The legal obligations and responsibilities set out in the Swedish Personal Data Act (PDA) differ depending on what role one has in relation to the processing of personal data. To ensure compliance with the PDA, it is important to keep track of whether one’s business falls under the definition of data subject, data controller, data processor or third party.
The data subject is the person about whom the data is collected and/or processed. In order to protect the interests of data subjects, the PDA provides several rights for data subjects, such as a right to access information about what data is being processed and how.
The data controller is a natural or legal person, an authority or an agency, which determines the purposes and means of the processing of the personal data. The data controller is liable for any violations of the PDA. This entails, inter alia, the responsibility to process personal data solely for clearly defined purposes, to collect consent from the data subjects when necessary, to ensure the security of the processing, and to enter into contracts with any other parties taking part in the processing.
The data processor is any natural or legal person that processes personal data on behalf of the controller. The data controller is obliged to enter into a written agreement with the processor to ensure that the data is being processed lawfully, in a secure manner and in accordance with the established purposes of the processing.
The third party is any party that does not fall under the definition of a data subject, a data controller or a processor, and that does not fall under the direct authority of the controller or authorized processor.
If you wish to know more about key players in personal data processing, please contact Ida Häggström.