GDPR in Sweden
On May 25, 2018, the rules of the game for data protection changed across Europe. The General
But what does GDPR mean specifically in a Swedish context?
The Swedish “Data Protection Act”
Although the GDPR is an EU regulation, it leaves room for national regulations in certain areas. In Sweden, the GDPR is supplemented by “Act (2018:218) with supplementary provisions to the EU General Data Protection Regulation” – often just called “dataskyddslagen”.
This law clarifies how GDPR will be applied in Sweden and covers areas such as:
- Processing of social security numbers (similar to CPR numbers).
- Data protection in the context of freedom of expression and information.
- Specific rules for public authorities.
For any company operating in Sweden, it’s not enough to just read the GDPR text; you also need to understand the Data Protection Act.
Supervision: Integritetsskyddsmyndigheten (IMY)
The Swedish watchdog that ensures compliance with GDPR is the Swedish Authority for Privacy Protection (IMY). Many may remember them by their former name, the Data Inspectorate.
IMY is an active authority that does not hesitate to issue guidelines and fines. They have made their mark with several landmark cases that have sent clear signals to Swedish companies.
Important cases that define the GDPR in Sweden
Two cases illustrate particularly well how IMY interprets and enforces the rules:
- School fine for facial recognition: A municipality was fined SEK 200,000 for using facial recognition technology to register attendance at a secondary school. IMY ruled that the processing of such sensitive biometric data was illegal. The case was important as a matter of principle because it emphasized that “consent” from students (who are in a dependent relationship with the school) can rarely be considered “free” and valid.
- Stop for Google Analytics: In 2023, IMY issued fines to four Swedish companies for their use of Google Analytics. The issue was the transfer of personal data to the US in light of the Schrems II ruling. IMY concluded that the technical measures taken by the companies were not sufficient to protect the data from access by US intelligence services. This ruling has put massive pressure on Swedish (and European) companies’ use of US cloud services.
What does it mean to you?
- Doing business in Sweden requires the same strong focus on GDPR as in Denmark. The main difference lies in the special national legislation and the signals that IMY sends.
In short:
- GDPR applies, but remember to check the Swedish “dataskyddslagen” for national additions.
- Keep an eye on IMY, as their rulings (especially around data transfers and consent) directly influence what is considered best practice in Sweden.
- Treat personal data with respect – It’s at the heart of the legislation and the best way to avoid sanctions.
Train the entire organization with a GDPR Course
Check out our GDPR course. It provides a common, documentable level and can be customized to your organization.