Article | 10 December 2025

Balancing Security and Privacy: A Guide to Background Checks for Swedish FinTechs


Companies, and especially FinTechs, are under increasing pressure to know their personnel as well as they know their customers. From sanctions compliance and AML/KYC to access controls and fraud prevention, background checks and security vetting are often indispensable. Yet Swedish law offers no single definition of “background check,” and the legal framework is fragmented. As a result, many organisations find themselves operating in a grey zone, balancing legitimate security needs against stringent data protection rules.

Navigating Background Checks in Sweden: A Legal Grey Zone

Companies, especially those under the supervision of the Swedish Financial Supervisory Authority—subject to, inter alia, requirements under AML and DORA[1]—must proactively identify and manage risks, including those related to their personnel. Background checks (Sw. bakgrundskontroller) are therefore a key tool for verifying information and uncovering potential risks regarding employees, individual consultants and candidates during recruitment. However, these checks must always be proportionate and carefully balanced against the individual’s right to privacy.

Conducting background checks means navigating a complex legal landscape, with the GDPR[2] always at the forefront, since personal data is almost always involved. Yet Swedish law offers no clear definition of, or explicit prohibition on, background checks, leaving employers in a legal grey zone. The term “background check” therefore covers everything from simple reference checks to sensitive reviews of credit history, tax records, sanctions lists and (most sensitive of all) criminal records. The absence of clear rules highlights the urgent need for guidance and a unified legal framework.

This article guides you through the legal maze surrounding three particularly sensitive areas of background screening—criminal records, sanctions lists and financial information—and offers practical guidance for conducting checks in a compliant and proportionate manner. We also share best-practice advice and round off with a look ahead at the legislative changes that are set to reshape the landscape.

Criminal Records: When Are They Really Allowed?

As a rule, private actors are prohibited from processing personal data relating to criminal convictions and offences. Under the GDPR and Swedish supplementary law,[3] such processing is only permissible when necessary to establish, exercise or defend legal claims, or to fulfil specific statutory or regulatory obligations. Swedish law grants such authorisations narrowly, primarily for certain financial sector activities and other regulated areas. Further, the Swedish Authority for Privacy Protection (IMY) has issued general permissions for a handful of narrowly defined contexts,[4] and it may grant exemptions on a case‑by‑case basis upon application. In practice, most employers lack a general right to process criminal record data.

Two limited avenues exist to obtain criminal record information without direct employer processing. First, an organisation may ask an individual to bring and display a criminal record extract during a physical meeting, without the organisation making any copy or note of its contents beyond recording that the extract was presented.[5] Second, a specialist provider holding a separate right, such as an IMY permit for handling criminal records data, can conduct the screening; in that case the provider’s permit conditions govern the process, and results are typically delivered orally and in summary form.

In all other scenarios, companies may struggle to find a sufficient legal basis and should in that case refrain from requesting, collecting or recording information about criminal offences. Where criminal record checks are permissible, proportionality is crucial: restrict use to roles with genuine risk exposure, avoid retaining results, and document only the fact of presentation and the decision made.

Sanctions Screening: Essential, Yet Heavily Regulated

The expansion of EU and UN measures in recent years has significantly increased the importance of sanctions screening. For financial institutions regulated by the Swedish Financial Supervisory Authority, and for actors in the security and defence markets under the Inspectorate of Strategic Products, processing criminal offence data for sanctions checks may be permissible to the extent necessary to comply with regulatory requirements. IMY’s general authorisation[6] permits such entities to process criminal offence data for screening personnel and candidates against official sanctions lists, including those of the EU and UN.

Under this authorisation, companies may conduct screenings directly against the official lists or use reputable third‑party vendors. As always, organisations must ensure a valid GDPR legal basis, apply strict purpose limitation, and keep data retention to the minimum necessary for auditability. For companies outside the scope of IMY’s general authorisation, sanctions screening of staff or candidates may still be justifiable but requires careful analysis to avoid unlawful processing of offence‑related data.

Financial Background Checks: Striking the Right Balance

Financial data, such as income levels, tax information, credit histories, property holdings, debt or payment defaults, while not per se categorised as “special category” data under Article 9 GDPR, presents heightened privacy risks and may require additional justification. Swedish guidance indicates that some collection of income information may be permissible on the basis of legitimate interests, provided a documented balancing test clearly demonstrates that the employer’s need outweighs the individual’s privacy interest. By contrast, collecting broader financial information (e.g. property holdings or debt) generally demands stronger justification, often limited to roles with extensive decision‑making authority and significant financial responsibility.

Credit checks are subject to specific regulations, requiring a legitimate need (e.g. an existing or impending credit relationship, or a justified financial risk assessment). For employers, this may restrict credit checks to roles where financial integrity is a bona fide requirement and less intrusive measures are insufficient. In all cases, companies must define the scope, avoid bulk collection, provide transparent privacy notices, and implement short retention periods.

Best Practice Blueprint: Structure, Transparency, and Control

In this grey area, structure is your best friend. Communicate clearly with employees and candidates about whether, when and how background checks are performed. If you use external screening providers, align on roles and responsibilities under the GDPR, put appropriate contracts in place, and agree in advance how results will be reported. Lastly, adopt a written policy that defines your organisation’s routines for a “background check”: the trigger points and timing, the roles it applies to, the legal basis, and the documentation and retention framework. Keep the scope proportionate and be prepared to justify your approach.

On the Horizon: Legal Reforms and What to Do Now

Change is coming. IMY has called for greater legal clarity and an inquiry into background checks, which has led the Swedish government to initiate a review of background checks, to be reported no later than 11 March 2027.[7] There are also pending law‑reform initiatives addressing expanded register checks in specific public‑sector settings,[8] as well as recent Supreme Court rulings interpreting GDPR‑related constraints on the processing of offence‑related data.[9]

Until a coherent and sufficiently sector‑agnostic framework is adopted, companies should continue to apply the current rules wisely. Clarity in process now will position you well when the law catches up.


[1] Regulation on digital operational resilience for the financial sector (EU) 2022/2554.

[2] General Data Protection Regulation (EU) 2016/679.

[3] Article 10 GDPR and section 5 of the Swedish Act (2018:219) with Supplementary Provisions to the GDPR.

[4] Such as entities under the supervision of the Swedish Financial Supervisory Authority, as well as within the social services sector and the education sector according to section 6 of IMY’s provisions on the Processing of Personal Data Related to Criminal Offenses (IMYFS 2024:1).

[5] Adverse findings must be handled verbally.

[6] Section 6 of IMY’s provisions on the Processing of Personal Data Related to Criminal Offenses (IMYFS 2024:1).

[7] Committee Directive – An Appropriate Regulatory Framework for Background Checks (Dir. 2025:83).

[8] Referral to the Council on Legislation – Expanded Register Checks for Employment in Municipalities, 9 October 2025.

[9] NJA 2025 s. 123 “GDPR and Criminal Judgments I and II”.
