Go to main content

Processing personal data

GDPR applies to all businesses operating in the EU and aims to ensure the safe processing of personal data. As a business owner, you are responsible for the personal data of your customers, employees and suppliers and for compliance with the law.

Personal data are any information that can be directly or indirectly linked to a living person. Common personal data include personal identification numbers, names and addresses. Photos of people are also classified as personal data. 

A company registration number is personal data if the company is a sole trader. The licence number of a car is personal data if it can be linked to a person, while the licence number of a company car used by several employees is not personal data. 

In some cases, different types of electronic identities, such as IP addresses, are also considered personal data if they can be linked to a specific person. 

Personal data at the Swedish Authority for Privacy Protection (IMY) 

You must have a legal justification for collecting personal data - this is called having a lawful ground. Different types of lawful grounds exist. For example, if there is a contract between you and a customer, you have the right to collect the data necessary to fulfil the contract. In order to collect certain other data, you need consent, i.e., you need to ask the person's permission first. 

See film on what constitutes a lawful ground at IMY´s website (in Swedish) 

Data may only be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation). In other words, data collected for one purpose cannot be used for completely different purposes. 

For example, a company can equip its cars with special GPS equipment used for electronic driving records to simplify reporting to the Tax Agency. However, employers are not allowed to use the data collected by the GPS to check the length of employee breaks. 

Processing of personal data must be supported by the General Data Protection Regulation (GDPR). This is called having a lawful ground. There are different lawful grounds that companies can use. The main ones are: 

Legal obligation 

In some cases, companies are required to register personal data, such as to fulfil the accounting obligation in the Swedish Bookkeeping Act. 


Employment contracts, customer contracts and supplier contracts are examples of contracts that require companies to record and manage personal data. However, the company may only record the data needed to fulfil the contract. 


Another lawful ground is consent, which means that you ask the person in question to register their data. Consent under the GDPR is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". 

If your company collects data, the person must first be clearly informed about what data is being collected and what it will be used for, and then must give his or her consent. 

Weighing of interests 

It is also possible to process personal data after a so-called weighing of interests, if the company can demonstrate that it has a legitimate need to process the data and that this need outweighs the individual's right to data protection. 

Examples of lawful grounds 

Here are some examples of lawful grounds that can be used when personal data are processed in different IT systems: 

  • salary management, lawful ground = contract and legal obligation 
  • customer register, lawful ground = contract (certain data require consent) 
  • website, lawful ground = consent or weighing of interests. 

Lawful grounds at the Swedish Authority for Privacy Protection (IMY) 

IMY can order a company that does not comply with the rules of the Regulation to pay a sanction fee, which is a form of fine. 

The penalty can be up to EUR 20 million or 4% of global annual turnover. The amount of the fine depends, among other things, on the seriousness of the breach of the rules, the extent of the damage caused, the sensitivity of the personal data and the intentionality of the breach. 

The risk of heavy fines has prompted many companies to review how they collect and process personal data. The fact is, however, that, in Sweden, previously-existing legislation, namely the Personal Data Act, regulates and limits how companies can use personal data. 

Information on fines and warnings  at the Swedish Authority for Privacy Protection (IMY) 

Accurate personal data ensure security and order 

Apart from the threat of fines for illegal processing of personal data, why should your company give any thought to personal data processing? 

By keeping only accurate and relevant data on existing customers in your customer register, business owners need not worry about the reliability of the data in the register. 

All companies, regardless of their business, benefit from keeping their production processes, their customer contacts, their accounts and their personal data processing in order. A basic principle of GDPR is to only collect personal data for a specific, pre-determined purpose, such as managing contracts, deliveries and billing for your customers. You may only collect the data necessary to fulfil the specified purpose and the data may only be kept for as long as necessary. 

Another important principle of GDPR is that personal data held by a company must be protected against theft, accidental deletion or unauthorised access. Information about your company's customers, suppliers and employees is obviously important from a competitive point of view. You probably want to prevent competitors from accessing your customers' data. 

In some cases, hackers have stolen large amounts of personal data, often including credit card details. Regardless of their size, companies that lose control of, e.g., customer data, can expect to incur costs in the form of badwill, not least from those who provided their data to the company in the belief that it would be processed responsibly and legally. 

In several sectors, codes of conduct and certifications have become a way for companies to demonstrate, e.g., that they are operating in an ethical, social or environmental manner. For many companies, meeting a certain code of conduct or holding a certain certification has become a competitive advantage. 

Codes of conduct are encouraged by the GDPR. If your company adheres to a code of conduct on personal data processing in the future, customers and suppliers can feel confident about how you handle their data, which can be a competitive advantage. 

In the same way that unprotected personal data can cost your business in badwill, you can count on goodwill if you can clearly demonstrate your compliance with the GDPR. 

One aim of GDPR is to ensure that the same rules on personal data processing apply across the EU. This makes it easier for companies to expand and operate in several EU countries. A Swedish company that complies with GDPR need not worry that the rules on, e.g., customer data processing are different in another EU country. If you have your company's personal data processing in order now, you are prepared for future expansion. 

The GDPR contains a wide range of rules and requirements for how personal data can be processed in an organisation. However, these rules do not provide much guidance on how small business owners can process personal data about customers, suppliers, employees and others. 

But all rules, recitals and other legal text in the Regulation are based on a few basic principles: 

  • Collect and process personal data only where authorised. 
  • Inform the people whose data you collect. This can include, for example, data on customers, suppliers and employees. 
  • Decide in advance what personal data will be used for and do not use the data for any other purpose. 
  • Do not collect more personal data than necessary. Never collect personal data "because it might be useful". 
  • Ensure that personal data are accurate and up to date. 
  • Delete personal data that is no longer needed. 
  • Protect data from unauthorised use and access. 
  • Document your approach to personal data processing. 

If you want to simplify these basic principles further, following these three points will take you a long way: 

  • Collect no more personal data than necessary and only for a specific, pre-determined purpose. 
  • Do not keep personal data longer than necessary. 
  • Protect the personal data you process in your business. 

Fundamental principles for GDPR at the Swedish Authority for Privacy Protection (IMY) 

When you collect data about a person, you must inform the person in question. GDPR provides a long list of information to be provided, but in short, you must inform them that you are collecting personal data, what data you are collecting and why you are collecting it. 

If you will share data with others, you must say so. Keep in mind that your statements must be clear and comprehensible and preferably in writing. 

The information you provide to individuals whose date you use must include the following: 

  • Who is responsible for the processing of personal data. This is usually your company. It is not a person, except for in sole trader businesses. Information should include contact details for the company. 
  • Why the data are collected and how they will be used. 
  • What the lawful ground is (e.g., to fulfil a contract with the customer). 
  • How long you will keep the data (for example, a maximum of one year after the end of the customer relationship). 
  • If you have indicated consent as the lawful ground (for example, to be able to send marketing material to the person), then you must also inform them that they always have the right to withdraw their consent, which means that you must stop sending them marketing material. 
  • That the person whose data you register has the right to request an extract from the register in order to check what information is registered about them. 
  • That your company is obliged to correct data that is inaccurate, incomplete or misleading. 

Data subjects' rights at the Swedish Authority for Privacy Protection (IMY)