Swedish Supervisory Authority issues reprimand and order to Verifiera
10 October 2023
GDPR
The General Data Protection Regulation (GDPR) has been found to be applicable to parts of Verifieras personal data processing despite the presence of a voluntary disclosure certificate. The data collection has not been deemed to be covered by constitutional protection, and the processing has taken place without a legal basis.
On September 13th, a decision was published following the review by the Swedish Data Protection Authority (Integritetsskyddsmyndigheten or IMY) of the company Verifiera. Verifiera's business involves providing subscription services for a digital legal database, which includes, among other things, judgments in cases related to compulsory care due to mental health issues or substance abuse. Verifiera has what is called a "voluntary publication certificate," and one of the questions examined during the review was whether the processing of personal data was covered by constitutional protection.
As a general rule, the publication of material on the internet falls outside the scope of the Swedish Freedom of the Press Act (Yttrandefrihetsgrundlagen or YGL). This means that the General Data Protection Regulation (GDPR) is usually applicable. An exception to this rule exists through the possibility of applying for a publication certificate for databases, which provides a form of "voluntary constitutional protection" (1 chapter, section 4 of YGL). With such a publication certificate, protection is granted for expressions that occur by providing information from a database. In such cases, the GDPR does not apply to the processing of personal data to the extent that it would conflict with the YGL (see 1 chapter, section 7 of the Data Protection Act).
IMY examined whether Verifiera's data collection fell within the exception in YGL (1 chapter, section 20 of YGL), which allows for regulations prohibiting the publication of personal data, including health-related data. IMY stated that a comprehensive assessment should be made, taking into account factors such as the purpose of data collection, the type of data provided, and the search and compilation functions available.
IMY concluded that Verifiera's data collection involved a substantial gathering of legal judgments containing highly sensitive information. Furthermore, the data processing was described as having significant consequences for the data subjects, as one of the purposes of the data collection was for background checks, such as for recruitment purposes. Verifiera had not taken any measures to exclude, mask, or limit the ability to search for data that could be linked to specific individuals. IMY also emphasized that Verifiera's search service was far from the values that constitutional laws aim to protect.
IMY's assessment led to the conclusion that the exception in YGL (1 chapter, section 20 of YGL) applied to Verifiera's publication of judgments and decisions in psychiatric and LVM (care for the mentally ill) cases, and therefore, the processing was not constitutionally protected.
Due to the data collection not being considered constitutionally protected, the GDPR was declared to be applicable to Verifiera's processing of personal data insofar as it pertains to the publication of judgments and decisions in psychiatric and LVM cases. IMY further stated that the processing of sensitive personal data had violated Article 9 of the GDPR. Consequently, IMY issued a reprimand and ordered Verifiera to take measures to ensure that it is no longer possible to access information about an individual through a search if the searched person is mentioned in judgments or decisions related to psychiatric and LVM cases.