SWEDEN Trends and Developments Contributed by: Niclas Rockborn, Astrid Svensson and August Hansson, Gernandt & Danielsson
Interpretation of Article 10 In IMY’s regulatory statement, IMY clarified its stance on the interpretation of Article 10 of the GDPR concerning personal data relating to crim - inal convictions and offences. Article 10 of the GDPR shall, according to IMY, be interpreted to apply to information that discloses if a person is or has been the subject of a police report, prelim - inary investigation, prosecution or proceedings in criminal cases. This also includes acquittals in criminal cases, for example, if a person has been released from accusation and freed from obli - gation regarding the charges. IMY’s statement further clarifies that information indicating that a physical person has or may have been sus - pected of criminal activities can be considered to be included under the scope of Article 10 of the GDPR, regardless of whether legal proceed - ings have been initiated or not. However, this shall not be interpreted to include all information since there is a certain threshold of specificity to be considered. Additionally, IMY clarifies that observations or passive events where the objective criteria for a crime may be met are normally not considered processing of personal data relating to criminal convictions and offences. Simply put, if a sur - veillance camera captures a robbery through passive recording of a certain area, this would generally not be considered data processing under Article 10 of the GDPR. On the other hand, if the sequence of events is separated at a later stage for legal action, it will fall under the scope of Article 10 of the GDPR. Checks against sanction lists Another development concerns the legality of conducting checks against sanction lists. The processing of personal data concerning criminal convictions and offences was to some extent already permissible under the Swedish Money
Laundering and Terrorist Financing (Prevention) Act ( Lag (2017:630) om åtgärder mot penningt - vätt och finansiering av terrorism ) to the extent necessary to assess and manage the risks asso - ciated with a customer relationship. However, there was no explicit legal basis for conducting checks against sanction lists. Organisations within, eg, the financial, dual-use and military sectors, frequently need to perform checks against various international sanction lists for compliance reasons, such as sanction lists from OFAC, OFSI and the EU. As a con - sequence, unless other applicable laws author - ised checks against sanction lists, for example, through EU regulations, businesses in Sweden have been required to seek specific permission from IMY to be able to conduct checks against sanction lists since sanction lists may contain information about criminal offences. This result - ed in IMY receiving an excess of applications from entities within the financial sector seeking permission to process such personal data to comply with anti-money laundering and terror - ism financing obligations, as well as from organi - sations involved in the export of dual-use goods or military equipment to adhere to international export restrictions. IMY’s updated regulation and related guidelines aim to facilitate the processing of personal data relating to criminal convictions and offences by certain sectors. This will allow certain entities within the financial sector and military industry to process personal data relating to criminal convictions and offences when checking (for example, customers, suppliers, and employees against sanctions lists). The legislation provides a legal basis for certain organisations engaged in financial services and subject to anti-money laundering and terror -
412 CHAMBERS.COM
Powered by FlippingBook