About the General Data Protection Regulation

The General Data Protection Regulation (GDPR) contains rules for how personal data may be used. The Regulation comes into force on 25 May 2018, replacing the Personal Data Act (PuL).

One aim of the General Data Protection Regulation is to protect the basic rights and freedoms of the individual, especially the right to protection of personal data. Respect for private life is expressed in the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). The General Data Protection Regulation also has the aim of creating a uniform and equivalent level of protection of personal data within EU, so that the free flow of information within the union is not hindered.

What is personal data?

Personal data applies to every processing operation that pertains to an identified, or identifiable, now-living person. Typical personal data includes personal identity numbers, name and address, images, and audio recordings. Encrypted information and different kinds of electronic identities, such as IP addresses and cookies, are considered to be personal data if they can be connected to natural persons. Even information that has been encoded, encrypted, or pseudonymised, but that can be attributable to a natural person with the help of supplementary data, is personal data.

What is processing?

All forms of actions using personal data – for example, collection, registration, storage, processing, alteration, dissemination, erasure, or destruction – are personal data processing. The General Data Protection Regulation applies not only to both entirely and partially automated processing of personal data, but can also apply to manual processing, in special cases.

Principles for processing

All processing of personal data must comply with a number of fundamental principles. The principles imply that personal data may only be processed for justified purposes that are not overly general, and that are limited to the data that is necessary for the purpose. The data may not be processed later in a manner that is inconsistent with that purpose, nor saved longer than necessary.

The rights of a registered person

If your data has been registered, then you have the right to receive information on how your personal data is processed, both when the data is collected and whenever you request it, from the personal data controller, in this case, FOI.

You have the right to request access to your personal data and receive information about how the controller is processing it. You also have the right to request that incorrect personal data is rectified, and that the processing of your data is restricted. As a registered person, you also have the right to object to processing, as well as the right to appeal to the Swedish Data Protection Authority, which is the regulatory authority.

You also have the right, should the need arise, to deletion and portability of data. These rights may be applicable at FOI only in exceptional cases, since FOI is a government authority that is steered by specific laws and regulations – The Archives Act, among others – regarding the preservation of information.

All documents, including personal data, that are sent to the authority become public documents, which may eventually be released, if someone requests them, according to the principle of public access to official records, with the exception of data that is protected by secrecy or confidentiality.


Contact information FOI and FOI's Data Protection Officer

Swedish Defence Research Agency, FOI

E-mail: registrator@foi.se
Postal address:
FOI – Swedish Defence Research Agency
164 90 Stockholm

Data Protection Officer, FOI:

E-mail: dataskyddsombud@foi.se
Postal address:
FOI – Swedish Defence Research Agency
164 90 Stockholm


Read more about GDPR

You can read more about the General Data Protection Regulation on the Swedish Authority for Privacy Protection website External link, opens in new window.

Last updated: 2021-06-02