Skip to content
GDPR by Law

European Union · updated 2026-06-15

Sweden

Conditional

Sweden's IMY made data subject rights expensive to ignore — it fined Spotify SEK 58M over incomplete access-request responses. Build a real export flow, not a policy paragraph, before scaling in Sweden.

Law:
GDPR + Data Protection Act (2018:218) + Electronic Communications Act
Regulator:
IMY (Integritetsskyddsmyndigheten)

Cookie consent

Opt-in required

Breach deadline

72 hours

DPA with vendors

Required

Max fine

€20,000,000 or 4% of global annual revenue, whichever is higher

What Sweden requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Privacy policy (integritetspolicy)

    Art. 13–14 GDPR

    Privacy notice naming controller, purposes, legal bases, recipients, retention, and rights. The Klarna fine turned on vague and incomplete notice wording.

    How to implement Be specific: name recipients or recipient categories precisely and give concrete retention periods. Swedish is expected for consumer services; English is common for B2B and dev tools.

    Required
  2. Cookie consent banner

    Ch. 9 §28 ECA

    Opt-in consent for analytics and marketing cookies with prior blocking and first-layer rejection.

    How to implement Standard EU CMP configuration works. Swedish sites increasingly use consent-mode analytics or EU-hosted alternatives after IMY's Google Analytics rulings.

    Required
  3. Records of processing (ROPA)

    Art. 30 GDPR

    Standard register of processing activities.

    How to implement Keep current per product; IMY requests it at the start of supervisory cases.

    Required
  4. Data protection officer

    Art. 37 GDPR

    GDPR-baseline thresholds; notify IMY of the appointment through its e-service.

    How to implement Register electronically and publish contact details in your integritetspolicy.

    Conditional
  5. Breach notification process

    Art. 33–34 GDPR

    72-hour notification via IMY's e-service plus individual notification for high-risk breaches.

    How to implement IMY accepts preliminary reports — file within 72 hours even if the investigation is ongoing and supplement later.

    Required
  6. Transfer risk assessment for US tools

    Ch. V GDPR

    IMY's 2023 Google Analytics decisions fined Swedish companies over US transfers. Post-DPF the risk is reduced but transfer mapping is still expected.

    How to implement Inventory which vendors move data outside the EEA, confirm DPF certification or SCCs for each, and record it in your ROPA.

    Recommended

The details

Cookie consent
Chapter 9 §28 of the Electronic Communications Act requires opt-in consent for non-essential cookies, enforced by PTS with IMY covering the personal-data side. Standard EU banner rules apply: prior blocking, real reject option.
Data Protection Officer
GDPR baseline thresholds; the DPO (dataskyddsombud) must be notified to IMY via its e-service.
Processing agreements
Art. 28 GDPR personuppgiftsbiträdesavtal required with all processors. Swedish enterprise and public-sector customers request them as a standard procurement item.
Breach notification
Report to IMY within 72 hours via its e-service. IMY publishes annual breach reports and expects even 'investigating' notifications inside the window.
Enforcement in practice
IMY fined Spotify SEK 58M (≈€5M) in 2023 for not fully explaining data in access-request responses, and Klarna SEK 7.5M over privacy-notice deficiencies.

Data subject rights

What users can demand from you in Sweden, and the engineering that satisfies each right.

Right to access

Art. 15 GDPR

Copy of personal data plus intelligible explanation of processing within one month.

Spotify's fine shows raw data dumps aren't enough — technical fields must be explained so users understand them. Pair exports with a data dictionary.

Right to erasure

Art. 17 GDPR

Deletion when data is no longer necessary or consent withdrawn.

Swedish accounting law requires 7-year retention of accounting records — document the exemption.

Right to data portability

Art. 20 GDPR

Machine-readable export of user-provided data.

JSON/CSV export endpoint; Spotify's 'Download your data' flow is the reference pattern IMY evaluated.

Right to rectification

Art. 16 GDPR

Correction of inaccurate personal data.

Self-service edits plus a support channel.

Right to restrict processing & to object

Art. 18, 21 GDPR

Freeze during disputes; absolute objection to direct marketing.

Maintain suppression lists; Sweden's NIX registries cover telemarketing opt-outs.

Automated decision-making

Art. 22 GDPR

Protection against solely automated significant decisions.

Klarna-style instant credit decisions are the canonical Swedish example — disclose the logic and offer human review of rejections.

Tools that cover Sweden

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • cookie consent

    Cookiebot

    Nordic-founded CMP; Swedish-language banners with prior blocking preconfigured.

    Visit Cookiebot →
  • privacy policy

    iubenda

    Generates Swedish and English privacy policies with the concrete wording IMY expects.

    Visit iubenda →
  • compliance suite

    OneTrust

    Handles access-request workflows at scale — the exact capability IMY fined Spotify over.

    Visit OneTrust →

Frequently asked questions

What did Spotify actually get fined for?

Not refusing access requests — responding incompletely. IMY held that users must receive their data and a sufficiently clear explanation of how it's used. If your export is a raw JSON dump with cryptic field names, add human-readable descriptions.

Can I use Google Analytics in Sweden?

IMY fined four Swedish companies in 2023 over GA's US transfers under the pre-DPF regime. With the EU-US Data Privacy Framework in force and Google certified, GA4 behind consent is defensible again — but document the transfer basis in your ROPA.

Does Sweden add national requirements beyond GDPR?

Few for private companies — the Data Protection Act mostly handles public-sector specifics. Sweden's distinctive feature is enforcement style: IMY cases concentrate on transparency quality and data subject rights execution.

What is the digital age of consent in Sweden?

13 — the GDPR minimum. Consent-based information-society services need parental consent below that age.

Similar jurisdictions

Free download

Get GDPR updates for Sweden

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.