Data & Privacy · Sweden
Data & Privacy - Sweden
As an EU member state, Sweden applies the directly-effective GDPR as its comprehensive data-protection regime, in force since 25 May 2018. It is supplemented nationally by the Data Protection Act (2018:218), which fills areas where the GDPR permits or requires national rules, and is enforced by the supervisory authority IMY. Sector-specific statutes (e.g. Patient Data Act, Criminal Data Act, Camera Surveillance Act) layer on top for particular fields.
The GDPR applies directly in Sweden and is the primary, omnibus data-protection law covering all sectors; it replaced the former Personal Data Act (1998:204) on 25 May 2018.
The Data Protection Act (2018:218) and Ordinance (2018:219) provide supplementary provisions where the GDPR allows national derogations, and notably extend GDPR-style protection even to processing outside EU-law competence.
Integritetsskyddsmyndigheten (IMY), formerly Datainspektionen and renamed on 1 January 2021, is the national supervisory authority; it handles supervision, complaints, and EDPB cooperation across the EU.
Beyond the GDPR, IMY also enforces the Patient Data Act (healthcare records), the Criminal Data Act (implementing the EU Law Enforcement Directive for police/justice), and the Camera Surveillance Act.
From 1 April 2025 the prior IMY permit requirement for camera surveillance in public spaces was abolished; authorities must instead document a balancing test and keep a register of ongoing surveillance.
IMY can levy GDPR fines up to EUR 20 million or 4% of global turnover (capped at SEK 5–10 million for public authorities). In 2025 it fined pharmacies Apoteket AB and Apohem AB SEK 37m and SEK 8m for Meta-pixel data leaks, and acted against cookie-consent 'dark patterns'.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice. English version →