Sweden: Labour Court Rules Reading Criminal Record Extract Not Covered by GDPR
Author: Anna Tallroth
In a recent judgement, the Swedish Labour Court held that an employer did not process personal data within the material scope of the GDPR by merely receiving, reading and then destroying a criminal records extract provided by an employee upon request from the employer. Although the extract contained personal data relating to criminal convictions and reading constituted processing, the court found that the employer´s handling was purely manual and that the information neither formed, nor was intended to form, part of any filing system or register.
In AD 2026 no. 27, the Swedish Labour Court considered whether an employer had breached Article 10 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) after asking an employee to provide a criminal records extract, receiving it in a sealed envelope and then reading it. The employee, who had already started a temporary employment as a car mechanic with the employer, later claimed that the employer’s conduct entitled him to damages under Article 82 of the GDPR.
The employee’s trade union argued that the extract contained personal data relating to criminal convictions and that the employer, by receiving and reading the document, had unlawfully processed those data. The employer accepted that the extract contained personal data, but argued that its handling fell outside the GDPR because it was entirely manual – the document was reviewed and then destroyed, without being copied, scanned, recorded, stored or entered into any system, filing structure or register.
The Labour Court began by confirming that the extract contained personal data and that reading it, in itself, constitutes processing within the meaning of the GDPR. However, that did not resolve the case. Under Article 2(1), the GDPR applies to automated processing and to non-automated processing only where the data forms part of, or is intended to form part of, a filing system. Because the employer’s handling was purely manual, and it was not even claimed that the information would be included in any register, the conduct did not fall within the GDPR’s material scope.
The union’s claim was therefore dismissed in full. The Court held that the employer had not processed personal data in breach of the GDPR and also rejected the union’s request for a preliminary ruling from the Court of Justice of the European Union, finding that the answer followed clearly from Article 2(1).
Key Action Points for Human Resources and In-house Counsel:
Employers should review any practice of requesting criminal records extracts and ensure that no copies, notes or structured records are created unless there is a clear legal basis, in accordance with the provisions set out in the GDPR.
