Social Democrats face scrutiny over potential GDPR violations related to member data sharing in Sweden

The General Data Protection Regulation (GDPR) is an EU legislation designed to protect personal data, granting individuals control over their information stored by companies. Tobias Baudin, the party secretary for the Social Democrats, has indicated that the party has shared data about its members with Kombispel, a company owned by the party, on multiple occasions. Kombispel may then further transfer this information.

Baudin emphasized that when becoming a member, individuals sign a privacy policy, which states that information can be shared with Kombispel and potentially other parties.

However, concerns have been raised regarding potential violations of Article 9 of GDPR, which regulates the sharing of sensitive personal data, including political opinions. Caroline Olstedt Carlström, chair of the Forum for Data Protection and a lawyer, argues that the way the Social Democrats have shared members’ information could be a breach of this article. Members must explicitly consent to share sensitive data with the party and Kombispel. Carlström criticized the consent collection as inadequate, suggesting that there is no legal basis for handling such data.

There have been reports that complaints regarding the Social Democrats’ handling of member data have been submitted to the Data Protection Authority, which has yet to determine whether to proceed with the investigations. If found in violation of GDPR, the Social Democrats could face significant penalties, potentially in the millions.

The party’s privacy policy mentions that personal data may be passed on to Kombispel, which acts on behalf of the Social Democrats and is required to treat the data according to specified instructions solely for the purpose of contacting members regarding lottery sales.