Mrkoll and GDPR – what actually applies?

View as Markdown
4 mins read • Legal Writer • GDPR • 14 August 2025
  1. Mrkoll GDPR: What is Mrkoll and how are personal data processed?
  2. Mrkoll GDPR: Lawful basis under Article 6 GDPR
  3. Data subject rights and limitations
  4. How Morling Consulting can assist

Mrkoll is a website that publishes personal data sourced from public registers. For many, this raises questions about privacy, data protection and how such publication can be compatible with the General Data Protection Regulation (GDPR). In our review of Mrkoll and GDPR we explain the legal background, the rights you have as a data subject, and the limitations that apply when information is published on sites such as Mrkoll.

Mrkoll GDPR: What is Mrkoll and how are personal data processed?

Mrkoll collects and publishes personal data such as name, registered address, telephone number, date of birth, income data and property holdings. These data are obtained from public sources, for example the Swedish Tax Agency (Skatteverket), the Swedish Land Registry (Lantmäteriet) and the Swedish Companies Registration Office (Bolagsverket). Because the data originate in public documents, the principle of public access applies, granting a right to access public information. However, when these data are republished digitally, the question arises whether and how GDPR should be applied—what is Mrkoll in legal terms, and which rules govern its processing?

GDPR applies in general to the processing of personal data, but Article 85 allows Member States to introduce exemptions where processing takes place for journalistic purposes or to safeguard freedom of expression and information. In Sweden, these exemptions appear, among other places, in Chapter 1, Section 7 of the Swedish Data Protection Act (Dataskyddslagen), meaning that certain websites enjoy constitutional protection under the Fundamental Law on Freedom of Expression (Yttrandefrihetsgrundlagen, YGL) or the Freedom of the Press Act (Tryckfrihetsförordningen, TF). Where this is the case, GDPR does not apply to the processing in question.

Mrkoll GDPR: Lawful basis under Article 6 GDPR

For processing of personal data that falls within the scope of GDPR to be lawful, it must rely on one of the lawful bases in Article 6 GDPR. In Mrkoll’s case, this could involve:

  • Legitimate interests: The site argues there is a legitimate interest in disseminating public information, and that this interest outweighs the data subject’s privacy interests. In practice, this requires a careful legitimate interest assessment.

Consent is not, in practice, relevant in these circumstances because publication takes place regardless of the data subject’s wishes.

Data subject rights and limitations

As a data subject you have several rights under GDPR, but these may be restricted if publication benefits from constitutional protection and the exemptions in Article 85 GDPR. This means that a request for erasure, rectification or restriction will not always result in action.

Examples of rights and potential limitations include:

  • Right to erasure (Article 17 GDPR): Under GDPR you may request the removal of your data. If the site is covered by YGL or TF, erasure may be refused.
  • Right to rectification (Article 16 GDPR): If data are inaccurate you have the right to request correction. Where data are sourced from a public register and accurately reflect that source, they may be considered correct even if out of date. If publication is constitutionally protected under YGL or TF, this right does not apply.
  • Right to object (Article 21 GDPR): If processing is based on legitimate interests or the performance of a task in the public interest, you may object. In a balancing test, however, the interest in disseminating the information may be deemed to outweigh your objection. If publication is constitutionally protected under YGL or TF, this right does not apply.

In some cases, the Chancellor of Justice (Justitiekanslern, JK) and the Data Protection Agency—the data protection authority—have commented on the balance between privacy and freedom of information. The outcome has often been that constitutional protection prevails over GDPR, which can be frustrating for the data subject. It remains to be seen whether this will continue given the Data Protection Agency’s increased focus on the issue in supervisory matters concerning Mrkoll, Upplysning.se, Krimfup and Lexbase.

How Morling Consulting can assist

We help individuals and businesses across Europe to assess whether their data fall under constitutionally protected publication or whether GDPR applies. We can assist with:

  • Analysing the lawful basis and any applicable exemptions relevant to the publication of your organisation’s information.
  • Assessing and responding to requests for erasure, rectification or objection in a legally robust manner that protects your organisation’s interests.
  • Representing your organisation before the Data Protection Agency or the Chancellor of Justice where there are grounds to challenge a publication.

Our GDPR consultants handle complex matters where freedom of the press and freedom of expression intersect with privacy, and provide qualified advice at every stage of the process.

Material Design illustration showing three legal professionals in front of an AI chip, playground and surveillance symbols, representing IMY’s focus areas public AI, children’s privacy and law enforcement.

5 February 2026

IMY’s priorities for 2026 – what do they mean for your organisation?
Read more
Illustration of a startup GDPR compliance briefing, with team members reviewing a security checklist and data protection policy on a screen.

4 February 2026

GDPR in your start-up – how to build assurance and compliance
Read more
Anonymous lawyer in a suit presses a digital whistleblowing button inside a protective sphere, symbolising secure whistleblowing systems, employee privacy and internal controls under the AMLR.

3 February 2026

AMLR Articles 13–15: employee integrity, whistleblowing and internal control
Read more