Sweden: Adopted IMY guideline on the processing of personal information in the development or use of AI in accordance with GDPR

On 27 February 2024, the Swedish Data Protection Authority (DPA) published a guideline on the processing of personal information in the development or use of artificial intelligence (AI) in accordance with the General Data Protection Regulation (GDPR). The guideline stipulates that any processing of personal data in the context of AI development or use must comply with GDPR. The DPA noted that personal information includes social security numbers, names, IP addresses, email addresses, and pictures where a person is visible. The DPA also specifies that data which, on its own, cannot be directly linked to a person but, when combined with other data, can identify a person, is also classified as personal data. This includes but is not limited to a diary number, residential address, registration number of a car, or encrypted or pseudonymised personal data. The guideline also provides information on what qualifies as data processing, such as organising data for training machine learning models, sharing data among businesses for AI development, inputting data into generative AI services, and storing data within models to accomplish tasks. Lastly, the guideline lists the obligations of the data controller, including the need for a legal basis for processing, respect for the rights of data subjects, appropriate security measures, and the requirement for an impact assessment.