In this blog post, we will comment on what impact this new legislation will have in Sweden from a digital marketing perspective.

On April 27th 2016, the European Parliament and Council adopted Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC General Data Protection Regulation (GDPR). GDPR will be valid as law in Sweden from May 25th, 2018. The same day, The Swedish Data Protection Act (1998:204) “PUL” that is currently in force will be repealed.

In this blog post, we will comment on what impact this new law will have in Sweden from a digital marketing perspective. The goal of GDPR is to harmonize the legislation across the European union. Some national exceptions are approved, and due to this, we are only commenting the legislation from a Swedish perspective. It should also be mentioned that the Swedish law is currently in draft, so it might still change before May 25th, 2018.

Similar to PUL, the goal of GDPR is to safeguard personal privacy and to protect against offensive and all-encompassing processing of personal data. With this in mind, there will not be any major changes in GDPR compared to PUL. However, GDPR brings several clarifications of the rules, as well as clearer responsibility for the managing personal data, as well as significant penalties for those who abuse them.

GDPR contains the same rules as PUL regarding the processing of personal data, which is only allowed if the processing is legal and takes places for one expressed purpose. Furthermore, the treatment should be correct and open to the registrant, meaning that the registrant has an extended right to access information about the processing both during and after the data is collected. The processing is legal if it’s based on one of the following legal grounds:

  • Clear consent from the registrant;
  • Processing is necessary to  carry out an agreement or for taking action on the registrant’s request before agreement is reached;
  • Processing is necessary to fulfil a legal obligation;
  • Processing is necessary to protect interests of fundamental importance to the data subject or to another natural person;
  • Processing is necessary to carry out a task of general interest; or
  • Processing is supported by a legitimate interest

The legal bases are to a certain extent equivalent to the provisions of Section 10 in PUL, but some of the basics have a clearer meaning in GDPR. For example, the new rules impose higher requirements on what constitutes a valid consent from the registrant. There are also more, and to some extent higher, demands to how the treatment is carried out.

It is also stated that the processing should not be too extensive, meaning that only the information needed to achieve the purpose can be processed. Furthermore, the processing may only occur during a certain period of time. According to the general rule, the registrant must be informed in advance of how long the processing will continue, but if it is not possible to specify a defined period of time, the registrant will have to receive information on the principles that determine how long the data will be processed. An example of this is that customer data is stored as long as the registrant is a customer of the company, that employee data is processed during the term of employment, or that billing information is processed until the final payment is made.


The European Data Protection and Data Protection Expert Group (Article 29 Group) stated that direct marketing, profiling, and similar use of personal data to track behaviour and the like are allowed, but consent must be obtained from the registrant. This is not new in relation to PUL, but what is new is that the consent has to be considered valid (more about this below).

The personal data controller must also ensure that no more data is processed than necessary, that the data is not used for a longer period than is justified, and that it is not used for any purpose other than those specified. It is also important that the registrant is informed of his or her rights at any time to oppose the processing.


According to GDPR, consent can only be given in relation to a predetermined purpose. This means that if personal data is to be processed for multiple purposes, several separate consents may need to be obtained. It is further stated that consent should be “voluntary, specific, informed and unambiguous”, which imposes a requirement that personal data controllers provide complete information regarding the intended treatment in a clear manner. It is therefore important that you inform about what processing you intend to perform when obtaining the consent, but also what processing that may be carried out in the future.

Today it is common with somewhat sweeping phrasing to indicate some of the purposes for which the information may be used, such as: “Your personal information will be used for newsletters, marketing of new products and the like.”. Such phrasing will not be allowed when the new rules come into force because it does not give the registrant a clear idea of what the data will actually be used for, which means that the registrant can not give informed consent to such treatment.

Agreements may not be unnecessarily enforced, as they will not be considered voluntary. An example of this would be that the use of a service is conditional upon the individual agreeing to an extensive processing of personal data when such processing is not actually necessary to use the service. This could often include the approval of cookies. In some cases, the use of cookies entails a better service to be provided to the user, but few services are dependent on cookies being allowed. There must, therefore, be an opportunity for the user to use the service even if cookies are not allowed. In this context, it should be emphasized that the quality of service may be impaired if cookies are not allowed, as long as it is still possible to use the service. An example of this may be that a web shop may have a different, less attractive appearance, but it is still possible to make purchases as easily without the permission of cookies.

It is also stated that consent should be as easily revoked as it was obtained. The registrant must, therefore, have clear information about how to revoke the consent, and as soon as it has been revoked, the processing of personal data must be discontinued, as long as the personal data controller cannot demonstrate that there is a legitimate reason for the continuation of the processing. However, such reasons would never be for marketing or profiling purposes.


Unlike what has been mentioned to some extent in media, the new rules do not mean that the use of personal data for marketing and profiling purposes will be prohibited. Instead, clearer (and stricter) requirements are imposed on when and how usage is allowed. What should be displayed to the registrant:

  • What personal data is collected;
  • That the personal data will be used for profiling, marketing, tracking user behavior, or similar;
  • That the personal data will be processed or handed to a third party for processing in accordance with the purpose specified;
  • How long the personal data will be stored (example: “Your personal data will be stored as long as you have your user account with us and no longer than 10 days after you close your account”);
  • That the consent to the treatment may be revoked at any time and in what manner the consent may be revoked; and
  • The data subject’s rights to information, registry extracts, correction, deletion, processing limitation, data deprivation, and opposition rights.


Already today, clear information should be given about what kind of cookies are used and why, what kind of information is collected and stored by what type of cookie, and how the registered user can change their browser settings to stop such storage. This will remain the same, but with even higher demands on the information being provided. It must also be clearly stated if the service in question may be used without authorizing the use of cookies, as otherwise the consent will be deemed enforced and thus not voluntarily given.


Google Analytics and similar technologies will be allowed under the new rules if the user agrees to such use. However, in the absence of consent to the use, you will need to obtain this before the tracking via Google Analytics or similar technologies is taking place. Through GDPR, a personal information officer can be held liable for improper processing, which means that if you do not clearly inform your users about the management of personal data, you will not be able to use that data for marketing purposes.

Christoffer Lötebo Partner & Group CEO