The Swedish Data Protection Act contains no specific provisions for the processing of employees’ personal data. However, according to the Swedish Data Protection Authority, processing is necessary for the employment relationship.
The processing of sensitive data is only allowed when the processing is required for the purpose of observing and complying with employment law (Chapter 3(2) DPA).
With regard to consent, it is the employer’s responsibility to prove that the employee gave consent freely. The Swedish Data Protection Authority emphasizes that it might be difficult to obtain consent in the employment relationship and should, therefore, be limited to cases where the given consent may be associated with a clear advantage for the employee.
Guidelines of the supervisory authority
The Swedish Data Protection Authority has published a practical guideline for the processing of employee data: https://www.datainspektionen.se/globalassets/dokument/gammalt/personuppgifter-i-arbetslivet.pdf (in Swedish)