Verifiera AB – Court Ruling (Sweden, 2024)

The controller, Verifiera AB, operates a database that includes court decisions pertaining to involuntary psychiatric care and care of persons with substance abuse. The controller's business operations falls within the scope of the Swedish constitutional law on Freedom of Expression (Yttrandefrihetsgrundlag - YGL) due to their publishing license ("utgivningsbevis"). The Swedish DPA (Integritetsskyddsmyndigheten - IMY) issued a reprimand and an injunction against the controller. The DPA found that the publication of health-related court decisions by the controller violated Article 9(1) GDPR, which prohibits the processing of personal data related to health. It ordered the controller to take certain measures to comply with Article 9(1) GDPR. Although [https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/lag-2018218-med-kompletterande-bestammelser_sfs-2018-218/ Chapter 1, §7 of the Swedish Data Protection Act], states that the GDPR and the implementing national law shall not apply to the extent that this would conflict, among others, with the constitutional law on Freedom of Expression, the GDPR is still applicable when sensitive data is published under [https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/yttrandefrihetsgrundlag-19911469_sfs-1991-1469/#K1 Chapter 1, §20 YGL]. [https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/yttrandefrihetsgrundlag-19911469_sfs-1991-1469/#K1 Chapter 1, §20 YGL] states: “The provisions of this Constitution shall not preclude the enactment of legislation prohibiting the disclosure of personal data # revealing ethnic origin, skin colour or other similar characteristics, political opinions, religious or philosophical beliefs or trade union membership # concerning health, sex life or sexual orientation, or #  which consists of genetic data or biometric data to uniquely identify a natural person.” Thus, the DPA held that Article 9(1) GDPR is ap