9(3) GDPR is maintained.
Processing of data relating to criminal convictions and offences
Regarding the processing of personal data on criminal offences, authorities are still able to process personal data on criminal conviction and offences or coercive measures and criminal law. Processing of such data may also be carried out by others who
are not official authorities, where the processing is necessary for the data controller to comply with provisions on archiving (Chapter 3(8) DPA) or where the government has appointed
other parties to process such personal data (Chapter 3(9) DPA).
Processing of personal identity numbers
Regarding the processing of personal identity numbers (personnummer och samordningsnummer), such data may be processed only if the data subject has given consent. However, exemptions apply where processing is clearly justified by the purpose of the processing, the importance of positive identification or any other significant reason (Chapter 3(10) DPA).