On 18 September 2023, the Swedish Authority for Privacy Protection (IMY) published a draft of new regulations on the processing of personal data relating to criminal offences. The regulations set out the conditions under which persons other than the authorities can process personal data referred to in article 10 of EU regulation 2016/679 of 27 April 2016, and apply to companies under the supervision of the Financial Supervisory Authority offering financial services and being obliged to comply with measures against money laundering and the financing of terrorism. Also, the regulations apply to companies exporting munitions or dual-use items. In particular, the mentioned companies may process customers' personal data in order to check them against sanctions lists if two criteria are met. First, the sanctions lists must be democratically established and publicly available, and second, safeguards to distinguish between genuine and false matches must be in place.
Original source