|Article Title: The Virtual Law Firm|
0, Average Rating: 0 (10 Max)
Part 1 In order to establish close relations with clients and customers worldwide, it is necessary for VLF to make an inventory of various national rules that may have an impact on this development. The purpose of this report is therefore to establish what effects the Data Protection Regulation has on the Internet activities of VLF in respect of the regulations in Sweden. BACKGROUND Since the 1970s several Member States of the European Union have passed legislation protecting the rights of individuals and particularly their right to privacy. Many international institutions, for example the United Nations and the Council of Europe, have produced legal texts concerning these issues. A Council of Europe convention contains the basic principles regarding the protection of individuals with regard to the processing of personal data (Treaty 108:1981). Many of these principles can be found in the data protection laws in Europe. On October 24, 1995, the European Parliament and the Council adopted directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data. The national data protection laws are to a certain extent similar, but there exists differences between them. The level of guaranteed protection to the citizens in the Member States varies a lot. This situation creates a lot of obstacles to the free flow of information. In order to remove the obstacles to the free movement of data and at the same time guarantee the protection of the right to privacy, directive 95/46/EC aims to harmonize the national provisions in this field. The right to privacy of citizens will therefore have equivalent protection across the Union. To accomplish this the Member States of the EU were required to get their national legislation in line with the provisions of the directive by October 24, 1998. The implementation process of the directive started in 1996 in all the Member States and at European level. In Sweden the committee in charge of the official examination of the data protection law proposed new data protection legislation during spring 1998. The Swedish Data Act was introduced in Sweden in 1973, being the first regulation in this field in Europe. The act was amended in 1988 with effect from January 1, 1989. Nearly ten years later the Swedish Personal Data Protection Act, enacted April 29, 1998, entered into legal force on October 24, 1998. Through this law Sweden fulfils the obligation to enact national law that is conformed to the European Union's Data Protection Directive, which took effect on October 25, 1998. The new law builds on the Swedish Data Act of 1973. The purpose of the new act is to protect people against the violation of their personal integrity by processing of personal data. The law covers all types of processing of personal information, whether automated or not. Data processing by individuals for their own private use is exempted. In order to collect and process data, it is not necessary any more to obtain a license or a permit from the Swedish Data Inspection Board (Datainspektionen). According to the Personal Data Act, there is a primary obligation to notify all data processing to the supervisory authority, which must maintain a register for the notifications. In regard to processing of personal data, which began before October 24, 1998, the act applies first as of October 1, 2001. The Data Act is applicable until that date. THE PERSONAL DATA PROTECTION ACT Definitions All kind of information that is directly or indirectly related to a living natural person is considered as personal data. Everything done with personal data is processing, whether it is performed through computer processing or not. The following is mentioned as examples of processing of personal data: Collection, Registration, Storage and Processing. A person, who alone or together with others, determines why and how personal data are to be handled, is called the controller. This is usually a legal person, a company, an association or a public authority. Even a natural person may be a controller. A personal data representative is a natural person who shall ensure that personal data is processed in a lawful and proper manner. The representative is appointed by the controller. A freely given, specific and informed indication of the data subject's agreement to processing is known as consent. A consent may be either verbal or in writing. It must, however, be voluntary. The consent must also be specific, which means that it must apply to a particular processing concerning the registered person. PROCESSING OF PERSONAL INFORMATION The data controller must make certain that: The purpose of collection and processing of information is clearly specified; only the amounts and types of information that are necessary will be processed; information is not stored any longer than necessary. Personal information may be processed only with the consent of the data subject, or if processing is necessary to Complete and implement a contract between the data controller and the subject. Fulfill legal requirements. Protect interests that are vital to the data subject. Carry out a "public interest." Perform a government function. Complete a task that is so important that it outweighs the privacy interest of the data subject. It is not allowed to process personal information for direct marketing purposes unless the data subject has approved of that in writing. The data subject may withdraw his or her consent at any time. The Principle of Access to Official Documents Freedom of the Press and Expression The principle of access to official documents, embodied in the constitution, means that public authorities are liable upon request to provide copies of public documents, except when secrecy is applicable. The Personal Information Act includes an exemption for such processing of personal data that is only related to the work of a journalist or artistic or literary work. The provisions of the act concerning security measures when processing personal data must, however, be applied. The provisions of the Personal Data Act are not to apply so that they might limit the principle of public access to documents or contradict the rules concerning the freedom of the Press Act or fundamental law on freedom of expression. Sensitive Data There is a general prohibition against the processing of sensitive personal information, including information about race or ethnic origin, political persuasion, religious or philosophical belief, trade union membership, medical condition and sexual orientation. Sensitive personal information may, however, under following circumstances be processed: If the data controller complies with the general rules for processing of personal information. If the data subject has given informed consent or has previously publicized the information, or processing is necessary in order to protect vital interests of the data subject or someone else, and where it is not possible to obtain consent from the data subject. Make sure that the data controller can fulfill his obligations and defend his legal rights in the labor court. In order to comply with any legal requirement. In addition hereto, health personnel may process sensitive personal information for therapeutic purposes; non-profit organizations may process such information for internal use; and sensitive data may be processed for research and statistical reasons. Processing of Personal Identity Numbers Data concerning personal identity numbers may be processed without consent only when manifestly justified with regard to the person in question.