SWEDEN Trends and Developments Contributed by: Jenny Welander Wadström, Björn Johansson Heigis, Andreas Hallbeck and Säde Märgel, Roschier
and adopted appropriate policies. It can also relate to the adequacy of follow-up measures, including ques - tions of timeliness, impartiality, sharing of information and documentation. In June of 2025, a first ruling was issued by the Labor Court concerning the Whistleblower Act (which in 2021 replaced a previous statute regarding whistle- blowing). An employee claimed to have been subject - ed to retaliatory measures upon reporting irregularities within the employer’s business. While the reporting was made before the Whistleblower Act came into effect, the Labor Court referred to preparatory works of the Whistleblower Act and concluded that it applied as the alleged retaliation took place after it came into force and replaced the previous statute. The Labor Court assessed whether the reported irregularities were of public interest and thus were covered by the Whistleblower Act. It found that irregularities are not of public interest if they are not serious enough, and that the Whistleblower Act does generally not cover personal conflicts such as that reported. The reporting person was not considered to have proven that the irregularities were of public interest and, consequently, the alleged retaliatory acts were not covered by the Whistleblower Act. As case law and supervisory practice develop, what constitutes a public interest is expected to become clearer. Further, other expectations under the Whistle - blower Act are likely to become more granular, includ - ing in relation to how investigations are to be struc - tured, and how applied procedures comply with the Whistleblowing Act’s demands and data protection requirements. Data Protection Considerations The Swedish Authority for Privacy Protection and the significance of data protection regulations Data protection is a defining feature of Swedish inter - nal investigations. The GDPR applies to investigative activity that involves the processing of personal data. The Swedish Authority for Privacy Protection ( Sw. Integritetsskyddsmyndigheten ) acts as Sweden’s supervisory authority for data protection matters and is tasked with monitoring compliance, conducting inspections, issuing enforcement decisions and pro - viding guidance.
Previously, the authority paid special attention to issues relating to the processing of employees’ per - sonal data, including monitoring of employees and use of new technology for such monitoring. Further - more, employers’ use of AI in employment contexts and while carrying out background checks have been indicated as focus areas. Even though the authority’s explicit focus areas for 2026 are connected to the processing of personal data within the public sector, the above-mentioned areas relating to the process - ing of employees’ personal data are still likely to be considered focus areas by the authority, potentially increasing enforcement risk. Background checks Conducting background checks has for a long time been a common feature in employers’ internal inves - tigations. However, conducting background checks in the absence of a legal obligation to do so is a legally complex issue in Sweden. Background checks are often carried out using spe - cialised databases offered by private companies that make extensive information about individuals, includ - ing criminal convictions, addresses and income, eas - ily searchable. Companies maintain and publish such databases by relying on the extensive right to access public documents and making the retrieval and cat - egorisation of such information in a searchable data - base possible. Historically, these databases have also – under certain circumstances – been exempt from the GDPR due to special constitutional protection, which has made the publication of personal data possible without the restrictions stipulated in the GDPR. Organisations have widely relied on these databas - es to conduct cost-efficient and informal – or more extensive and formal – background checks. However, a recent judgment from the Swedish Supreme Court restricts the possibility of constitutionally protected databases making personal data available to their cus - tomers or the general public, due to potential infringe - ments of the GDPR when the retrieved personal data is processed further by users of the databases. While the issue of the availability of personal data needed to conduct background checks is evolv - ing due to recent case law, the general principles
376 CHAMBERS.COM
Powered by FlippingBook