Processing of personal data relating to criminal offences in Sweden – New regulatory guidance on the interpretation of Article 10 of the GDPR

On the 8^th of December 2021, the Swedish Authority for Privacy Protection (IMY) issued a regulatory statement (Sw. rättsligt ställningstagande)^[1] regarding the meaning of the concept “personal data relating to criminal offences” in Article 10 of the GDPR.^[2] This article summarises IMY’s position.

Introduction

In Sweden, the general rule is that personal data relating to criminal (convictions or) offences referred to in Article 10 of the GDPR can only be processed by public authorities. The scope for organisations other than public authorities to process personal data relating to criminal offences is limited. Examples of when organisations other than public authorities are allowed to process such data include if the processing is necessary to i) establish, exercise or defend legal claims, or ii) in order to fulfil an obligation under law or regulation (exceptions apply to these criteria).

Summary of the regulatory statement

IMY concludes that information concerning legal proceedings which have been initiated against an individual constitutes personal data relating to criminal offences within the meaning of Article 10 of the GDPR. Consequently, the protection afforded by Article 10 extends to information that discloses whether a person is or has been the subject of a police report, preliminary investigation, prosecution or proceedings in criminal cases. The latter also includes verdicts of acquittal in criminal cases.

Personal data relating to criminal offences could include data regarding whether an individual is or has been suspected of committing a criminal offence, even though legal proceedings have not been initiated. IMY considers this interpretation to be in line with the findings issued by the Court of Justice of the European Union (CJEU) in the case Latvijas Republikas Saeima^[3], in which the CJEU stated that the objective behind Article 10 should be taken into account. According to the CJEU, the objective is to protect the data subject from processing that could risk leading to serious interference with his or her private or professional life, for example if the public access to such data would lead to social disapproval or stigmatisation of the data subject.

However, not all data regarding suspected criminal offences are covered by Article 10 of the GDPR. According to IMY, the data must be concrete to a certain degree to qualify as personal data relating to criminal offences, which they are if they concern a certain crime or category of crime. This is also the case if data are compiled in such a way that the data correspond to the objective criteria in a penal provision. If the purpose of the processing is wholly or partly to process data related to criminal offences, this indicates that the data is covered by the scope of Article 10 of the GDPR.

According to IMY, data relating to actual observations or the mere passive processing of a course of events where objective criteria in a penal provision may be met e.g., filming of possible law violations through camera surveillance, is normally not considered processing of data within the meaning of Article 10 of the GDPR.  However, it will be considered such processing if the course of events is separated afterwards in order to document, follow-up or file a police report regarding the crime.

What is the status of IMY’s regulatory statement?

IMY’s regulatory statements clarify IMY’s standpoint on legal issues where no guidance is provided by case law or the European Data Protection Board (EDPB). IMY’s regulatory statements provide guidance to the public and govern IMY’s operations. The regulatory statement is valid until further notice, although it may be revoked or amended in the event of new case law or guidance from the EDPB.

Magnusson’s data protection team

Magnusson’s data protection team advises on legal and regulatory aspects of privacy and data protection. Please do not hesitate to reach out to Caroline Landerfors or Christina Johansson to learn more about how Magnusson can assist your company in GDPR-related matters.

[1] Full text here: https://www.imy.se/globalassets/dokument/rattsligt-stallningstagande/imyrs-2021-1-lagovertradelser.pdf (in Swedish).

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[3] Judgement of 22 June 2021, Latvijas Republikas Saeima, C-439/19, EU:C:2021:504.