When are you permitted to collect personal data?

You must be supported by the law in order to collect personal data. It is called having a legal basis. There are different types of legal bases. One might for example be a contract between you and a customer. This gives you the right to collect the information needed in order to fulfill the contract. In order for you to be permitted to collect certain other information you need consent, in other words you need to ask the person for permission first.

Film: What is a legal basis?

(Length: 1:37 minutes.)

The content of the film corresponds to the text on this page. 

Personal data can only be collected for “specific, expressly stated and justified purposes and not later be processed in a way that is not compatible with these purposes”.  Thus, data that is collected for a certain purpose may not be used later on for entirely different purposes.

For example, a company can equip its cars with special GPS equipment that is used for electronic driving records in order to simplify its statement to the Swedish Tax Agency. However, the employer is not permitted to use the data that the GPS collects in order to check for how long the employees take breaks.

One must have support in the data protection regulation in order to process personal data. This is called having a legal basis. There are different types of legal bases that a company can use. The most important ones are:

Legal obligation

In certain cases companies are obliged to register personal data, for example to fulfill their bookkeeping obligation according to the Bookkeeping Act.

Contract
Employment contracts, customer contracts and supplier contracts are examples of contracts that entail that the company must register and process personal data. However, the company can only register the data that is needed to fulfill the contract.

Consent
Another legal basis is consent, which means that you ask the person in question if you can register information relating to him/her. Consent according to the data protection regulation is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

If your company is going to collect information the person must first receive clear information about what data will be collected and what purpose it will be used for, in order to then give their consent.

Balancing of interests

It is also possible to process personal data after a so-called balancing of interests. This is the case if the company can show that it has a legitimate interest in processing the data and that this interest carries more weight than the individual person's right to protection of the data.

Examples of legal bases

Here are some examples of legal bases that can be used when the personal data is processed in different IT systems:

  • Payroll system, legal basis = contract and legal obligation
  • Customer directory, legal basis = contract (consent is needed for certain data)
  • Website, legal basis = consent or balance of interests

Lawful grounds for personal data processing at the Swedish Authority for Privacy Protection (IMY)

Responsible: Swedish Agency for Economic and Regional Growth
