The Swedish Data Protection Authority (IMY) has been taking an active role in this area recently. IMY has published guidance on how private organisations may process personal data relating to criminal convictions and offences and has participated in panel discussions on the topic within the business community. IMY has also launched its first inspection of whether a background check company is complying with the conditions of its authorisation to process such data.
The topic has also reached the courts. In a March 2026 ruling, the Swedish Labour Court considered whether an employer had processed personal data under the GDPR by receiving and reading a criminal record extract. The court found that it had not. Under the GDPR, manual handling of data is only covered by the regulation if the data is stored in, or intended to be stored in, a filing system, and that was not the case here. For companies that do store or record such information, however, the rules under Article 10 of the GDPR apply. This article, which is based on guidance published by IMY, explains which businesses are affected by these rules, what they mean in practice, and what steps you can take to make sure your procedures are on solid legal ground.
Which businesses are affected?
More businesses than might be expected are caught by these rules. Common situations in which this legislation applies include:
- Background checks on staff, consultants or contractors
- Internal investigations into suspected irregularities or fraud
- Whistleblowing schemes where suspected offences are reported
- Checks of customers or counterparties against sanctions lists
- Incident documentation where suspected offences are recorded
The general rule
Under Article 10 of the GDPR, data relating to criminal convictions and offences (such as suspected crimes, police reports, preliminary investigations, prosecutions and convictions) is subject to extra protection. Generally, such data may only be processed under the supervision of a public authority, or where there is a clear legal basis in law. Private companies are therefore not permitted to process such data however they choose.
Information indicating that a person has committed, or may have committed, an offence may constitute data relating to criminal convictions and offences, even where no legal proceedings have yet been initiated. However, the data must be sufficiently specific, meaning it must relate to a specific offence or a particular category of offence.
Routes to lawful processing
- Legal claims or legal obligations: Personal data relating to criminal convictions and offences may be processed by parties other than public authorities where the processing is necessary for the establishment, exercise or defence of legal claims, or for compliance with a legal obligation.
- IMY’s regulations: IMY has adopted regulations (IMYFS 2024:1) permitting the processing of personal data relating to offences in certain specified situations without the need to apply for authorisation. One example is checks against sanctions lists for companies under the supervision of the Swedish Financial Supervisory Authority, though the regulations cover several other situations as well.
- Archiving: Personal data relating to criminal convictions and offences may be processed by private entities where such processing is necessary to comply with archiving regulations.
- Constitutionally protected media: Exceptions apply to media protected by the Swedish constitution, such as daily newspapers and other journalistic activities.
- Authorisation from IMY: Those who cannot rely on any of the above may apply to IMY for authorisation to process data relating to criminal convictions and offences.
A signal from IMY – and ongoing legislative work
In 2024, IMY noted that there is a growing demand for the ability to check whether individuals have committed crimes or may, for other reasons, pose a risk. At the same time, background checks are associated with significant privacy risks and can lead to serious negative consequences. IMY has assessed that the current regulatory framework is not sufficient to ensure an appropriate balance between these interests.
IMY has therefore made a request to the government to appoint a commission tasked with reviewing the need for further regulation of the ability to carry out background checks. The framework in this area may therefore change in the future, which is yet another reason to review your procedures now.
Obtaining authorisation may take time
In 2025, the average processing time for authorisation applications relating to the processing of this kind of personal data was 427 days, and only 26 per cent of the cases were concluded within six months. If your business requires authorisation, it is therefore important to begin the process in a timely manner and to ensure that your application is well founded and complete from the outset.
How can we help?
Navigating these rules and identifying the right legal basis before a problem arises is often more straightforward with early legal advice. We offer support in two concrete ways:
- Assessment of legal basis: We analyse whether your current practices are already supported by existing legislation, without the need to apply for authorisation.
- Authorisation application: If authorisation is required, we will help you prepare a complete application that maximises the prospects of a swift and positive decision.
The consequences of processing this data without a legal basis can be significant, both in terms of administrative fines and damage to your organisation’s reputation. Please do not hesitate to contact us if you would like to know more.

For further information, please contact:
Ariana Sohrabi, Bird & Bird
ariana.sohrabi@twobirds.com




