European Union · updated 2026-06-15
Sweden
Sweden's IMY made data subject rights expensive to ignore — it fined Spotify SEK 58M over incomplete access-request responses. Build a real export flow, not a policy paragraph, before scaling in Sweden.
- Law:
- GDPR + Data Protection Act (2018:218) + Electronic Communications Act
- Regulator:
- IMY (Integritetsskyddsmyndigheten)
Cookie consent
Opt-in required
Breach deadline
72 hours
DPA with vendors
Required
Max fine
€20,000,000 or 4% of global annual revenue, whichever is higher
What Sweden requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Privacy policy (integritetspolicy)
Art. 13–14 GDPRPrivacy notice naming controller, purposes, legal bases, recipients, retention, and rights. The Klarna fine turned on vague and incomplete notice wording.
How to implement Be specific: name recipients or recipient categories precisely and give concrete retention periods. Swedish is expected for consumer services; English is common for B2B and dev tools.
Required -
Cookie consent banner
Ch. 9 §28 ECAOpt-in consent for analytics and marketing cookies with prior blocking and first-layer rejection.
How to implement Standard EU CMP configuration works. Swedish sites increasingly use consent-mode analytics or EU-hosted alternatives after IMY's Google Analytics rulings.
Required -
Records of processing (ROPA)
Art. 30 GDPRStandard register of processing activities.
How to implement Keep current per product; IMY requests it at the start of supervisory cases.
Required -
Data protection officer
Art. 37 GDPRGDPR-baseline thresholds; notify IMY of the appointment through its e-service.
How to implement Register electronically and publish contact details in your integritetspolicy.
Conditional -
Breach notification process
Art. 33–34 GDPR72-hour notification via IMY's e-service plus individual notification for high-risk breaches.
How to implement IMY accepts preliminary reports — file within 72 hours even if the investigation is ongoing and supplement later.
Required -
Transfer risk assessment for US tools
Ch. V GDPRIMY's 2023 Google Analytics decisions fined Swedish companies over US transfers. Post-DPF the risk is reduced but transfer mapping is still expected.
How to implement Inventory which vendors move data outside the EEA, confirm DPF certification or SCCs for each, and record it in your ROPA.
Recommended
The details
- Cookie consent
- Chapter 9 §28 of the Electronic Communications Act requires opt-in consent for non-essential cookies, enforced by PTS with IMY covering the personal-data side. Standard EU banner rules apply: prior blocking, real reject option.
- Data Protection Officer
- GDPR baseline thresholds; the DPO (dataskyddsombud) must be notified to IMY via its e-service.
- Processing agreements
- Art. 28 GDPR personuppgiftsbiträdesavtal required with all processors. Swedish enterprise and public-sector customers request them as a standard procurement item.
- Breach notification
- Report to IMY within 72 hours via its e-service. IMY publishes annual breach reports and expects even 'investigating' notifications inside the window.
- Enforcement in practice
- IMY fined Spotify SEK 58M (≈€5M) in 2023 for not fully explaining data in access-request responses, and Klarna SEK 7.5M over privacy-notice deficiencies.
Data subject rights
What users can demand from you in Sweden, and the engineering that satisfies each right.
Right to access
Art. 15 GDPRCopy of personal data plus intelligible explanation of processing within one month.
Spotify's fine shows raw data dumps aren't enough — technical fields must be explained so users understand them. Pair exports with a data dictionary.
Right to erasure
Art. 17 GDPRDeletion when data is no longer necessary or consent withdrawn.
Swedish accounting law requires 7-year retention of accounting records — document the exemption.
Right to data portability
Art. 20 GDPRMachine-readable export of user-provided data.
JSON/CSV export endpoint; Spotify's 'Download your data' flow is the reference pattern IMY evaluated.
Right to rectification
Art. 16 GDPRCorrection of inaccurate personal data.
Self-service edits plus a support channel.
Right to restrict processing & to object
Art. 18, 21 GDPRFreeze during disputes; absolute objection to direct marketing.
Maintain suppression lists; Sweden's NIX registries cover telemarketing opt-outs.
Automated decision-making
Art. 22 GDPRProtection against solely automated significant decisions.
Klarna-style instant credit decisions are the canonical Swedish example — disclose the logic and offer human review of rejections.
Tools that cover Sweden
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
cookie consent
Cookiebot
Nordic-founded CMP; Swedish-language banners with prior blocking preconfigured.
Visit Cookiebot → -
privacy policy
iubenda
Generates Swedish and English privacy policies with the concrete wording IMY expects.
Visit iubenda → -
compliance suite
OneTrust
Handles access-request workflows at scale — the exact capability IMY fined Spotify over.
Visit OneTrust →
Frequently asked questions
What did Spotify actually get fined for?
Not refusing access requests — responding incompletely. IMY held that users must receive their data and a sufficiently clear explanation of how it's used. If your export is a raw JSON dump with cryptic field names, add human-readable descriptions.
Can I use Google Analytics in Sweden?
IMY fined four Swedish companies in 2023 over GA's US transfers under the pre-DPF regime. With the EU-US Data Privacy Framework in force and Google certified, GA4 behind consent is defensible again — but document the transfer basis in your ROPA.
Does Sweden add national requirements beyond GDPR?
Few for private companies — the Data Protection Act mostly handles public-sector specifics. Sweden's distinctive feature is enforcement style: IMY cases concentrate on transparency quality and data subject rights execution.
What is the digital age of consent in Sweden?
13 — the GDPR minimum. Consent-based information-society services need parental consent below that age.
Similar jurisdictions
Free download
Get GDPR updates for Sweden
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.