CW1 Inc
  • Solutions
  • Insights
  • About Us
  • Careers

Share: facebook cw1 facebook cw1 facebook cw1
Privacy Statement
Global (en)
CW1 Inc

A Short Guide for Businesses


 Navigating the Differences Between the Swedish PUL and GDPR
Erik Dahlsson
9 March 2023
SHARE: facebook cw1 facebook cw1 facebook cw1

In today's fast-paced digital world, businesses rely on personal data to drive their operations. As a result, laws and regulations exist to protect personal data, including the prominent European Union laws of Personuppgiftslagen (PUL) and the General Data Protection Regulation (GDPR). Both laws aim to safeguard personal data, but they have significant differences that can be difficult to navigate.

Scope and Applicability:

PUL is a Swedish law that regulates the processing of personal data within Sweden. This means that all businesses operating in Sweden must comply with PUL when processing personal data. GDPR, on the other hand, is a European Union law that applies to all EU member states and non-EU businesses that process personal data of EU citizens. This means that if your business processes the personal data of EU citizens, GDPR applies to you. As a result, businesses must be vigilant in ensuring compliance with both laws to avoid legal liabilities and damage to their reputation.


Obtaining explicit consent from individuals before processing personal data is an essential aspect of both PUL and GDPR. However, GDPR requires consent to be freely given, specific, informed, and unambiguous, whereas PUL only requires explicit consent. This means that businesses must provide individuals with clear information about how their personal data will be processed, including the legal basis for processing, and obtain their explicit and informed consent to avoid legal consequences, such as hefty fines and investigations by data protection authorities.

Data Processor and Controller:

The roles of data processor and controller differ significantly between PUL and GDPR. Under PUL, the data controller is responsible for ensuring that personal data is processed in accordance with the law, while the data processor is a third-party entity that processes personal data on behalf of the data controller. However, under GDPR, both data controllers and processors have specific obligations and responsibilities to protect personal data. This means that businesses must carefully consider their data processing activities and ensure that they are compliant with both laws to avoid legal consequences.

Data Protection Officer:

GDPR requires businesses that process large amounts of personal data to appoint a Data Protection Officer (DPO) to ensure compliance with the law and advise on data protection matters. Although PUL does not require the appointment of a DPO, businesses must conduct regular audits to ensure compliance with the law and avoid legal consequences.


and changes


The safeguarding of personal data is not only crucial for businesses but also for individuals. With the new regulations in place, it is imperative to protect individuals' rights and personal information. In this article, we will provide you with an exhaustive overview of the new regulations and elucidate how they affect your business.

What Are the New Regulations?

The General Data Protection Regulation (GDPR) is the novel regulation that took effect on May 25th, 2018, replacing the antecedent data protection laws. The GDPR bolsters the rights of individuals regarding their personal data and mandates businesses to obtain explicit consent from individuals before collecting and processing their personal data.

Furthermore, businesses must furnish individuals with access to their personal data upon request and ensure that it is accurate and up-to-date. The GDPR has significant ramifications for businesses of all sizes and industries.

Key Changes Introduced by the GDPR

The GDPR introduces several key changes, which comprise:

  1. Increased fines for non-compliance - Businesses that flout the new regulations can face fines of up to €20 million or 4% of their annual global turnover, whichever is greater.

  2. Mandatory data breach notifications - Businesses must notify the relevant supervisory authority of any data breaches within 72 hours of becoming cognizant of the breach.

  3. Right to erasure - Individuals have the right to request that businesses erase their personal data.

  4. Consent - Businesses must obtain explicit consent from individuals before collecting and processing their personal data. This means that pre-ticked boxes or assumed consent are no longer valid.

How Do These Changes Impact Your Business?

The GDPR has momentous implications for businesses of all sizes and industries. Failure to comply with the GDPR can lead to severe fines and reputational damage to your business. To ensure compliance with the new regulations, you must undertake the following steps:

  1. Review and update your privacy policy - Your privacy policy should be reviewed and updated to ensure compliance with the new regulations. It should also explicitly state how you collect, process, and store personal data.

  2. Obtain explicit consent - You must obtain explicit consent from individuals before collecting and processing their personal data. This implies that you cannot use pre-ticked boxes or assume consent.

  3. Train your staff - Your staff must be trained on the new regulations to guarantee that they understand their obligations and responsibilities.

  4. Implement security measures - You must institute appropriate security measures to protect personal data from unauthorized access, use, or disclosure.


CW1 AB / CW1 Inc is responsible for your data. Cookies are used to analyze traffic & customize content. Please see our cookie policy for more information.