When are you permitted to collect personal data?


You need support in law in order to collect personal data. This is called having a legal basis. There are different types of legal bases. One might, for example, be a contract between you and a customer, which gives you the right to collect the information needed to fulfill the contract. To collect certain other information you need consent; in other words, you need to ask the person for permission first.


Personal data can only be collected for “specific, expressly stated and justified purposes and not later be processed in a way that is not compatible with these purposes”. Thus, data that is collected for a certain purpose may not be used later on for entirely different purposes.

For example, a company can equip its cars with special GPS equipment that is used for electronic driving records in order to simplify its statement to the Swedish Tax Agency. However, the employer is not permitted to use the data that the GPS collects in order to check how long the employees take breaks.

One must have support in the data protection regulation in order to process personal data. This is called having a legal basis. There are different types of legal bases that a company can use. The most important ones are:


Legal obligation

In certain cases companies are obliged to register personal data, for example to fulfill their bookkeeping obligation according to the Bookkeeping Act.


Contract

Employment contracts, customer contracts and supplier contracts are examples of contracts that entail that the company must register and process personal data. However, the company can only register the data that is needed to fulfill the contract.


Consent

Another legal basis is consent, which means that you ask the person in question if you can register information relating to him/her. Consent according to the data protection regulation is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

If your company is going to collect information the person must first receive clear information about what data will be collected and what purpose it will be used for, in order to then give their consent.


Balancing of interests

It is also possible to process personal data after a so-called balance of interests. This is the case if the company can show that it has a legitimate interest in processing the data and that this interest carries more weight than the individual person’s right to protection of the data.


Examples of legal bases

Here are some examples of legal bases that can be used when the personal data is processed in different IT systems:

  • Payroll system, legal basis = contract and legal obligation
  • Customer directory, legal basis = contract (consent is needed for certain data)
  • Website, legal basis = consent or balance of interests


Responsible: Swedish Agency for Economic and Regional Growth
