Different ways to claim responsibility for wrongfully processing personal data

27 March 2020

Personal integrity is considered worth protecting. It is difficult to define exactly what personal integrity is, but it involves personal information about a person and that person's private life. This information should be protected from attacks by external parties. But how is personal integrity protected by law, and can individuals be punished for violating these laws?




Different ways to claim responsibility

If someone processes personal data, e.g. data about someone else's personal life, in a wrongful way, there are mainly three different ways to claim responsibility: an administrative fine in accordance with GDPR, damages in accordance with GDPR, or criminal sanctions in accordance with the Swedish Penal Code. This blog post describes these three ways to enforce accountability.


1. GDPR – administrative fine

An administrative fine is similar to the fines imposed on someone driving too fast: a public authority imposes the fine, in Sweden Datainspektionen, and the amount accrues to the State. However, as a main rule it is not possible to impose an administrative fine on a natural person. Generally, administrative fines can only be imposed on legal persons. This means that if an employee of e.g. a company processes personal data wrongfully, it is the company that has to pay the administrative fine and not the employee. It is usually the company that is the controller or the processor and, according to the GDPR, fines are imposed on the controller and/or the processor.

Administrative fines can be imposed on a natural person if the natural person is considered to be the controller. This can be the case with sole proprietors. Natural persons can also be the controller for certain processing operations that do not occur within a company, e.g. if a natural person spreads pictures by publishing them on social media.

An administrative fine has to be effective, proportionate and dissuasive. For private entities, the amount of an administrative fine can be up to 20 million euros or 4 % of the total annual worldwide turnover. For public entities, the amount can be up to 10 million euros (in Sweden).


2. GDPR – damages

A natural person has a right to damages following one or several infringements of provisions in the GDPR. Just like fines, damages are mostly imposed on a legal person. However, there are some very important differences between damages and administrative fines:

  • A fine accrues to the State, whereas damages are paid to the person or persons affected.
  • The process to receive damages does not involve Datainspektionen or any other supervisory authority. Instead, the affected person can go directly to the entity responsible or sue the party in a District Court (in Swedish: tingsrätt). The person entitled to damages can make their claim against either the controller or the processor.

In most cases, both the controller and the processor can be forced to pay the total amount of the damages. This means that, even if more than one controller and/or processor is involved, the affected person can make one of them pay for the whole damage. This is to ensure that the individual can actually receive the damages he or she is entitled to. The controller and the processor can regulate between themselves how to divide the cost.

The amount of the damages depends on how much harm the individual has suffered. If many people are affected, the total amount of the damages can be very large.

Read more about damages here.


3. The Swedish Penal Code – penalties

Natural persons are generally not controllers or processors. This means that administrative fines or damages are most often not imposed on natural persons. However, a natural person can be punished according to the Swedish Penal Code for crimes that involve processing personal data. Criminal law protects against violations of privacy between individuals. One example of a crime that protects people's integrity is the crime “unlawful breach of privacy”. The provision was added to the Swedish Penal Code last year to adjust the legislation to digital developments.

Unlawful breach of privacy means that someone spreads images or other information, e.g. information in writing. The information or images must be of a particular character, e.g. pictures of someone in a very vulnerable situation or information regarding someone’s health. It can, in other words, not be just any type of images or information, but only the ones mentioned in the legislative text.

For someone to be convicted of this crime, the information or image has to be spread. This means that the information or image has to be made available to more than a few people. However, these people do not need to actually access the information or the image. It is enough that they have the possibility.

The crime unlawful breach of privacy must either be reported for criminal prosecution by the plaintiff, or prosecution must be of general interest. If one of these two situations applies, the public prosecutor is in charge of the process. If someone is sentenced for unlawful breach of privacy, the penalty can be fines or imprisonment for up to six months.

Besides unlawful breach of privacy, the Swedish Penal Code contains crimes such as:

  • Slander, which means that someone identifies someone else as criminal, without this being true.
  • Insult, which among other things means that someone expresses something derogatory about someone else and that this is meant to be offensive.
  • Offensive photography, which means that someone e.g. illegally and in secret takes a picture of someone inside a home.


Publication License – how companies can avoid responsibility

With these three different ways to claim responsibility, people's personal integrity can be considered well protected. However, GDPR does not extend to all processing of personal data.

In Sweden, it is possible to receive a so-called Publication License, which means that a business can receive protection by constitutional law for a database. If a business receives this protection, GDPR does not apply to the database. A Publication License is issued by the Authority for press, radio and television (Myndigheten för press, radio och TV). Mass media is automatically included in this protection through the Swedish Law on the Freedom of the Press, whereas other businesses have to apply to be included. The other businesses are then included in the voluntary protection by constitutional law because of the Publication License.

There are no demands for the business to have a specific purpose to be granted a Publication License.


Further questions?

We hope you liked this blog post! If you have any further questions regarding GDPR you are more than welcome to contact us at GDPR Hero via email info@gdprhero.se or phone 046 – 273 17 17.

Are you interested in our tool for recording of processing activities? Book a free demo here.


Josefin Karlström



The content presented in this blog contains general information and is not to be considered as legal advice.