GDPR and Anti-Money Laundering Directive (AMLD) in Sweden
26 Mar 2024

Although sanction lists contain information on legal violations - which is not sensitive personal data but data that has had stronger protection in Sweden (Article 10, GDPR). Today, Swedish companies who wish to screen against OFAC's sanction list need to apply for and be granted permission from the Swedish Data Protection Authority (IMY). Without the permission, they are not allowed to screen against OFAC.

The IMY received a high volume of applications and because of it there’s now a proposal put in motion from IMY to allow all Swedish companies that are under supervision of the Financial Supervisory Authority ("Finansinspektionen") to screen for publicly available sanction lists from foreign countries (including OFAC).

It was supposed to be entered into force from March 1st 2024 but IMY is a bit behind. When they do make the change, Swedish customers regulated by Finansinspektionen will be able to screen against OFAC. 

In navigation the complexities of GDPR and AMLD, this new proposal to allow Swedish companies to screen against OFAC will make it a lot easier for Swedish companies to conduct their crucial KYC (Know-Your-Customer) processes. 


The new regulations for regulated companies is as follows:


Företag under Finansinspektionens tillsyn

6 § Företag under Finansinspektionens tillsyn som erbjuder finansiella tjänster och som är skyldiga att efterleva kraven i lagen (2017:630) om åtgärder mot penningtvätt och finansiering av terrorism får behandla personuppgifter som avses i artikel 10 i EU:s dataskyddsförordning för kontroller mot sanktionslistor om

  1. Sanktionslistorna är fastställda i demokratisk ordning och allmänt tillgängliga på utfärdande myndigheters eller mellanstatliga organisationers webbplatser, och
  2. Företagen har vidtagit relevanta skyddsåtgärder för att kunna skilja på äkta och falska träffar.


Personuppgiftsbehandling enligt första stycket får endast avse företagens befintliga och presumtiva kunder, befintliga och presumtiva leverantörer, samarbetspartners, förmedlare, arbetstagare, arbetssökande, uppdragstagare, styrelsemedlemmar, fullmaktshavare, ställföreträdare, firmatecknare, ägare, verkliga huvudmän, tredjemanspantsättare och borgensmän, motparter i en transaktion och därmed jämförliga kategorier av personer.



Companies under the supervision of the Swedish Financial Supervisory Authority

Section 6 - Companies under the supervision of the Swedish Financial Supervisory Authority that offer financial services and are obligated to comply with the requirements of the Act (2017:630) on measures against money laundering and terrorist financing may process personal data referred to in Article 10 of the EU General Data Protection Regulation for checks against sanction lists if

1. The sanction lists are established in a democratic manner and are publicly available on the websites of issuing authorities or intergovernmental organizations, and

2. The companies have implemented relevant protective measures to distinguish between genuine and false matches.

Processing of personal data under the first paragraph may only concern the companies' existing and prospective customers, existing and prospective suppliers, partners, intermediaries, employees, job applicants, contractors, board members, attorneys-in-fact, representatives, signatories, owners, beneficial owners, third-party pledgees, and guarantors, counterparties to a transaction, and similarly comparable categories of persons.


Note: this is not legal advice and you should check if new regulations apply to your specific business.

Ready to get started?

Explore Pliance solutions, or contact sales to create a custom-made package for your business.

Contact sales
Pricing that works for you

No hidden fees, pay as you go or commit to a monthly plan.

Price Plans
Start your integration

Get up and running with Pliance in 1-2 days.

API Reference