Data protection & privacy laws in Sweden (2026)
As an EU member state, Sweden applies the directly effective GDPR as its comprehensive data-protection regime, in force since 25 May 2018. It is supplemented nationally by the Data Protection Act (2018:218), which fills areas where the GDPR permits or requires national rules, and is enforced by the supervisory authority IMY. Sector-specific statutes (e.g. the Patient Data Act, the Criminal Data Act and the Camera Surveillance Act) layer on top for particular fields.
Key points
The GDPR applies directly in Sweden and is the primary, omnibus data-protection law covering all sectors; it replaced the former Personal Data Act (1998:204) on 25 May 2018.
The Data Protection Act (2018:218) and Ordinance (2018:219) provide supplementary provisions where the GDPR allows national derogations, and notably extend GDPR-style protection even to processing outside EU-law competence.
Integritetsskyddsmyndigheten (IMY), formerly Datainspektionen and renamed on 1 January 2021, is the national supervisory authority; it handles supervision, complaints, and EDPB cooperation across the EU.
Beyond the GDPR, IMY also enforces the Patient Data Act (healthcare records), the Criminal Data Act (implementing the EU Law Enforcement Directive for police/justice), and the Camera Surveillance Act.
From 1 April 2025 the prior IMY permit requirement for camera surveillance in public spaces was abolished; authorities must instead document a balancing test and keep a register of ongoing surveillance.
IMY can levy GDPR fines up to EUR 20 million or 4% of global turnover (capped at SEK 5–10 million for public authorities). In 2025 it fined pharmacies Apoteket AB and Apohem AB SEK 37m and SEK 8m for Meta-pixel data leaks, and acted against cookie-consent 'dark patterns'.
Timeline - major decisions & events
IMY sanctioned ATG, Aller Media and Warner Music Sweden for cookie consent interfaces that used asymmetric design—prominent 'Accept' buttons, multi-step 'Reject' flows and pre-ticked boxes—to coerce consent. IMY declared dark-pattern cookie enforcement an ongoing priority through 2026. Source: CMS Law (reporting on IMY decisions)
IMY fined Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB a combined SEK 250,000 for improperly processing employees' sobriety-test results without a lawful basis under GDPR, reinforcing scrutiny of workplace health and biometric data. Source: EDPB
IMY imposed the largest GDPR fines in Swedish history against two online pharmacies for transmitting highly sensitive health data—STI tests, contraceptives, OTC medicines—to Meta via tracking pixels without a lawful basis, totalling SEK 45M (~€4M). Source: IMY
Following noyb's 101 complaints, IMY ordered CDON, Coop, Dagens Industri and Tele2 to stop using Google Analytics and fined Tele2 SEK 12M (~€1M) and CDON SEK 300,000 for sending personal data to the US without adequate safeguards—Sweden's first major enforcement of post-Schrems II transfer rules. Source: EDPB
By government decision the Swedish data-protection authority was renamed from Datainspektionen (est. 1973) to Integritetsskyddsmyndigheten (Swedish Authority for Privacy Protection, IMY), signalling an expanded mandate covering personal integrity in a digital society. Source: IMY
Datainspektionen fined Skellefteå municipality's school board SEK 200,000 for piloting facial recognition to track 22 pupils' attendance, violating Articles 5, 9, 35 and 36 GDPR; the regulator held that student consent cannot be freely given to a public authority with power over them. Source: EDPB
The EU GDPR replaced the 1998 Personal Data Act as the primary framework. Sweden simultaneously enacted the Dataskyddslagen (SFS 2018:218) to exercise national margins of appreciation, covering processing of social-security numbers, freedom-of-expression exemptions and special rules for public authorities. Source: Riksdagen (Swedish Parliament)
Sweden replaced its 1973 Data Act with PuL to implement EU Directive 95/46/EC, adopting a rights-based framework with principles of purpose limitation, data minimisation and data-subject rights; Datainspektionen retained supervisory authority with expanded powers. Source: Riksdagen (Swedish Parliament)
The Swedish Riksdag enacted Datalagen (the Data Act, SFS 1973:289), the first national data protection statute in history, requiring government licensing of personal data registers and establishing Datainspektionen as the supervisory authority; it entered into force 1 July 1974. Source: ILO NATLEX
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.