Data & Privacy Β· Sweden
Data protection & GDPR compliance in Sweden (2026)
Sweden shaded by its data & privacy status
Data protection in Sweden: comprehensive law, under EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), implemented nationally by the Act (2018:218) with supplementary provisions to the EU GDPR (Dataskyddslagen) and Ordinance (2018:219); supervised by Integritetsskyddsmyndigheten (IMY, Swedish Authority for Privacy Protection)..
As an EU member state, Sweden applies the directly-effective GDPR as its comprehensive data-protection regime, in force since 25 May 2018. It is supplemented nationally by the Data Protection Act (2018:218), which fills areas where the GDPR permits or requires national rules, and is enforced by the supervisory authority IMY. Sector-specific statutes (e.g. Patient Data Act, Criminal Data Act, Camera Surveillance Act) layer on top for particular fields.
GDPR & data protection in Sweden
In Sweden, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Swedish Authority for Privacy Protection (IMY).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Swedish Authority for Privacy Protection (IMY)
- Applies to
- any organisation processing the personal data of people in Sweden, wherever the organisation is based
- Maximum fine
- β¬20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Sweden supplements it with a national data-protection act and its own supervisory authority.
GDPR in Sweden: FAQ
Yes. As an EU/EEA member, Sweden applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Swedish Authority for Privacy Protection (IMY).
The Swedish Authority for Privacy Protection (IMY).
Up to β¬20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
The GDPR applies directly in Sweden and is the primary, omnibus data-protection law covering all sectors; it replaced the former Personal Data Act (1998:204) on 25 May 2018.
The Data Protection Act (2018:218) and Ordinance (2018:219) provide supplementary provisions where the GDPR allows national derogations, and notably extend GDPR-style protection even to processing outside EU-law competence.
Integritetsskyddsmyndigheten (IMY), formerly Datainspektionen and renamed on 1 January 2021, is the national supervisory authority; it handles supervision, complaints, and EDPB cooperation across the EU.
Beyond the GDPR, IMY also enforces the Patient Data Act (healthcare records), the Criminal Data Act (implementing the EU Law Enforcement Directive for police/justice), and the Camera Surveillance Act.
From 1 April 2025 the prior IMY permit requirement for camera surveillance in public spaces was abolished; authorities must instead document a balancing test and keep a register of ongoing surveillance.
IMY can levy GDPR fines up to EUR 20 million or 4% of global turnover (capped at SEK 5-10 million for public authorities). In 2025 it fined pharmacies Apoteket AB and Apohem AB SEK 37m and SEK 8m for Meta-pixel data leaks, and acted against cookie-consent 'dark patterns'.
Timeline - major decisions & events
IMY sanctioned ATG, Aller Media and Warner Music Sweden for cookie consent interfaces that used asymmetric design, prominent 'Accept' buttons, multi-step 'Reject' flows and pre-ticked boxes, to coerce consent. IMY declared dark-pattern cookie enforcement an ongoing priority through 2026.
CMS Law (reporting on IMY decisions) βIMY fined Storstockholms Lokaltrafik (SL) and Waxholms Γ ngfartygs AB a combined SEK 250,000 for improperly processing employees' sobriety-test results without a lawful basis under GDPR, reinforcing scrutiny of workplace health and biometric data.
EDPB βIMY imposed the largest GDPR fines in Swedish history against two online pharmacies for transmitting highly sensitive health data, STI tests, contraceptives, OTC medicines, to Meta via tracking pixels without a lawful basis, totalling SEK 45M (~β¬4M).
IMY βFollowing noyb's 101 complaints, IMY ordered CDON, Coop, Dagens Industri and Tele2 to stop using Google Analytics and fined Tele2 SEK 12M (~β¬1M) and CDON SEK 300,000 for sending personal data to the US without adequate safeguards, Sweden's first major enforcement of post-Schrems II transfer rules.
EDPB βBy government decision the Swedish data-protection authority was renamed from Datainspektionen (est. 1973) to Integritetsskyddsmyndigheten (Swedish Authority for Privacy Protection, IMY), signalling an expanded mandate covering personal integrity in a digital society.
IMY βDatainspektionen fined SkellefteΓ₯ municipality's school board SEK 200,000 for piloting facial recognition to track 22 pupils' attendance, violating Articles 5, 9, 35 and 36 GDPR; the regulator held that student consent cannot be freely given to a public authority with power over them.
EDPB βThe EU GDPR replaced the 1998 Personal Data Act as the primary framework. Sweden simultaneously enacted the Dataskyddslagen (SFS 2018:218) to exercise national margins of appreciation, covering processing of social-security numbers, freedom-of-expression exemptions and special rules for public authorities.
Riksdagen (Swedish Parliament) βSweden replaced its 1973 Data Act with PuL to implement EU Directive 95/46/EC, adopting a rights-based framework with principles of purpose limitation, data minimisation and data-subject rights; Datainspektionen retained supervisory authority with expanded powers.
Riksdagen (Swedish Parliament) βThe Swedish Riksdag enacted Datalagen (the Data Act, SFS 1973:289), the first national data protection statute in history, requiring government licensing of personal data registers and establishing Datainspektionen as the supervisory authority; it entered into force 1 July 1974.
ILO NATLEX βSweden - other topics
Data & Privacy in other countries
Last verified 5/23/2026 Β· Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite Β· Explore the full world map β