Privacy and the processing of personal data within Stockholm County Healthcare Services

Every time you are in contact with the healthcare system, information about you is registered. The ways in which we may register and use your personal data are subject to strict regulation. This means that we have a great responsibility to ensure that your personal data is processed in the correct way, so that we can provide a good, secure service while also protecting your personal privacy.

On this page you will find information about the definition of personal data, the situations in which we need to process your personal data, how we process your data, and which rights you have.

What is personal data?

Personal data refers to all information that can be associated with, and used to identify, an individual person. Examples include a person’s name, a photograph, an address, a telephone number or an audio recording. It could also involve more sensitive information, such as information about their health or personal views and values.

When is your personal data processed by Stockholm County Healthcare Services?

There are several situations in which we process personal data. The most common situations are:

  • In medical records.
  • In healthcare statistics.
  • In follow-ups and quality assurance of healthcare provision.
  • In healthcare research.
  • For personnel reasons, such as processing salary, absence due to illness and job applications.

Applicable laws and regulations

Personal data may only be collected and processed for justifiable purposes. It is not permitted to collect more personal data than is necessary for the stated purpose. Nor may the data be stored for longer than is necessary, or processed in a way that differs from the originally intended use.

The processing of personal data is regulated by several laws for the protection of your personal privacy, such as the Public Access to Information and Secrecy Act, the General Data Protection Regulation and the Patient Data Act. The General Data Protection Regulation (GDPR) is a new EU-wide regulation that replaces the previous personal data legislation.

For which reasons may my personal data be processed?

Personal data may only be collected and processed for explicitly stated purposes, which must also be in accordance with legal bases. As a general rule, it is necessary to obtain the consent of an individual in order to process their personal data. There are, however, several exceptions to this general rule.

When Stockholm County Healthcare Services processes personal data, the legal basis is usually that the processing is necessary in order:

  • to perform a task that is of public interest or that is part of the work of an authority, or
  • to fulfil a legal obligation.

Public interest

For a work duty to be of public interest, it must have a grounding in the legal system. The commission entrusted to Stockholm County Healthcare Services is regulated by legislation, regulations, ordinances and political decisions. In many instances, the performance of this undertaking requires us to process personal data.

Fulfilment of a legal obligation

As a public authority, Stockholm County Healthcare Services is subject to several legal obligations, which must be fulfilled. For example, we have a legal obligation to register all documentation and certain forms of personal information in various situations. Another example is that we are legally obliged to document the information that is needed in order to provide good and safe care for the patient, including in our patients’ medical records.

Who is responsible for the processing of my personal data?

Stockholm County Healthcare Services is the data controller, which means that it has ultimate responsibility for the organisation’s processing of personal data. Specifically, it is the board of Stockholm County Healthcare Services that bears ultimate responsibility for personal data, but overall responsibility has been delegated to the director of hospital care. We have also appointed a data protection officer, who ensures compliance with the rules of the GDPR and other relevant regulations.

How is my personal data protected?

As a general rule, personal data may only be made available to those who need to access it. Procedures and systems are in place to ensure that personal data is processed and protected in a secure manner.

In the healthcare sector, there are additional provisions to safeguard the protection of patient information.

Can my personal data be shared with others?

The principle of freedom of information involves the right for any individual to gain an insight into the work of public authorities – for example, by accessing public documents. Personal data included in public documents may therefore be requested and disclosed in accordance with the freedom of information principle – regardless of the purpose for which the personal data was originally processed.

The right of access to public documents does not, however, apply if the document contains data that is regarded as classified in accordance with the Public Access to Information and Secrecy Act. The constitutionally protected principle of freedom of information is not restricted by the GDPR.

We are also sometimes obliged to disclose personal data about you to others – for example, information may be disclosed to the National Board of Health and Welfare (Socialstyrelsen) or the Health and Social Care Inspectorate (Inspektionen för vård och omsorg). We may also sometimes be obliged to share information with (for example) the police or social services.

For how long will my personal data be stored?

Personal data may not be stored for longer than is necessary. This means that when personal data is no longer needed for the purpose for which it was collected, it must be deleted (storage limitation).

With regard to public authorities, there is an exception to the principle of storage limitation. Authorities are obliged to save public documents that are to be preserved for the future, even if the documents are no longer needed for the ongoing activities.

This means that, if personal data is contained in public documents that are to be saved for the future, Stockholm County Healthcare Services must save this data for longer than is necessary for the fulfilment of the original purpose.


We store and dispose of public documents in accordance with the ordinances established by the county council’s authority for public archives.

What are my rights?

If your personal data has been registered by Stockholm County Healthcare Services, you have certain rights with regard to information about, and control of, your data.

You have the right to request a copy of all data we have about you. You also have the right to request the correction of data, if any of the registered data is not correct. You also have the right to object to the processing of your personal data, and (in certain cases) have your data deleted.

The validity of these rights depends on the legal basis that justifies the processing of your personal data. This means that certain rights only apply under certain circumstances.

What can I do if I am not satisfied?

If you are not satisfied with the processing of your personal data, you should first contact the organisation that is responsible for the processing.

As a patient, you can also contact the Patients’ Advisory Committee (Patientnämnden).

You also have the right to submit complaints to the Swedish Authority for Privacy Protection (IMY) if you feel that your personal data has been processed incorrectly.

More information and contact details

If you should have any questions about our processing of personal data, or about your rights in relation to GDPR, or if you would like to contact our data protection officer, you can contact us at:

Postal address: Dataskyddsombudet, Stockholms läns sjukvårdsområde, Box 43436, 104 31 Stockholm.
Tel: 08-123 400 00 (switchboard).

Email: Remember never to send anything containing patient data by email.