Skip to content
World Watch/Sweden/Data & Privacy

Data & Privacy Β· Sweden

Data protection & GDPR compliance in Sweden (2026)

Comprehensive lawEU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), implemented nationally by the Act (2018:218) with supplementary provisions to the EU GDPR (Dataskyddslagen) and Ordinance (2018:219); supervised by Integritetsskyddsmyndigheten (IMY, Swedish Authority for Privacy Protection).Country index 93 Β· A+

Sweden shaded by its data & privacy status

Data protection in Sweden: comprehensive law, under EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), implemented nationally by the Act (2018:218) with supplementary provisions to the EU GDPR (Dataskyddslagen) and Ordinance (2018:219); supervised by Integritetsskyddsmyndigheten (IMY, Swedish Authority for Privacy Protection)..

As an EU member state, Sweden applies the directly-effective GDPR as its comprehensive data-protection regime, in force since 25 May 2018. It is supplemented nationally by the Data Protection Act (2018:218), which fills areas where the GDPR permits or requires national rules, and is enforced by the supervisory authority IMY. Sector-specific statutes (e.g. Patient Data Act, Criminal Data Act, Camera Surveillance Act) layer on top for particular fields.

GDPR & data protection in Sweden

In Sweden, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Swedish Authority for Privacy Protection (IMY).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Swedish Authority for Privacy Protection (IMY)
Applies to
any organisation processing the personal data of people in Sweden, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Sweden supplements it with a national data-protection act and its own supervisory authority.

GDPR in Sweden: FAQ

Does the GDPR apply in Sweden?

Yes. As an EU/EEA member, Sweden applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Swedish Authority for Privacy Protection (IMY).

Who enforces data protection law in Sweden?

The Swedish Authority for Privacy Protection (IMY).

What are the GDPR fines in Sweden?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Sweden?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Sweden?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Comprehensive GDPR baseline

The GDPR applies directly in Sweden and is the primary, omnibus data-protection law covering all sectors; it replaced the former Personal Data Act (1998:204) on 25 May 2018.

National supplementary act

The Data Protection Act (2018:218) and Ordinance (2018:219) provide supplementary provisions where the GDPR allows national derogations, and notably extend GDPR-style protection even to processing outside EU-law competence.

Supervisory authority (IMY)

Integritetsskyddsmyndigheten (IMY), formerly Datainspektionen and renamed on 1 January 2021, is the national supervisory authority; it handles supervision, complaints, and EDPB cooperation across the EU.

Sector-specific statutes

Beyond the GDPR, IMY also enforces the Patient Data Act (healthcare records), the Criminal Data Act (implementing the EU Law Enforcement Directive for police/justice), and the Camera Surveillance Act.

Camera surveillance reform (2025)

From 1 April 2025 the prior IMY permit requirement for camera surveillance in public spaces was abolished; authorities must instead document a balancing test and keep a register of ongoing surveillance.

Enforcement and sanctions

IMY can levy GDPR fines up to EUR 20 million or 4% of global turnover (capped at SEK 5-10 million for public authorities). In 2025 it fined pharmacies Apoteket AB and Apohem AB SEK 37m and SEK 8m for Meta-pixel data leaks, and acted against cookie-consent 'dark patterns'.

Timeline - major decisions & events

Apr 1, 2025enforcement
IMY Issues Formal Criticisms for Dark-Pattern Cookie Banners

IMY sanctioned ATG, Aller Media and Warner Music Sweden for cookie consent interfaces that used asymmetric design, prominent 'Accept' buttons, multi-step 'Reject' flows and pre-ticked boxes, to coerce consent. IMY declared dark-pattern cookie enforcement an ongoing priority through 2026.

CMS Law (reporting on IMY decisions) β†—
Jan 1, 2025enforcementofficial
IMY Fines SL Group SEK 250 000 for Sobriety-Test Data Mishandling

IMY fined Storstockholms Lokaltrafik (SL) and Waxholms Γ…ngfartygs AB a combined SEK 250,000 for improperly processing employees' sobriety-test results without a lawful basis under GDPR, reinforcing scrutiny of workplace health and biometric data.

EDPB β†—
Aug 30, 2024enforcementofficial
Pharmacy Meta-Pixel Fines: Apoteket SEK 37M, Apohem SEK 8M

IMY imposed the largest GDPR fines in Swedish history against two online pharmacies for transmitting highly sensitive health data, STI tests, contraceptives, OTC medicines, to Meta via tracking pixels without a lawful basis, totalling SEK 45M (~€4M).

IMY β†—
Jul 1, 2023enforcementofficial
IMY Bans Google Analytics and Issues First Major EU-US Transfer Fines

Following noyb's 101 complaints, IMY ordered CDON, Coop, Dagens Industri and Tele2 to stop using Google Analytics and fined Tele2 SEK 12M (~€1M) and CDON SEK 300,000 for sending personal data to the US without adequate safeguards, Sweden's first major enforcement of post-Schrems II transfer rules.

EDPB β†—
Jan 1, 2021decisionofficial
Datainspektionen Renamed Integritetsskyddsmyndigheten (IMY)

By government decision the Swedish data-protection authority was renamed from Datainspektionen (est. 1973) to Integritetsskyddsmyndigheten (Swedish Authority for Privacy Protection, IMY), signalling an expanded mandate covering personal integrity in a digital society.

IMY β†—
Aug 21, 2019enforcementofficial
Sweden's First GDPR Fine: Facial Recognition Attendance System in School

Datainspektionen fined SkellefteΓ₯ municipality's school board SEK 200,000 for piloting facial recognition to track 22 pupils' attendance, violating Articles 5, 9, 35 and 36 GDPR; the regulator held that student consent cannot be freely given to a public authority with power over them.

EDPB β†—
May 25, 2018lawofficial
GDPR Applies; Sweden Enacts Complementary Dataskyddslagen (SFS 2018:218)

The EU GDPR replaced the 1998 Personal Data Act as the primary framework. Sweden simultaneously enacted the Dataskyddslagen (SFS 2018:218) to exercise national margins of appreciation, covering processing of social-security numbers, freedom-of-expression exemptions and special rules for public authorities.

Riksdagen (Swedish Parliament) β†—
Oct 24, 1998lawofficial
Personal Data Act (Personuppgiftslagen / PuL, SFS 1998:204) Enacted

Sweden replaced its 1973 Data Act with PuL to implement EU Directive 95/46/EC, adopting a rights-based framework with principles of purpose limitation, data minimisation and data-subject rights; Datainspektionen retained supervisory authority with expanded powers.

Riksdagen (Swedish Parliament) β†—
May 11, 1973lawofficial
Sweden Enacts World's First National Data Protection Law (Datalagen)

The Swedish Riksdag enacted Datalagen (the Data Act, SFS 1973:289), the first national data protection statute in history, requiring government licensing of personal data registers and establishing Datainspektionen as the supervisory authority; it entered into force 1 July 1974.

ILO NATLEX β†—

Sweden - other topics

Data & Privacy in other countries

Last verified 5/23/2026 Β· Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite Β· Explore the full world map β†’