Sweden Data Privacy Laws: GDPR Implementation Guide (2026)

Sweden was one of the first countries in the world to enact data protection legislation. The original Data Act (Datalagen) dates back to 1973, placing Sweden decades ahead of most nations in recognizing the importance of personal data protection. Today, Sweden's data privacy framework is built on the EU General Data Protection Regulation (GDPR) and a set of national laws that tailor GDPR provisions to Swedish legal traditions.
This guide covers the full scope of Sweden's data privacy regime: the laws that apply, the authority that enforces them, the fines that have been levied, and the compliance obligations that organizations operating in Sweden must meet.
For an overview of data privacy frameworks across multiple countries, see our World Data Privacy Laws hub.
The Legal Framework: GDPR and Swedish National Law
Sweden's data privacy framework operates on two levels. The GDPR applies directly as EU law throughout Sweden. On top of that, Sweden has enacted national legislation to fill in areas where the GDPR grants member states discretion.

The GDPR (Regulation 2016/679)
The GDPR took effect across the EU on May 25, 2018. As an EU regulation, it applies directly in Sweden without requiring transposition into national law. The GDPR establishes the core principles of data protection: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
Every organization that processes personal data of individuals in Sweden must comply with the GDPR, regardless of where the organization is established. This includes companies outside the EU that offer goods or services to Swedish residents or monitor their behavior.
The Swedish Data Protection Act (Dataskyddslagen, 2018:218)
The Swedish Data Protection Act (Lag 2018:218 med kompletterande bestämmelser till EU:s dataskyddsförordning) entered into force on May 25, 2018, alongside the GDPR. It provides supplementary provisions in areas where the GDPR allows or requires national legislation.
The Act extends the GDPR's reach in one notable way: its provisions also apply to processing of personal data in activities not covered by EU law and activities covered by Title V, Chapter 2 of the Treaty on European Union. This means the GDPR framework governs data processing in Sweden even in areas that fall outside the EU's normal legislative competence.
Key provisions of the Swedish Data Protection Act include:
- Age of consent for children: Set at 13 years for information society services, one of the lowest in the EU. This applies to children living in Sweden regardless of where the controller is established.
- Personal identity numbers (personnummer): Processing of Swedish personal identity numbers and coordination numbers requires either explicit consent or clear justification based on the purpose of the processing, the importance of secure identification, or another significant reason. This gives personnummer elevated protection beyond ordinary personal data.
- Criminal data: The Act regulates how personal data relating to criminal convictions and offenses may be processed by entities other than official authorities.
- Compensation and appeals: Data subjects may seek compensation for damages caused by unlawful processing, and the Act establishes the right to appeal supervisory authority decisions.
The Data Protection Ordinance (2018:219)
The Data Protection Ordinance supplements the Data Protection Act with more detailed rules. It specifies, among other things, which public authorities may process criminal records data and sets procedural rules for how IMY exercises its supervisory powers.
The Camera Surveillance Act (2018:1200)
Sweden maintains a separate law governing video surveillance. As of April 1, 2025, the permit requirement for camera surveillance in public spaces was removed. Organizations no longer need prior approval from IMY to install cameras in public areas. However, they must still conduct and document a legitimate interest assessment before beginning surveillance, and they must comply with both the Camera Surveillance Act and the GDPR.
The Electronic Communications Act (2022:482)
This law implements the EU ePrivacy Directive and governs electronic communications, including rules on cookies, traffic data retention, and the confidentiality of electronic communications. The Swedish Post and Telecom Authority (PTS) oversees compliance with this law.
IMY: Sweden's Data Protection Authority
The Integritetsskyddsmyndigheten (IMY), known in English as the Swedish Authority for Privacy Protection, is Sweden's independent supervisory authority for data protection. Before 2021, the authority was called Datainspektionen (the Data Inspection Board).
IMY is responsible for:
- Supervising compliance with the GDPR, the Data Protection Act, and related legislation.
- Investigating complaints from individuals about potential GDPR violations.
- Conducting proactive audits and inspections of organizations.
- Issuing administrative fines and corrective orders.
- Providing guidance and recommendations to organizations and the public.
- Participating in the European Data Protection Board (EDPB).
- Operating a regulatory sandbox for AI and data protection innovation.
IMY's 2026 Supervisory Priorities
For 2026, IMY has announced three focus areas for its guidance and supervision work:
- Crime prevention: Reviewing how personal data is used in crime prevention efforts.
- Children and young people: Strengthening protections for minors' personal data online.
- AI in the public sector: Monitoring the use of artificial intelligence by public authorities, with particular attention to systems involving sensitive personal data and situations where individuals cannot opt out.
IMY also established a dedicated guidance unit effective January 1, 2026, to provide more accessible support to organizations navigating data protection requirements.
Record Data Breach Reports in 2025
IMY received 12,276 personal data breach notifications in 2025, the highest annual total since the GDPR took effect in 2018. This represented an increase of approximately 89% compared to 2024. IMY linked the surge in part to major darknet data leaks affecting Swedish organizations.
Notable IMY Enforcement Actions and Fines
IMY has steadily increased its enforcement activity since the GDPR took effect. Below are the most significant cases.
Google: SEK 75 Million (2020)
IMY imposed a fine of SEK 75 million (approximately EUR 7 million) on Google for failure to comply with the right to delisting. After a 2017 audit found that Google had not properly handled requests to remove search result listings, IMY ordered Google to comply. A 2018 follow-up audit revealed continued non-compliance. The resulting fine was one of the largest GDPR penalties issued by a Nordic data protection authority at that time.
Spotify: SEK 58 Million (2023)
IMY fined Spotify SEK 58 million (approximately EUR 5 million) for shortcomings regarding transparency. The investigation found that while Spotify provided personal data when individuals exercised their right of access, the company did not clearly explain how that data was used. Specifically, Spotify's descriptions of data categories, retention periods, and third-country transfers were deemed insufficiently clear.
Klarna: SEK 7.5 Million (2022)
IMY fined Klarna Bank AB SEK 7.5 million for multiple GDPR violations. The investigation found that Klarna failed to provide information on the purpose and legal basis for processing personal data in one of its services. Klarna also provided incomplete and misleading information about recipients of personal data when sharing data with credit information companies, and gave incomplete information about data subjects' rights.
Trygg-Hansa: SEK 35 Million (2023)
Insurance company Trygg-Hansa received a SEK 35 million fine (approximately EUR 2.8 million) after IMY found that customer data for 650,000 customers was accessible without proper authentication from October 2018 to February 2021. The case highlighted the importance of implementing adequate technical and organizational security measures.
Apoteket and Apohem: SEK 37 Million and SEK 8 Million (2024)
IMY imposed combined fines of SEK 45 million against two pharmacies for transferring personal data to Meta through the improper use of Meta's tracking pixel. The pharmacies had used the pixel to improve their marketing on Facebook and Instagram without implementing appropriate technical and organizational measures to protect customers' personal data, including potentially sensitive health-related browsing data.
Avanza Bank: SEK 15 Million (2024)
IMY fined Avanza Bank AB SEK 15 million for unintentionally transferring personal data of between 500,000 and one million customers to Meta through the improper use of a tracking pixel. The transfers occurred between November 2019 and June 2021.
Google Analytics Enforcement: SEK 12.3 Million (2023)
Following 101 complaints about unlawful EU-US data transfers, IMY imposed a fine of SEK 12 million on telecommunications provider Tele2 and SEK 300,000 on online retailer CDON for using Google Analytics on their websites. These were the first financial penalties imposed on companies anywhere in the EU for using Google Analytics following the Schrems II ruling.
Skellefteå School: SEK 200,000 (2019)
Sweden's first-ever GDPR fine went to a school in Skellefteå that used facial recognition technology to track student attendance. Although only 22 students were involved over a three-week trial, IMY found violations of Article 5 (data minimization), Article 9 (processing of biometric data without legal basis), and Articles 35-36 (failure to conduct a data protection impact assessment). The case set an early precedent for biometric data enforcement.
H&M: SEK 350,000 (2023)
IMY fined the fashion retailer for continuing to use personal data for direct marketing purposes despite receiving objections from data subjects. The case reinforced the right to object to processing under GDPR Article 21.
Sportadmin: SEK 6 Million (2026)
In an early 2026 action, IMY fined Sportadmin SEK 6 million following an IT attack. The case underscored IMY's expectations regarding security measures and incident response.
Penalty Structure
The following table summarizes the penalty framework that applies in Sweden.
| Violation Category | Maximum Penalty (Companies) | Maximum Penalty (Public Authorities) |
|---|---|---|
| Less serious GDPR infringements (Art. 83(4)) | EUR 10 million or 2% of global annual turnover, whichever is higher | SEK 5 million |
| Serious GDPR infringements (Art. 83(5-6)) | EUR 20 million or 4% of global annual turnover, whichever is higher | SEK 10 million |
| Failure to comply with IMY corrective orders | EUR 20 million or 4% of global annual turnover | SEK 10 million |
IMY determines the specific fine amount based on several factors:
- The nature, gravity, and duration of the infringement.
- Whether the infringement was intentional or negligent.
- Actions taken to mitigate damage to data subjects.
- The degree of responsibility considering technical and organizational measures implemented.
- Any previous infringements.
- The categories of personal data affected.
- How the infringement became known to the supervisory authority.
Beyond monetary fines, IMY can issue warnings for planned processing that would likely violate the GDPR, reprimands for ongoing violations, and orders to cease specific processing activities or bring processing into compliance.
Data Breach Notification Requirements
Sweden follows the GDPR's breach notification framework, administered by IMY.
When to Notify IMY
Controllers must notify IMY of a personal data breach within 72 hours after becoming aware of it. Notification is required when the breach is likely to result in a risk to the rights and freedoms of individuals.
If a breach is unlikely to result in any risk, notification to IMY is not required. Examples include breaches affecting a limited amount of non-sensitive personal data, or situations where protection was compromised for such a brief time that unauthorized access was not possible.
How to Notify
Notifications must be submitted through IMY's electronic reporting system (e-service). If all information is not available within the 72-hour window, controllers may submit an initial notification and provide supplementary information within four weeks.
Notifying Data Subjects
When a breach is likely to result in a high risk to individuals' rights and freedoms, the controller must also notify the affected data subjects without undue delay. The notification must describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it.
Processor Obligations
Even when a breach occurs at a data processor, the responsibility to notify IMY remains with the controller. Processors must notify their controllers without undue delay after becoming aware of a breach.
Consequences of Failure to Notify
Failing to report a personal data breach can itself constitute a GDPR violation, potentially resulting in administrative fines of up to EUR 10 million or 2% of global annual turnover.
Swedish-Specific Provisions
Several features distinguish Sweden's data protection landscape from other EU member states.
Constitutional Exemptions for Media
Sweden's Freedom of the Press Act (Tryckfrihetsförordningen) and Fundamental Law on Freedom of Expression (Yttrandefrihetsgrundlagen) are constitutional laws that can override the GDPR. Under the Data Protection Act, the GDPR and the Act's supplementary provisions do not apply to the extent that they would conflict with these constitutional protections.
In practice, this has allowed online publishers to obtain a "publication certificate" (utgivningsbevis) by registering a responsible editor. Once granted, the service is treated as constitutionally protected media, potentially exempting it from GDPR requirements.
This system has been controversial because some websites have used publication certificates to share personal data such as addresses, incomes, and criminal records that the GDPR would normally protect. Recent Swedish court rulings and EU Court of Justice proceedings (Case C-199/24) have begun to challenge this blanket exemption, holding that EU law requires a case-by-case proportionality assessment between data protection rights and freedom of expression.
A Swedish Government official report has proposed new provisions to strengthen privacy protections when personal data is published on search services online, with these changes proposed to enter into force on January 1, 2027.
Personal Identity Numbers (Personnummer)
Sweden's personal identity number system is deeply embedded in Swedish society. Every resident receives a personnummer, which is used for healthcare, banking, taxation, and countless other purposes. Because of its sensitivity as a universal identifier, the Data Protection Act provides elevated protection.
Organizations may only process personnummer without consent if it is "clearly justified" in view of the purpose, the importance of secure identification, or another significant reason. This threshold is higher than for ordinary personal data, effectively treating personnummer as requiring safeguards similar to those applied to sensitive data categories.
Age of Consent at 13
Sweden has set the age at which children can independently consent to the processing of their personal data in connection with information society services at 13 years. This is among the lowest consent ages in the EU, where member states may set the threshold anywhere between 13 and 16 under GDPR Article 8. This provision applies to children living in Sweden, regardless of where the data controller is based.
Fines for Public Authorities
Unlike some EU member states that exempt public authorities from fines, Sweden has chosen to allow financial penalties against government bodies. The maximum fine for public authorities is SEK 5 million for less serious infringements and SEK 10 million for serious violations. IMY has exercised this power, including fining the Swedish Equality Ombudsman for data security failures.
Data Protection Impact Assessments (DPIAs)
IMY has published a detailed list of processing operations that require a Data Protection Impact Assessment under GDPR Article 35. A DPIA is mandatory when processing is likely to result in a high risk to individuals' rights and freedoms, particularly when using new technologies.
IMY has identified specific criteria that indicate a DPIA should be performed:
- Processing personal data for automated decision-making with legal or similarly significant effects.
- Processing sensitive personal data or data of a very personal nature on a large scale.
- Combining personal data from two or more processing activities in ways that deviate from what data subjects would reasonably expect.
- Processing data about vulnerable individuals (employees, children, patients).
- Using new technology or organizational solutions.
- Processing data to prevent individuals from accessing a service or entering into an agreement.
IMY has published a two-part DPIA guidance document and a three-part DPIA template to help organizations comply with these requirements.
Data Protection Officers (DPOs)
Sweden follows the GDPR's DPO requirements without imposing additional national obligations. Appointment of a DPO is mandatory for:
- Public authorities and bodies.
- Organizations whose core activities require regular and systematic monitoring of individuals on a large scale.
- Organizations whose core activities involve large-scale processing of special categories of data.
The appointed DPO must be reported to IMY. Swedish law imposes a confidentiality obligation on DPOs regarding information obtained while performing their duties. IMY has published guidance and a notification form for controllers to submit DPO appointment details.
Cross-Border Data Transfers
Sweden does not impose additional national requirements for cross-border data transfers beyond the GDPR. Transfers within the European Economic Area (EEA) are permitted without restriction.
For transfers to countries outside the EEA without an EU adequacy decision, organizations must use appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) adopted by the European Commission.
- Binding Corporate Rules (BCRs) approved by the relevant supervisory authority.
- Codes of conduct or certification mechanisms with binding commitments from the recipient.
IMY's enforcement against companies using Google Analytics and Meta tracking pixels has demonstrated that the authority takes cross-border transfer compliance seriously. The Tele2 and CDON fines in 2023 specifically targeted inadequate safeguards for transfers to the United States.
AI and Emerging Technology
Sweden is actively shaping its approach to AI regulation within the data protection framework.
In January 2025, the Swedish Agency for Digital Government (Digg) and IMY jointly launched guidelines to encourage the use of generative AI in public administration while maintaining data protection standards.
IMY broadened its regulatory sandbox in 2025, allowing organizations to test innovative data processing activities in a supervised environment. This sandbox approach helps organizations explore new technologies while receiving direct guidance from the supervisory authority.
Looking ahead, Sweden's Parliament is considering proposals from the SOU 2025:101 official report, which would establish the permanent national framework for AI market surveillance by August 2026. The framework includes the designation of eleven market surveillance authorities and the launch of a national AI regulatory sandbox.
IMY's designation of "AI in the public sector" as one of its three 2026 supervisory priorities signals that organizations deploying AI systems that process personal data should expect heightened scrutiny.
Cookie Consent and Dark Patterns
In April 2025, IMY took formal enforcement action against several companies for using "dark patterns" in their cookie consent banners. Dark patterns are design techniques that manipulate users into making choices they might not otherwise make, such as making the "accept all" button prominently visible while hiding the "reject" option.
IMY issued formal warnings and reprimands, including to media company Aller Media AB. These actions signal that IMY expects cookie consent mechanisms to present genuine, unmanipulated choices to users.
The Electronic Communications Act (2022:482) governs the use of cookies and similar tracking technologies in Sweden. Organizations must obtain informed consent before placing non-essential cookies on users' devices.
Compliance Checklist for Organizations in Sweden
Organizations processing personal data of individuals in Sweden should address the following areas.
Establish a lawful basis for processing. Before collecting or processing personal data, identify which of the six GDPR legal bases applies. Document this determination in your Records of Processing Activities.
Appoint a DPO if required. Public authorities and organizations engaged in large-scale systematic monitoring or processing of sensitive data must appoint a Data Protection Officer and notify IMY.
Handle personnummer with care. Processing Swedish personal identity numbers requires either explicit consent or clear justification. Do not collect personnummer as a matter of routine.
Implement breach notification procedures. Establish internal processes to detect, assess, and report personal data breaches to IMY within 72 hours.
Conduct DPIAs for high-risk processing. If your processing activities meet IMY's criteria for high-risk processing, complete and document a Data Protection Impact Assessment before beginning the processing.
Ensure transparent privacy notices. Provide clear, accessible information about what data you collect, why, how long you keep it, who receives it, and what rights individuals have. IMY's enforcement against Spotify and Klarna shows that vague or incomplete privacy information triggers fines.
Review cross-border data transfers. If you transfer personal data outside the EEA, ensure you have appropriate safeguards in place. Following IMY's Google Analytics enforcement, pay particular attention to data transfers to the United States and other non-adequacy countries.
Audit tracking pixels and analytics tools. IMY's 2023 and 2024 fines against multiple companies for Meta pixel and Google Analytics use demonstrate that tracking technologies are a priority enforcement area. Verify that any third-party scripts on your website comply with GDPR transfer and consent requirements.
Use honest cookie consent mechanisms. Avoid dark patterns in cookie banners. Present "accept" and "reject" options with equal prominence. IMY's 2025 enforcement actions make clear that manipulative consent designs will not be tolerated.
Train your staff. Ensure employees who handle personal data understand the legal framework, your organization's data protection policies, and how to recognize and report data breaches.
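The two checklist items on tracking scripts and cookie consent, and the Electronic Communications Act rule that non-essential cookies need prior informed consent, come down to a small number of technical controls on the website itself. The following JavaScript is an added example written for this guide; it is not code from the page, from IMY, or from any of the companies named above. It shows a consent gate that keeps third-party tags such as the Meta pixel and Google Analytics from loading until the user explicitly accepts, a banner whose "Reject all" and "Accept all" buttons share identical styling, and an audit helper that flags known tracker hosts among a site's script URLs. The TRACKER_HOSTS mapping, the category names ("analytics", "marketing") and the sample URLs are assumptions made for the example: the hostnames are the ones these tools' loaders are served from, but the mapping is not a list published by IMY.

```javascript
// Consent-gated tag loading plus a tracker audit helper.
// Example code for this guide; the host list and categories are assumptions.

// Assumed mapping of third-party loader hostname -> consent category.
const TRACKER_HOSTS = {
  "connect.facebook.net": "marketing",      // Meta pixel loader (fbevents.js)
  "www.googletagmanager.com": "analytics",  // gtag.js / Google Tag Manager
  "www.google-analytics.com": "analytics",  // legacy analytics.js
};

// Audit step: given the src attributes of every <script> on a page, return the
// ones that belong to a known tracker, with the consent category they need.
function auditScripts(scriptSrcs) {
  const findings = [];
  for (const src of scriptSrcs) {
    let host;
    try {
      host = new URL(src).hostname;
    } catch {
      continue; // relative or inline script: not a third-party loader
    }
    if (TRACKER_HOSTS[host]) findings.push({ src, category: TRACKER_HOSTS[host] });
  }
  return findings;
}

// Consent gate: tags register a loader under a category and nothing runs until
// the user has explicitly granted that category. The default is "no consent".
class ConsentGate {
  constructor() {
    this.pending = new Map(); // category -> queued loader functions
    this.granted = new Set(); // categories the user has accepted
    this.decision = null;     // { granted: [...], at: ISO timestamp } once chosen
  }

  register(category, loader) {
    if (this.granted.has(category)) {
      loader(); // consent already on record: load immediately
      return;
    }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(loader);
  }

  // Called only from an explicit user action on an "accept" control.
  // Scrolling, pre-ticked boxes or closing the banner must never reach here.
  grant(categories) {
    for (const category of categories) {
      this.granted.add(category);
      for (const loader of this.pending.get(category) || []) loader();
      this.pending.delete(category);
    }
    this.decision = { granted: [...this.granted], at: new Date().toISOString() };
    return this.decision;
  }

  // "Reject all": record the refusal and discard every queued loader.
  rejectAll() {
    this.pending.clear();
    this.decision = { granted: [], at: new Date().toISOString() };
    return this.decision;
  }
}

// Browser-only helper: both buttons get the same class, so neither choice is
// visually privileged over the other (the banner design the page warns about).
function renderBanner(gate, categories, doc) {
  const banner = doc.createElement("div");
  const makeButton = (label, onClick) => {
    const button = doc.createElement("button");
    button.textContent = label;
    button.className = "consent-btn"; // identical styling for accept and reject
    button.addEventListener("click", () => { onClick(); banner.remove(); });
    return button;
  };
  banner.append(
    makeButton("Reject all", () => gate.rejectAll()),
    makeButton("Accept all", () => gate.grant(categories)),
  );
  doc.body.append(banner);
  return banner;
}
```

In a real deployment the loaders passed to `register` are the functions that inject the vendor's script tag; because the gate starts empty, a page that forgets to call `grant` simply never loads the tag, which is the safe failure mode. The `decision` object is what you would persist (and be able to show IMY) as the record of what the user chose and when; `auditScripts` can be run against `Array.from(document.scripts, s => s.src)` in a browser console, or against a crawl of your own pages, to find tags that bypass the gate.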
This article is for informational purposes only and does not constitute legal advice. Data privacy laws are subject to change. Consult a qualified attorney licensed in Sweden for guidance on specific compliance obligations.
Sources and References
- Swedish Authority for Privacy Protection (IMY) - Official Website (imy.se)
- Act containing supplementary provisions to the EU General Data Protection Regulation (SFS 2018:218) - Government of Sweden (government.se)
- IMY - Fines and Warnings Overview (imy.se)
- IMY - Personal Data Breach Notification (imy.se)
- IMY - Notification of Personal Data Breaches (Guidance) (imy.se)
- European Data Protection Board - IMY Fine Against Google (edpb.europa.eu)
- European Data Protection Board - IMY Fine Against Spotify (edpb.europa.eu)
- European Data Protection Board - IMY Fine Against Klarna (edpb.europa.eu)
- European Data Protection Board - IMY Fine Against Trygg-Hansa (edpb.europa.eu)
- IMY - Administrative Fines Against Apoteket and Apohem for Meta Pixel (imy.se)
- European Data Protection Board - IMY Facial Recognition Fine (Skellefteå School) (edpb.europa.eu)
- IMY - Video Surveillance for Organisations (imy.se)
- IMY - Sensitive Personal Data Guidance (imy.se)
- Government of Sweden - New Video Surveillance Offensive Against Criminal Networks (government.se)