Data Protection & Privacy 2025

Last Updated March 11, 2025

Sweden

Trends and Developments


Authors



Gernandt & Danielsson is a law firm that offers bespoke advice on data protection regulation, including considerations involving other areas of regulatory compliance, such as the financial regulatory landscape, to ensure a holistic approach. The firm acts for domestic and international clients on data protection issues, compliance work and data breaches. It is very strong on large transactional matters, and the team provides transactional data protection advice, including due diligence and audits.

Data Protection in Sweden: An Overview

General trends

In recent years, Sweden's approach to data protection has significantly evolved. Rapid technological advancements, increased digitalisation across industries, and a growing awareness of the individual's right to privacy are the main drivers of this development. As a member of the European Union (EU), the Swedish data protection regime mainly consists of the General Data Protection Regulation (GDPR) and national laws supplementing the GDPR.

This update highlights three of the most prominent trends in Sweden. The first trend concerns the increased focus on cybersecurity from a data protection perspective, with a brief description of the related new cybersecurity legislation and particular focus on the financial sector. The second trend highlights technological advancements and the interplay between AI and data protection, with examples of ongoing initiatives in Sweden. Thirdly, Swedish developments concerning the processing of personal data relating to criminal convictions and offences are presented.

Digital Resilience from a Data Protection Perspective

Digital resilience

Sweden is currently placing greater emphasis on cybersecurity measures for several reasons. In addition to being affected by the recent developments in EU data and cyber regulations, which have already come into force and are expected to be implemented in 2025 and 2026, the heightened focus on cybersecurity is also a response to changes in the Swedish security landscape. The ongoing war in Ukraine, Sweden joining NATO, organised crime, violent extremism and Sweden's threat level regarding terrorism, which has been considered to be four out of five since August 2023 (level four entails a high terrorist threat), have led organisations to prioritise and invest in cybersecurity frameworks to safeguard data.

In February 2025, the Swedish Authority for Privacy Protection (IMY) (Integritetsskyddsmyndigheten) released its annual report, outlining the authority's supervision and other activities throughout 2024. IMY's three major case types – personal data breaches, inquiries, and complaints – all saw an increase during 2024 compared to the previous year. During 2024 IMY received 6,500 reports of personal data breaches and initiated 421 supervisory cases.

Protection against external malicious attacks is important from a security perspective, but internal, persistent and systematic data protection flaws are just as important to address in order to maintain a high level of security. IMY issued several notable decisions regarding security breaches in which personal data was transmitted to a third party over the internet without the controller intending it. In two cases – Apohem AB and Apoteket AB – the companies' websites transmitted customers' purchase records and contact information to Meta through the Meta Pixel website tracking tool. Since the purchases were made at pharmacies, IMY determined that the transferred information constituted sensitive personal data and concluded that the companies had failed to implement appropriate technical measures to ensure a level of security commensurate with the risks. IMY issued administrative fines of SEK8 million to Apohem AB and SEK37 million to Apoteket AB for violating the GDPR. The practical point for practitioners is that a third-party script embedded in a website runs with the page's full context: whatever is placed in the page URL or passed as event parameters reaches the third party as soon as the script fires, whether or not the controller regards it as a transfer.
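The following is an added example, not code from the page, from Meta or from the companies in the decisions above. It shows one kind of technical measure a website operator can put in front of a tracking pixel: a gate that refuses to fire the event without consent or on pages whose URL reveals purchase context, and strips event parameters down to an allow-list so that product names and contact details never leave the site. The path prefixes, the allowed parameters, the event names and the sample event are assumptions constructed for illustration.

```javascript
// Added example: a consent- and data-minimisation gate in front of a third-party
// tracking pixel. The policy below is hypothetical; it is not Meta's API and
// not what any particular pharmacy site did.

// Pages whose URL path alone reveals what a customer bought or is buying
// (assumed paths for illustration).
const SENSITIVE_PATH_PREFIXES = ["/checkout", "/receipt", "/order", "/account"];

// Event parameters the business is willing to share with the tracker.
// Anything else (content_name, contents, em, ph, ...) is dropped.
const ALLOWED_PARAMS = { Purchase: ["value", "currency"], PageView: [] };

// Crude detectors for direct identifiers inside any string we would still send.
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const SWEDISH_PERSONNUMMER_RE = /\b(19|20)?\d{6}[-+]?\d{4}\b/;

function looksLikeIdentifier(value) {
  return typeof value === "string" &&
    (EMAIL_RE.test(value) || SWEDISH_PERSONNUMMER_RE.test(value));
}

/**
 * Decide whether a tracking event may be fired and with which parameters.
 * Returns { fire: boolean, params: object, reasons: string[] }.
 * Dropping parameters is non-blocking (the event fires minimised); every
 * other reason blocks the event entirely.
 */
function gateTrackingEvent({ consent, pageUrl, eventName, params = {} }) {
  const reasons = [];
  if (!consent) reasons.push("no consent for marketing trackers");

  const url = new URL(pageUrl);
  if (SENSITIVE_PATH_PREFIXES.some((p) => url.pathname.startsWith(p))) {
    reasons.push(`page path ${url.pathname} reveals purchase context`);
  }
  // A pixel reports the page URL it was loaded on, so a query string carrying
  // an order id or an email address would leak along with it.
  if (url.search) reasons.push("page URL carries a query string");

  const allowed = ALLOWED_PARAMS[eventName];
  if (allowed === undefined) reasons.push(`event ${eventName} is not in the allow-list`);

  const minimised = {};
  const dropped = [];
  for (const [key, value] of Object.entries(params)) {
    if (!allowed || !allowed.includes(key) || looksLikeIdentifier(value)) {
      dropped.push(key);
    } else {
      minimised[key] = value;
    }
  }
  if (dropped.length) reasons.push(`dropped parameters: ${dropped.join(", ")}`);

  const blocking = reasons.filter((r) => !r.startsWith("dropped parameters"));
  return { fire: blocking.length === 0, params: minimised, reasons };
}

// Constructed sample: what an unguarded integration might send from a receipt page.
const sample = gateTrackingEvent({
  consent: true,
  pageUrl: "https://shop.example/receipt?order=1234",
  eventName: "Purchase",
  params: { value: 249, currency: "SEK", content_name: "Allergy tablets 30 pcs", em: "anna@example.com" },
});
console.log(sample); // fire: false; params reduced to { value: 249, currency: "SEK" }
```

The gate is deliberately conservative: a page that reveals purchase context is blocked outright rather than sanitised, because the tracker also collects the page URL and referrer on its own, which no parameter filter can reach. The identifier detectors are a last line of defence behind the allow-list, not a substitute for it.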

Financial sector

The Swedish financial sector is highly digitalised, including traditional banks and, to a large extent, fintech leaders such as Trustly, Klarna, and Zettle. This digitalisation brings with it data protection and information and communication technology (ICT) risks, making the Swedish financial system in particular more exposed to data protection risks, cyber threats and ICT disruptions.

In addition to the GDPR, the EU Digital Operational Resilience Act (DORA), a directly applicable EU regulation, introduces requirements to address ICT-related risks for nearly all entities operating within the Swedish financial sector. DORA aims to mitigate ICT vulnerabilities and establish uniform rules across the EU. It introduces, among other things, requirements for ICT risk management and ICT-related incident reporting, continuity planning to recover operations after incidents, managing risks from outsourcing ICT to third parties, digital operational resilience testing, and frameworks for information sharing on cyber threats.

Effective 17 January 2025, DORA and its supplementing technical standards apply to banks, investment firms, insurance companies, and other stakeholders in the Swedish financial sector, such as managers of alternative investment funds and crypto-asset service providers. As the financial sector has become predominantly digital and reliant on third-party infrastructure and service providers, an important aspect of DORA is that ICT third-party service providers are brought within the regulation's reach: financial entities must manage them contractually, and providers designated as critical are subject to direct oversight at EU level.

The Swedish Act (2024:1278) with supplementary provisions to DORA contains the national provisions, including on threat-led penetration testing, fees, supervision by the Swedish Financial Supervisory Authority (Finansinspektionen) and sanctions.

In addition to the requirements set forth in the GDPR for engaging a processor, DORA imposes certain data protection related requirements that must be fulfilled when ICT services are procured. Before entering into a contractual arrangement on the use of ICT services, financial entities must assess the ICT risks, plan for exit from the arrangement and ensure appropriate protection of data. The contract itself must include provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data.

Swedish bank secrecy

Along with the GDPR and DORA, entities within the Swedish financial industry also have to comply with the Swedish banking secrecy rules. The banking secrecy rules apply in parallel to the GDPR. Hence, data may fall under the scope of both the GDPR and Swedish banking secrecy rules, requiring careful assessments to ensure compliance with both sets of rules. Swedish bank secrecy is regulated in the Swedish Banking and Financing Business Act (Lag (2004:297) om bank- och finansieringsrörelse) but also in other laws applicable to specific sectors within the financial industry. The Banking and Financing Business Act provides that a credit institution may not disclose an individual's relationship to the credit institution without authorisation. This duty of secrecy imposes obligations on the credit institution and its representatives, such as employees, the CEO, and contractors. If a bank violates its bank secrecy obligations, it may be liable for damages if the individual can prove that the breach has caused them financial harm. Such violations may also prompt the Swedish Financial Supervisory Authority to review the bank's general procedures, potentially resulting in sanctions if the authority deems these routines inadequate.

The persons to whom the duty of confidentiality applies are the bank's customers, whether natural persons or legal entities. It applies to all current and former customer relationships, regardless of their duration and extent, and extends beyond the death of a natural person or the dissolution of a legal entity. The protected information is interpreted broadly to include all information about the customer that the bank obtains because of the customer relationship, both personal data and trivial private information, even if it is not obtained directly from the customer.

Exceptions to banking secrecy apply when providing information to legal guardians, during criminal investigations, and in other instances, provided there are legitimate grounds. Confidentiality may also be waived by a provision in law or based on other specific legitimate grounds (not to be confused with "legitimate interest" as per the GDPR). Banking secrecy does not apply to the customer themselves or when the customer has consented to a specific information disclosure. Additionally, already publicly known information is not considered confidential and, therefore, not protected by banking secrecy regulations.

AI and Data Protection

AI Act

The AI Act came into effect in August 2024, and its provisions are being implemented gradually. The AI Act governs the development, provision, and use of AI systems in the EU. It employs a risk-based approach, where AI systems are divided into the following categories of risk:

  • unacceptable;
  • high;
  • limited; and
  • minimal.

Different requirements apply based on the risk category. General-purpose AI models form an additional category subject to specific transparency and documentation obligations. Violations of the regulation can result in fines calculated on the basis of a company's global annual turnover, comparable to the GDPR.

The AI Act applies in parallel with the GDPR. A national inquiry into the need for Swedish adaptations as a result of the AI Act is ongoing and is due to report by 30 September 2025 at the latest.

Sweden is no exception to the increasing global interest in AI. The use and integration of AI in various sectors raise significant data protection concerns, which need to be evaluated on a case-by-case basis. One of the foremost challenges is understanding the impact of the GDPR on AI and vice versa. Close collaboration between engineers and legal professionals is crucial for ensuring that new AI technology is sound from a data protection perspective. IMY has actively addressed the emerging challenges of AI through regulatory sandboxes. Since uncertainty generally stifles innovation, IMY offers comprehensive guidance through these sandboxes, which emphasise the use of AI in relation to data protection regulation, as described further below.

IMY’s regulatory sandboxes

The main objective of IMY’s regulatory sandbox initiative is to enable collaboration between innovators and regulators. Together, the innovators and regulators interpret how regulations can work in practice with innovative products and services. The purpose of the regulatory sandbox is for IMY to provide guidance through workshops and thereafter make the results public.

The first regulatory sandbox pilot (Pilot) involved two healthcare providers that wanted to evaluate the possibilities of jointly training machine-learning models by exchanging model updates rather than the underlying patient data (federated learning). AI Sweden, the Swedish national centre for applied AI, also supported the work. The results from the Pilot include IMY's reasoning on the appropriate legal basis for such processing activities, the data processing roles and other relevant information from an AI and data protection perspective, together with IMY's reflections on AI and other new technologies in relation to GDPR compliance. IMY highlights the particular need for cross-functional collaboration when AI is used. Both the regulatory and the technical aspects are highly complex, especially when put into practice, so close collaboration between engineers and legal professionals is crucial for success. Engineers will need to explain to legal professionals how the technology functions, and legal professionals will need to explain the fundamental principles of data protection and how engineers should apply them.

Since the first regulatory sandbox, IMY has published the results of two further sandboxes, one on measuring perceived safety in public environments using IoT technology and one on the disclosure of official documents with the help of AI.

An interesting regulatory sandbox to keep an eye out for during 2025 is IMY's sandbox together with the four major Swedish banks SEB, Nordea, Swedbank and Handelsbanken concerning the possibilities for increased information sharing between banks to strengthen the ability to prevent fraud and money laundering while still complying with the GDPR.

Personal Data Relating to Criminal Convictions and Offences

Article 10 of the GDPR in general

Article 10 of the GDPR concerns the processing of personal data relating to criminal convictions and offences. In Sweden, the general rule is that only public authorities may process such personal data. Other organisations may do so only where it is permitted under the Swedish constitution or other applicable law, where it is necessary to establish legal claims or fulfil legal obligations, or where IMY has granted permission, which it has the authority to do. This section highlights important developments led by IMY that are relevant to personal data relating to criminal convictions and offences in Sweden.

Interpretation of Article 10

In a legal position statement, IMY clarified its interpretation of Article 10 of the GDPR. According to IMY, Article 10 applies to information that discloses whether a person is or has been the subject of a police report, preliminary investigation, prosecution or criminal proceedings. This includes acquittals, for example where a person has been cleared of the charges. IMY further clarifies that information indicating that a natural person has been, or may have been, suspected of criminal activity can fall within the scope of Article 10 regardless of whether legal proceedings have been initiated. However, not all such information is covered: a certain threshold of specificity must be met.

Additionally, IMY clarifies that observations or passive events where the objective criteria for a crime may be met are normally not considered processing of personal data relating to criminal convictions and offences. Simply put, if a surveillance camera captures a robbery through passive recording of a certain area, this would generally not be considered data processing under Article 10 of the GDPR. On the other hand, if the sequence of events is separated at a later stage for legal action, it will fall under the scope of Article 10 of the GDPR.

Checks against sanction lists

Another development concerns the legality of conducting checks against sanction lists. The processing of personal data concerning criminal convictions and offences was to some extent already permissible under the Swedish Money Laundering and Terrorist Financing (Prevention) Act (Lag (2017:630) om åtgärder mot penningtvätt och finansiering av terrorism) to the extent necessary to assess and manage the risks associated with a customer relationship. However, there was no explicit legal basis for conducting checks against sanction lists.

Organisations in, eg, the financial, dual-use and military sectors frequently need to perform checks against various international sanctions lists for compliance reasons, such as the lists maintained by OFAC, OFSI and the EU. Since sanctions lists may contain information about criminal offences, businesses in Sweden have, unless other applicable law (for example an EU regulation) authorised the checks, been required to seek specific permission from IMY to conduct them. This resulted in IMY receiving a large volume of applications from entities within the financial sector seeking permission to process such personal data to comply with anti-money laundering and counter-terrorist financing obligations, as well as from organisations involved in the export of dual-use goods or military equipment seeking to adhere to international export restrictions.

IMY's updated regulation and related guidelines aim to facilitate the processing of personal data relating to criminal convictions and offences by certain sectors. They allow certain entities within the financial sector and the military industry to process such data when checking, for example, customers, suppliers and employees against sanctions lists.

The updated regulation provides a legal basis for certain organisations engaged in financial services and subject to anti-money laundering and counter-terrorist financing regulation, as well as certain organisations involved in the export of dual-use goods or military equipment, to process personal data for checks against sanctions lists under certain conditions. The sanctions list must have been adopted in a democratic order and be publicly available on official websites. Organisations must also implement protective measures to distinguish genuine matches from false matches, since screening is typically name-based and a name hit alone says little about whether the person screened is actually the listed person. Finally, the processing is limited to specific categories of individuals connected to the organisation.
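As an added example that is not part of the original text and not IMY's or any screening vendor's code, the following sketches the shape of the protective measures described above: screening is restricted to the permitted categories of persons, a name hit is only ever a "potential match" until a secondary attribute (here, date of birth) confirms or refutes it, and the refuted case is recorded as an explicit false match rather than silently discarded. The sanctions list entries, the persons screened, the similarity threshold and the outcome labels are all constructed assumptions.

```javascript
// Added example: sanctions-list screening with explicit handling of false matches.
// List entries, persons and thresholds are constructed for illustration.

// Categories of persons the organisation is permitted to screen (assumed).
const SCREENABLE_ROLES = new Set(["customer", "supplier", "employee"]);

// Constructed mini sanctions list with fictional entries.
const SANCTIONS_LIST = [
  { id: "LIST-0001", name: "Ivan Petrov", dob: "1965-03-12" },
  { id: "LIST-0002", name: "Maria Gonzalez Lopez", dob: "1980-07-01" },
];

// Normalise a name so accents, case, punctuation and word order do not defeat matching.
function normaliseName(name) {
  return name
    .normalize("NFD").replace(/[\u0300-\u036f]/g, "")   // strip diacritics
    .toLowerCase().replace(/[^a-z\s]/g, " ")            // keep letters only
    .trim().split(/\s+/).sort().join(" ");              // order-independent tokens
}

// Levenshtein edit distance (single-row dynamic programme).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Similarity in [0, 1]; 1 means identical after normalisation.
function nameSimilarity(a, b) {
  const x = normaliseName(a), y = normaliseName(b);
  return 1 - editDistance(x, y) / Math.max(x.length, y.length, 1);
}

/**
 * Screen one person against the list. Returns { outcome, hits } where outcome is
 * "not-screened", "no-match", "potential-match", "false-match" or "true-match".
 * A name-only hit never becomes a confirmed match; the secondary attribute decides.
 */
function screenPerson(person, list = SANCTIONS_LIST, threshold = 0.85) {
  if (!SCREENABLE_ROLES.has(person.role)) {
    return { outcome: "not-screened", hits: [] };   // outside the permitted categories
  }
  const hits = [];
  for (const entry of list) {
    const score = nameSimilarity(person.name, entry.name);
    if (score < threshold) continue;
    let outcome = "potential-match";                // name only: manual review required
    if (person.dob && entry.dob) {
      outcome = person.dob === entry.dob ? "true-match" : "false-match";
    }
    hits.push({ id: entry.id, score: Number(score.toFixed(2)), outcome });
  }
  if (hits.length === 0) return { outcome: "no-match", hits };
  const severity = { "true-match": 3, "potential-match": 2, "false-match": 1 };
  const worst = hits.reduce((a, b) => (severity[b.outcome] > severity[a.outcome] ? b : a));
  return { outcome: worst.outcome, hits };
}

// Constructed usage: same name and accent variation, different date of birth.
console.log(screenPerson({ name: "Petrov, Iván", dob: "1970-01-01", role: "customer" }));
```

Recording a false match as its own outcome, together with the attribute that refuted it, is what lets the organisation show that the listed person's data was consulted only to rule out the hit, and it stops the same customer from being re-flagged on every subsequent run. In production, the date of birth would be joined by further attributes such as nationality or identity document number, and the threshold would be tuned against the list actually in use.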

The Swedish entities affected by the new regulations are companies in the financial sector under the supervision of the Swedish Financial Supervisory Authority, companies in the security and defence market under the supervision of the Swedish Inspectorate for Strategic Products (Inspektionen för strategiska produkter), and certain companies in the security and defence market under the supervision of the Swedish Radiation Safety Authority (Strålsäkerhetsmyndigheten).

GDPR and the constitutionally protected right to publish

For non-Swedish persons, it may come as a surprise how easily the personal data of most Swedish individuals can be found in online databases, including name, family, address, size of home, car details, company engagements, criminal records, etc. Under the Swedish Freedom of the Press Act (Tryckfrihetsförordningen (1949:105)) and the Swedish Fundamental Law on Freedom of Expression (Yttrandefrihetsgrundlagen (1991:1469)), holders of a certificate of no legal impediment to publication (ie, a publishing licence) have constitutional protection for their publication of personal data.

The compatibility of personal data publishing and the GDPR has been the subject of several governmental investigations and national public debate due to the widespread publication and dissemination of personal data, including personal data relating to criminal convictions and offences. Each year, IMY receives several complaints against holders of publication licences. The complaints often concern companies providing online search services with personal data such as names, addresses and personal data relating to criminal convictions and offences.

Previously, the prevailing view was that IMY was prevented from investigating complaints from individuals against such search services because of the protection afforded by the Swedish Freedom of the Press Act and the Swedish Fundamental Law on Freedom of Expression.

However, during 2024 several significant developments emerged concerning the right of entities holding voluntary publishing licences to publish, under the Swedish constitution, personal data that is protected by the GDPR. In its recent legal position, IMY considers that it is authorised to initiate supervision of, and take enforcement action against, search services holding a publishing licence following complaints from individuals under the GDPR.

The main reasons why IMY has reconsidered its previous position are outlined below.

  • Developments in the EU and Swedish case law that have strengthened the legal positions of individuals who complain to IMY and IMY's obligations to investigate and act on their complaints.
  • Case law, which has clarified that a balance needs to be struck between the right to protection of personal data under the GDPR and the freedom of expression and information under the Swedish Freedom of the Press Act and the Swedish Fundamental Law on Freedom of Expression. Accordingly, the Swedish constitutional protection for holders of publishing licences may not always take precedence over the GDPR, and a balance must be struck in each individual case between the privacy protection interest expressed by the GDPR and the constitutional protection.

Additionally, a report presented by the Swedish Government in November 2024 includes proposals to amend the Freedom of the Press Act and the Fundamental Law on Freedom of Expression, which would impact search services publishing personal data. Legal policy developments in Sweden concerning search services with a publishing licence must, therefore, be closely monitored.

Gernandt & Danielsson

Gernandt & Danielsson
Hamngatan 2, Box 5747
SE-114 87 Stockholm
Sweden

+46 8 670 66 00

info@gda.se www.gda.se