HOME/All Jurisdictions/SE

SE — Country Profile

Sweden

28TOTAL
23OFFICIAL SOURCES
2TOPIC AREAS
Law / Act3
Executive Order4
National Strategy1
Other20
15 JAN 2026 · Law / Act

Cybersecurity Act (2025:1506) implementing NIS 2 Directive

On 15 January 2026, the Cybersecurity Act (2025:1506), transposing Directive (EU) 2022/2555 (NIS 2 Directive), enters into force. The Act applies to public and private operators that fall within its scope under Chapters 1 and 2, including operators in sectors listed in Annexes I and II to the NIS 2 Directive and meeting the applicable size or designation criteria. Operators in scope are subject to binding obligations to register with the competent supervisory authority, implement appropriate ...

✓ OfficialNational Strategyriksdagen.se ↗
10 OCT 2025 · Executive Order

Government's designation of Post and Telecom Authority as competent authority under EU Data Act

On 10 October 2025, the Swedish Government appointed the Post and Telecom Authority (PTS) as the competent authority for the European Union's (EU) Data Regulation on fair access to and use of data. The Regulation aims to create a uniform EU framework for secure and fair data sharing. It gives individuals and companies stronger rights to move and use their data. It covers data generated by smart devices, machines, and services.

✓ OfficialNational Strategypts.se ↗
12 SEP 2025 · Other

Data Protection Authority inquiry into personal data processing for training artificial intelligence models in custody matters

On 9 December 2025, the Data Protection Authority (IMY) released a report on personal data processing for training artificial intelligence models in custody matters. The project, conducted with the law firm Familjens Jurist within the IMY regulatory sandbox, evaluated the use of custody case data to predict high-conflict scenarios. The inquiry focused on whether further processing for AI training complies with General Data Protection Regulation (GDPR) principles, specifically purpose limitati...

✓ OfficialNational Strategyimy.se ↗
31 MAR 2025 · Other

Swedish Authority for Privacy Protection's guidance on updated Camera Surveillance Act

On 31 March 2025, the Swedish Authority for Privacy Protection (IMY) issued comprehensive guidance to support implementation of the amended Camera Surveillance Act (2018:1200), which enters into force on 1 April 2025. The guidance clarifies the legal responsibilities of organisations following the removal of the permit requirement for camera surveillance in publicly accessible spaces. IMY outlines how actors must now independently carry out a documented interest-balancing assessment under the...

✓ OfficialNational Strategyimy.se ↗
06 MAR 2025 · Other

Authority for Privacy Protection investigation into Spotify's compliance with individuals' requests to access their personal data

On 3 June 2025, the Administrative Court of Appeal upheld the SEK 58 million fine imposed on Spotify AB for noncompliance with the General Data Protection Regulation (GDPR). The penalty was originally issued by the Swedish Authority for Privacy Protection (IMY) in June 2023, following an investigation initiated by a complaint. According to the Court, Spotify did not provide users with sufficiently clear and accessible information on how their personal data is processed, including details on d...

✓ OfficialNational Strategydomstol.se ↗
02 SEP 2024 · Other

Privacy Authority regulatory sandbox on LiDAR use in public spaces under GDPR and surveillance law

On 9 February 2024, the Swedish Authority for Privacy Protection (IMY) concluded its second regulatory sandbox pilot, focused on the use of LiDAR sensors to measure public safety conditions in urban environments. Conducted in partnership with the Stockholm City Transport Office, IoT Sweden, and Kista Science City, the project explored the legal implications of processing data from LiDAR-based Internet of Things (IoT) systems intended to estimate the demographic composition of crowds in public...

✓ OfficialNational Strategyimy.se ↗
30 AUG 2024 · Other

Swedish Data Protection Authority investigation into Apoteket and Apohem for transfer of personal data to Meta

On 30 August 2024, the Swedish Data Protection Authority (IMY) issued a ruling in its investigation into local pharmacies Apoteket and Apohem for unlawful transfer of personal information to Meta. In particular, the IMY found that the companies breached Article 32(1) of the GDPR for failing to adopt adequate measures to ensure an appropriate level of security for the personal information of their customers when using the Meta pixel analysis tool on their websites. The tool was used by the com...

✓ OfficialNational Strategyimy.se ↗
24 JUN 2024 · Other

Data Protection Authority investigation into Avanza Bank's use of Meta-pixel analysis tool compliance with GDPR

On 24 June 2024, the Data Protection Authority (IMY) announced its decision to impose an administrative sanction fee of SEK 15 million against Avanza Bank AB for violating articles 5.1(f) and 32.1 of the General Data Protection Regulation (GDPR) due to inadequate security measures while using the Meta-pixel analysis tool from 15 November 2019 to 2 June 2021. Article 5.1f of GDPR requires that personal data must be processed securely, employing appropriate technical and organisational measures...

✓ OfficialNational Strategyimy.se ↗
14 JUN 2024 · Other

Case involving applicability of Articles 13 and 14 of GDPR when personal data is collected via body-worn cameras

On 14 June 2024, the Swedish Supreme Administrative Court announced that it requested a preliminary ruling from the EU Court of Justice to clarify which of Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) applies when personal data is collected via body-worn cameras. The request arises from a case where the Privacy Protection Authority imposed a penalty on a company for allegedly failing to meet the information provision requirements under Article 13 of GDPR during ticke...

National Strategydomstol.se ↗
14 MAY 2024 · Other

IMY Legal position IMYRS 2024:1 on complaints against search services with publication certificates

On 14 May 2024, the Swedish Data Protection Authority (IMY) issued Legal position IMYRS 2024:1 on complaints against search services with publication certificates. The Legal position is issued to provide an operational position and guidance on an issue where there is no other guidance by courts or the European Data Protection Board. With the new Legal position, IMY changes its previous position regarding the investigation of data protection complaints with publication certificates under Swedi...

✓ OfficialNational Strategyimy.se ↗
15 MAR 2024 · Other

IMY investigation into its decisions in complaints against holders of voluntary issuance certificates following Court of Appeal ruling on GDPR precedence

On 15 March 2024, the Swedish Data Protection Authority (IMY) announced a review of its handling of complaints against holders of voluntary publication licenses under the EU Data Protection Regulation (GDPR). This decision was made following the ruling in Case 6027-23 of the Administrative Court of Appeal. The Court ruled that constitutional protection of publication certificates does not always take precedence over the GDPR. IMY has received several complaints regarding holders of publicatio...

National Strategyimy.se ↗
13 MAR 2024 · Other

Lawsuit concerning certificates of issue under Freedom Press Ordinance precedence over GDPR (Case 6027-23)

On 13 March 2024, the Court of Appeal in Stockholm issued a ruling (Case 6027-23) on the applicability of the EU Data Protection Regulation (GDPR) in relation to the Swedish constitutional protection under the Basic Law on Freedom of Expression over certificates of issue. The Court rejected a company's request for personal data from the Swedish Prosecution Authority for journalistic activities, emphasising that the Swedish exemption for journalistic activities under the GDPR does not apply un...

✓ OfficialNational Strategydomstol.se ↗
27 FEB 2024 · Other

IMY Guideline on Processing of Personal Information by AI in Accordance with GDPR

Official source record dated 27 February 2024 for Sweden concerning IMY Guideline on Processing of Personal Information by AI in Accordance with GDPR. See the linked imy.se source for the authoritative text, procedural context, and implementation details.

✓ OfficialNational Strategyimy.se ↗
12 JAN 2024 · Law / Act

Law 2024:954 on supplementary national provisions to Digital Services Act in Sweden designating competent authorities and coordinator

On 1 December 2024, Law 2024:954 on supplementary provisions to the Digital Services Act (DSA) entered into force in Sweden. The Law supplements the DSA by setting out national rules on competent authorities, supervisory measures, judicial review, and sanctions. Within that framework, the Law designates the Swedish Post and Telecom Authority (PTS) as Sweden’s Digital Services Coordinator and assigns supervisory and enforcement responsibilities, alongside additional competent authorities for s...

✓ OfficialContent Moderationdata.riksdagen.se ↗
11 JAN 2024 · Executive Order

IMY regulations on processing of personal data related to violations of the law including sanction list checks

On 1 November 2024, the regulations on the processing of personal data related to violations of the law, including sanction list checks of the Swedish Authority for Privacy Protection (IMY), enter into force. The regulations permit specific companies, particularly in the financial sector and the security and defence market, to process personal data related to legal violations when conducting checks against sanction lists. The regulations eliminate the previous requirement for companies to see...

✓ OfficialNational Strategyimy.se ↗
19 OCT 2023 · Other

IMY investigation into H&M's direct marketing based on data subject requests

On 19 October 2023, the Swedish Agency for Privacy Protection (IMY) issued an administrative fine of SEK 350,000 in its investigation into H&M over its alleged failure to stop direct marketing based on data subject requests in violation of the General Data Protection Regulation (GDPR). The IMY investigation found that the company has failed to handle requests from individuals who do not want to receive marketing from the company. H&M failed to stop the direct marketing based on personal data ...

✓ OfficialNational Strategyimy.se ↗
18 SEP 2023 · Executive Order

IMY Regulations on the processing of personal data relating to criminal offences

On 18 September 2023, the Swedish Authority for Privacy Protection (IMY) published a draft of new regulations on the processing of personal data relating to criminal offences. The regulations set out the conditions under which persons other than the authorities can process personal data referred to in article 10 of EU regulation 2016/679 of 27 April 2016, and apply to companies under the supervision of the Financial Supervisory Authority offering financial services and being obliged to comply...

National Strategyimy.se ↗
30 AUG 2023 · Other

IMY investigation into Trygg-Hansa for alleged GDPR breach

On 30 August 2023, the Swedish Authority for Privacy Protection (IMY) imposed a fine of SEK 35 million on the insurance company Trygg-Hansa. The IMY, following its investigation, found vulnerabilities that resulted in the exposure of customer insurance data on the internet. The IMY's investigation determined that customer information for 650’000 individuals was accessible from October 2018 to February 2021. The IMY's findings indicated that Trygg-Hansa had failed to implement adequate technic...

✓ OfficialNational Strategyimy.se ↗
26 JUN 2023 · Other

IMY investigation into Bonnier for alleged misuse of personal data

On 26 June 2023, the Swedish Privacy Protection Agency (IMY) fined Bonnier, a Swedish media group, for purportedly misusing personal data to ad profile customers. The company has been sanctioned with an administrative fine of SEK 13 million for the acquisition and management of personal data with the intention of using it for marketing, without obtaining the consent of the individuals involved. The IMY asserts that the company gathered information from multiple sources, which was subsequently...

✓ OfficialNational Strategyimy.se ↗
15 MAY 2023 · Other

IMY Supervisory Plan 2023

On 15 May 2023, the Swedish Privacy Protection Authority (IMY) published its annual Supervisory Plan. The plan sets forth the IMY's decisions regarding the reviews to be conducted throughout the year. This year, the planned inspections encompass the evaluation of camera surveillance in publicly accessible locations. Earlier this year, the European Data Protection Board (EDPB) launched a collaborative effort to investigate the role and position of data protection officers. As part of this init...

✓ OfficialNational Strategyimy.se ↗
30 MAR 2023 · Other

Investigation into WhatsApp for alleged violation of Electronic Communications Act

On 30 March 2023, the Swedish Post and Telecommunications Board (PTS) announced the launch of an investigation into messaging service WhatsApp to review its compliance with the obligation to report a security incident. According to the PTS, the investigation was sparked by a global outage WhatsApp’s service that occurred on 25 October 2022, which PTS has assessed to be a reportable security incident. The Electronic Communications Act places an obligation on companies to report significant sec...

National Strategypts.se ↗
07 MAR 2023 · Other

IMY investigation into Google Analytics usage by CDON, Coop, Dagens Industri and Tele2

On 3 July 2023, the Swedish Privacy Authority (IMY) issued a ruling concluding its investigation into Google Analytics usage by CDON, Coop, Dagens Industri and Tele2. The IMY examined that the supplementary technical measures implemented by the four companies, in addition to EU standard contractual clauses, were not sufficient to guarantee the necessary level of protection for the data they transferred to the United States following the Schrems II judgement invalidating the Privacy Shield. Th...

✓ OfficialNational Strategyimy.se ↗
20 DEC 2022 · Other

IMY investigation of Google LLC concerning data processing and compliance with right to be forgotten

On 20 December 2022, the Swedish Supreme Administrative Court decided not to grant an appeal in the Google v Swedish Authority for Privacy Protection's (IMY) case concerning Google's practices in complying with the right to be forgotten under the GDPR, giving effect to the judgment issued on 30 November 2021 by the Gothenburg Court of Appeal, which ordered Google to pay a fine of SEK 50 million. The Court of Appeal found that Google's practice of informing webmasters about the removal of a UR...

✓ OfficialNational Strategyimy.se ↗
13 SEP 2022 · Other

Swedish Authority for Privacy Protection investigation into Klarna Bank AB identity verifications methods

On 13 September 2022, the Swedish Authority for Privacy Protection (APP) announced that it had opened an investigation into Klarna Bank concerning the company's methods of verifying individuals' identities. In particular, the Data Protection Authority opened its investigation in response to individual complaints against Klarna Bank. According to the complaints, Klarna Bank has made unreasonable demands on how private individuals have had to identify themselves. Individuals also complained abo...

National Strategyimy.se ↗
17 JUN 2022 · Other

PTS Cookie Guidance

On 17 June 2022, the Swedish Post and Telecom Authority (PTS), the sector authority in the fields of electronic communications and postal services, has published a set of Guidelines on the proper use of cookies to store user information on websites. Specifically, the Guidelines set out the requirements that have to be complied with to obtain valid user consent to cookie use.

✓ OfficialNational Strategypts.se ↗
09 JUL 2021 · Executive Order

Oversight mechanism architecture in the establishment of Sweden National Cyber Security Centre

On 7 September 2021, the Swedish National Cyber Security Center is established by the Swedish Post and Telecom Authority. The aim of the center is to coordinate the collaboration on cybersecurity between a number of authorities, such as the Security Police, the Armed Forces, and the Swedish Post and Telecom Authority.

✓ OfficialNational Strategypts.se ↗
12 JAN 2021 · Law / Act

Cybersecurity measures in amendment to Security Protection Act

The proposal for an amendment to the Security Protection Act is implemented. The amendment to enhances the role of security protection managers, incentivises the use of security protection agreements and requires special security assessments in case of procedures that involve security agreements, including consultation with the regulatory authority. Finally, the amendment enhances the supervisory authorities' investigative and sanctioning powers.

✓ OfficialNational Strategysvenskforfattningssamling.se ↗
National Strategy

National approach to artificial intelligence (Nationell inriktning för artificiell intelligens)

AI law in Sweden: Published by the Swedish Government on 16 May 2018, the "National approach to artificial intelligence" (Nationell inriktning för artificiell intelligens) sets out Sweden's strategic direction for AI focusing on four pillars: education, research, innovation & use, and framework & infrastructure. The document identifies priorities such as skills development, public-sector uptake, data access, ethical principles and participation in international standard-setting to realise AI's economic and societal benefits while managing associated risks....

✓ OfficialNational Strategydigital-strategy.ec.europa.eu ↗