Data Protection & Privacy 2026

Last Updated March 10, 2026

Sweden

Law and Practice

Authors



Hellström Advokatbyrå KB was founded in 1991, and has established itself as one of Sweden’s most respected commercial law firms through its ability to identify innovative solutions and deliver comprehensive legal support. Hellström is a full-service firm. The firm serves listed companies, SMEs, municipalities, county councils and organisations, delivering tailored solutions within the field of data protection law, including compliance analyses, policy development, contractual documentation and incident management. Services encompass both long-term strategic GDPR implementation and complex, specific legal issues. With a client-centred approach, Hellström combines deep legal expertise with a practical understanding of the commercial realities its clients face, ensuring advice that is not only legally sound but also operationally effective. The firm also provides training programmes for employees, management teams and boards to ensure comprehensive understanding of data protection obligations and best practices. The firm is engaged in several international legal networks. Hellström is a collaborating firm of US-based Andersen.

Primary Legal Sources

Sweden’s data protection regime is built on the GDPR (Regulation (EU) 2016/679), which sets the core rules for processing personal data and is directly applicable in Sweden.

The Swedish Data Protection Act (lagen (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning) complements the GDPR by providing national rules permitted under the Regulation.

Ordinance (2018:219) with supplementary provisions to the EU Data Protection Regulation (förordning (2018:219) med kompletterande bestämmelser till EU:s dataskyddsförordning) complements the Swedish Data Protection Act, providing more specific regulations.

Chapter 2, Section 6, second paragraph, of the Instrument of Government (regeringsformen (1974:152)), one of Sweden’s fundamental laws, protects everyone against significant infringements of personal privacy by public authorities where these occur without consent and involve surveillance or mapping of the individual’s personal circumstances. Privacy is further protected by the European Convention on Human Rights (incorporated into Swedish law through lag (1994:1219) om den europeiska konventionen angående skydd för de mänskliga rättigheterna och de grundläggande friheterna, EKMR) and by the Charter of Fundamental Rights of the European Union (Europeiska unionens stadga om de grundläggande rättigheterna, EU:s rättighetsstadga).

Further data protection-related provisions are found in the Fundamental Law on Freedom of Expression (yttrandefrihetsgrundlagen (1991:1469), YGL) and the Public Access to Information and Secrecy Act (offentlighets- och sekretesslagen (2009:400), OSL), where the balance between freedom of expression and personal integrity is at issue.

Sectorial Laws

For criminal matters, the relevant law is the Law Enforcement Data Act (brottsdatalagen (2018:1177)).

There are specific laws for camera surveillance (the Camera Surveillance Act, kamerabevakningslagen (2018:1200)) and for the processing of personal data for credit scoring (the Credit Information Act, kreditupplysningslagen (1973:1173)).

For the health sector the Patient Data Act (patientdatalagen (2008:355)) supplements the GDPR.

Furthermore, several public authorities have their own data protection laws regulating the purposes for which personal data may be processed within that authority; the Swedish Tax Agency is one example.

Interaction Between Legal Levels

The GDPR takes precedence as directly applicable EU law. Swedish legislation cannot contradict the GDPR but may supplement or deviate from it where the Regulation itself leaves room for national rules. Where sectoral legislation applies, the principle of lex specialis governs, meaning the more specific law takes precedence over the general one.

To illustrate this by way of example, the European Convention on Human Rights establishes a right to privacy, which is further elaborated upon through the GDPR. The Swedish Data Protection Act then specifies applicable rules where permitted by the GDPR. The Ordinance with supplementary provisions to the EU Data Protection Regulation in turn sets out certain rules relating to the Swedish Data Protection Act.

Extraterritorial Reach

The Swedish Data Protection Act provides that the data protection rules apply to the processing of personal data carried out in the context of the activities of an establishment of a controller or processor in Sweden. The Act also applies to processing carried out by controllers that are not established in Sweden but in a place where Swedish law applies by virtue of public international law.

The Act also applies to the processing of personal data carried out by data controllers or data processors that are only established in third countries, if the processing concerns data subjects who are located in Sweden and is related to:

  • the offering of goods or services to such data subjects; or
  • the monitoring of their behaviour in Sweden.

Interplay with Non-Personal Data, Cyber and AI Laws

The EU AI Act (Regulation (EU) 2024/1689) is directly applicable in Sweden. It supplements the GDPR; it does not replace it. Providers and deployers must still comply with the GDPR wherever personal data is processed. There are no specific Swedish provisions that alter this interaction beyond what is set out in the EU legislation.

Two key EU instruments govern cybersecurity and intersect with data law more broadly: the NIS2 Directive and the Cyber Resilience Act (CRA). NIS2 is a directive and therefore takes effect through national transposition, whereas the CRA is a directly applicable regulation. While the GDPR focuses on personal data, NIS2 and the CRA impose cybersecurity requirements on systems and products irrespective of whether the data involved is personal. Organisations can build on their existing GDPR compliance frameworks, particularly in the areas of risk assessment, incident reporting and security measures, but should note that the reporting triggers, deadlines and recipient authorities differ between the regimes.

General Principles

The Swedish Data Protection Act does not increase the available rights or principles under the GDPR for data subjects; the same rights and principles outlined in the GDPR apply.

However, chapter 8 in the Swedish Patient Data Act covers patient rights regarding medical records, including:

  • access to and copying of records upon request;
  • procedures when access is denied;
  • provisions for record destruction under certain conditions; and
  • information rights about data access.

Compliance Checklist

Core GDPR operational tasks typically include:

  • mapping processing operations and purposes;
  • identifying lawful bases for processing;
  • assessing whether special categories of personal data or personal data relating to criminal convictions and offences are processed, and on what basis;
  • drafting and providing information to data subjects;
  • enabling access/rectification/erasure/objection/portability and limits to automated decisions – ie, data subjects’ rights;
  • implementing appropriate technical and organisational measures to ensure security of processing;
  • maintaining records of processing activities;
  • conducting DPIAs for high-risk processing;
  • appointing a DPO where required;
  • setting processor terms;
  • breach readiness/notifications; and
  • transfer mechanisms.

National regulation relating to Healthcare Data

Healthcare organisations must:

  • ensure that patient records are maintained with the required content and retention periods;
  • enforce internal confidentiality and role-based access with logging and periodic audits of access;
  • enable patients to block (spärra) electronic access to their records by other care units within the provider;
  • restrict search keys: special categories of personal data other than health data may not be used as search terms in records;
  • use GDPR-compatible legal bases and secrecy rules for health data; and
  • for quality registers, implement opt-out, proper purposes, a public authority as controller, data minimisation and erasure of data (gallring).

General Prohibition and Exceptions

Processing of special categories of personal data is prohibited unless one of the exceptions in Article 9(2) GDPR applies (eg, explicit consent, employment/social security law, vital interests, public interest in the area of public health, research with safeguards). Processing for healthcare purposes under Article 9(2)(h) GDPR requires that the data are handled by or under the responsibility of a professional subject to professional secrecy (Article 9(3) GDPR). For private healthcare providers that professional secrecy is set out in Chapter 6, Section 12, of the Patient Safety Act (patientsäkerhetslagen (2010:659)); for public providers it follows from the Public Access to Information and Secrecy Act.

Personal data relating to criminal convictions and offences may, under Article 10 GDPR, be processed only under the control of official authority or where authorised by law providing appropriate safeguards. Chapter 3, Section 8, of the Data Protection Act provides that such data may always be processed by public authorities. Parties other than public authorities may process data relating to criminal convictions if the processing is necessary to:

  • establish, exercise or defend legal claims, or
  • fulfil a legal obligation under an Act or Ordinance.

According to IMY’s regulations on the processing of personal data concerning criminal offences, IMYFS 2024:1, the following organisations may also process such data, for the purposes stated in the regulations:

  • non-public authorities in social services;
  • independent schools and private higher education institutions (for student welfare records);
  • law firms and other legal service providers;
  • companies with internal whistle-blowing channels (for senior personnel investigations);
  • companies under the supervision of the Swedish Financial Supervisory Authority (Finansinspektionen); and
  • companies under the supervision of the Inspectorate of Strategic Products or the Swedish Radiation Safety Authority.

Data Processing Relating to Minors

Under Article 8 GDPR, where consent (Article 6(1)(a)) is the legal basis for processing a child’s personal data in relation to information society services offered directly to a child, the processing is lawful only if the child is at least 16 years old. For children below 16, processing is lawful only if consent is given or authorised by the holder of parental responsibility over the child.

Through Chapter 2, Section 4 of the Swedish Data Protection Act, Sweden has exercised its option under Article 8 GDPR to lower the age threshold. When information society services are offered directly to a child living in Sweden, the child’s personal data may be processed on the basis of the child’s own consent if the child is at least 13 years old. If the child is under 13, the data may only be processed with the consent of the child’s parent or legal guardian.

Health Data Processing in Sweden

In Sweden’s healthcare sector, health data may be processed under Article 9(2)(h) GDPR, subject to professional secrecy. Personal data relating to criminal offences may be processed by private healthcare providers only where this is strictly necessary.

The GDPR allows further processing for scientific research/statistics/archiving with appropriate safeguards. The Patient Data Act enables use of quality registers for research and statistics.

Healthcare providers may process patient data for quality assurance, healthcare development, and research within healthcare. Processing for commercial product development by external companies requires either patient consent or ethical review board approval combined with appropriate safeguards.

Companies providing healthcare products or services may use anonymised patient data for product development and scientific research, since truly anonymised data falls outside the scope of the GDPR. Two caveats apply: the anonymisation step is itself processing of personal data and needs a legal basis of its own, and data that can still be linked back to a person by combining it with other information is pseudonymised, not anonymised, and remains within the GDPR.

European Health Data Space Regulation Impact

The aim of the EHDS Regulation is:

  • to improve access to and control over electronic health data for individuals to enable health data to be shared within and between EU countries so that it is available to healthcare professionals and pharmacies when needed for the best possible care and treatment of patients; and
  • to enable health data to be reused throughout the EU for purposes such as research, innovation and preparedness for and response to health threats.

For secondary use, the EHDS creates Health Data Access Bodies in each member state to facilitate access to electronic health data for research and innovation. The regulation aims to enable life sciences companies to apply for access to pseudonymised health data across EU member states through standardised procedures.

The EHDS Regulation achieves this partly by identifying which Article 9(2) GDPR exceptions apply to the health data it covers, and by adding rules specific to health data that complement the existing GDPR framework.

Aside from this regulation, there have been no national (Swedish) guidelines put in place, or any other laws that regulate the health data space.

For AI systems, providers and deployers must comply with the GDPR wherever personal data is processed. Controllers must establish a lawful basis for every processing operation, including the collection of training data.

There are so far (February 2026) no national guidelines or national AI Act in Sweden. The rules governing AI and automated decisions all stem from the AI Act and the GDPR.

The AI Act regime is risk-based, with prohibited AI uses including manipulative techniques causing significant harm, social scoring, and real-time remote biometric identification for law enforcement (except in narrow cases), as well as certain emotion recognition and biometric categorisation systems.

High-risk AI includes classification for specific areas including biometrics, critical infrastructure, education, employment, essential services (credit/insurance), law enforcement, migration/asylum, justice, and democratic processes.

Transparency and accountability serve as foundational principles across both regulatory frameworks. Within the GDPR framework, organisations must fulfil specific information duties when collecting personal data (for example Article 13 GDPR). The AI Act similarly prioritises transparency, though it implements this principle differently. High-risk AI system providers bear responsibility for equipping deployers with comprehensive usage documentation, enabling them to properly understand and apply the system’s outputs (Article 13 AI Act).

Under the EU AI Act (Article 14), “human oversight” refers to the requirement that high-risk AI systems must be designed and developed in such a way that they can be effectively overseen by natural persons during the period in which they are in use, with the aim of preventing or minimising risks to health, safety, or fundamental rights. In practice, this means that persons assigned to oversight must be able to understand the system’s capabilities and limitations, detect anomalies, avoid over-reliance on AI outputs (automation bias), correctly interpret results, and crucially, be able to override, disregard, or shut down the system entirely.

In Sweden, IMY has published a guideline which aims to create conditions for combining the development and use of AI with strong data protection, thereby promoting innovation and digitalisation in a privacy-friendly manner.

The guidance stipulates that any processing of personal data in the context of AI development or use must comply with GDPR.

It clarifies what counts as personal data, which includes personal identity numbers (personnummer), names, IP addresses, email addresses and pictures in which a person is visible. It also notes that data which cannot on its own be directly linked to a person, but can identify a person when combined with other data, is also personal data.

Under Articles 33 and 34 GDPR, controllers must notify IMY of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk, the affected data subjects must also be informed without undue delay, unless measures such as encryption have rendered the data unintelligible to unauthorised persons or the risk has otherwise been removed. Processors must notify the controller without undue delay. All breaches must be documented, including those assessed as not requiring notification (Article 33(5) GDPR).

IMY provides a notification form on its website which controllers (or processors notifying on their behalf) can use to report a personal data breach. The form asks for:

  • incident details: when the incident occurred, when it was discovered, whether it is ongoing, when it ceased, reason for late reporting (if applicable), type of incident (unauthorised disclosure, access, loss, destruction, or alteration), and a brief description;
  • discovery and cause: how the incident was discovered and why it occurred, sector and operational area where it took place;
  • affected persons and data: number of affected data subjects, number of affected data records, categories of data subjects (employees, customers, patients, children, etc), types of personal data affected (special categories, identification data, etc), and whether data was encrypted;
  • consequences: potential consequences of the incident and severity assessment; and
  • actions taken: measures taken or planned to address the incident.

IMY does not typically open an investigation on the basis of a breach notification alone, given the volume of notifications it receives.

An investigation becomes more likely where a breach attracts significant media attention and IMY sees itself as compelled to act; see IMY’s decision of 26 January 2026 regarding SportAdmin.

IMY

IMY is Sweden’s primary data protection regulator. Established under the Data Protection Act, IMY supervises GDPR compliance, the Data Protection Act, and certain sectoral privacy laws. IMY’s mandate includes monitoring and enforcing compliance; investigating complaints; conducting audits; issuing guidance; co-operating with other EU supervisory authorities; and representing Sweden in the European Data Protection Board.

Competent Authorities

IMY has authority over all privacy-related matters, except for the rules on storing and retrieving information in terminal equipment (cookies and similar technologies) under the E-privacy Directive (2002/58/EC), which are supervised by PTS. IMY retains competence over the subsequent processing of personal data collected through cookies.

Investigative Workflow

IMY investigations are typically triggered by:

  • individual complaints;
  • data breach notifications;
  • media reports;
  • whistle-blower information; or
  • IMY’s own initiative based on risk assessments.

Upon receiving complaints, IMY conducts preliminary assessments to determine jurisdiction, admissibility, and priority.

For investigations, IMY typically:

  • notifies the controller/processor of the investigation and allegations;
  • requests written submissions and documentation;
  • provides opportunities for organisations to respond to preliminary findings; and
  • issues formal decisions with reasoning, corrective measures, and any sanctions.

Cross-Border Co-Operation

For cross-border processing cases, IMY co-operates with other EU supervisory authorities through the GDPR’s consistency mechanism. When IMY is the lead supervisory authority (for controllers/processors with main establishments in Sweden), it co-ordinates investigations and draft decisions with concerned supervisory authorities. The one-stop shop mechanism aims to provide single-point supervision for cross-border controllers. There are no national rules complementing this structure.

Investigation Procedure

IMY initiates investigations through various triggers:

  • individual complaints (most common);
  • data breach notifications suggesting serious violations;
  • media reports;
  • whistle-blower information; or
  • own-initiative investigations based on sectoral risk assessments.

IMY prioritises cases involving large-scale processing, special categories of personal data, children’s data, systematic violations, or novel legal issues with broader implications.

Upon initiating investigations, IMY typically issues written requests for information to controllers/processors, specifying required documentation and response deadlines. The response deadline is typically three weeks, with the possibility of being granted a postponement.

Before issuing decisions, IMY provides draft findings and proposed measures, allowing organisations to submit written responses. This ensures procedural fairness and enables organisations to correct factual errors, provide additional context, or present legal arguments. Unlike, for example, the Swedish Competition Authority, IMY does not have the power to carry out dawn raids, that is, unannounced on-site inspections.

IMY may impose various administrative sanctions under Article 58 GDPR. Warnings and reprimands are non-financial sanctions for less serious violations or first-time offences by organisations demonstrating good faith compliance efforts. Orders to comply with data subject requests address specific rights violations. Processing suspension orders halt unlawful processing pending compliance.

The most typical sanction is a reprimand, even for more serious breaches. If an administrative fine is issued IMY relies heavily on the Guidelines 04/2022 of the EDPB on the calculation of administrative fines under the GDPR.

Organisations may appeal IMY decisions to Swedish administrative courts. Appeals must be filed with the Administrative Court of Stockholm (Förvaltningsrätten i Stockholm) within three weeks of receipt of the decision. Appeals proceed through three levels:

  • Administrative Court;
  • Administrative Court of Appeal of Stockholm (Kammarrätten i Stockholm), requiring leave to appeal; and
  • Swedish Supreme Administrative Court (Högsta förvaltningsdomstolen), requiring leave to appeal.

IMY’s decisions are administrative and are challenged through the administrative courts; IMY does not bring enforcement actions in the criminal or civil courts.

For the past 24 months IMY has had structural organisational issues internally and seen the amount of incoming complaints increase substantially. As a result, IMY’s capacity to carry out own-initiative investigations has dropped significantly. As of 1 January 2026, IMY has introduced a new organisational structure aimed at streamlining the agency to better handle complaints and own-initiative investigations.

Most decisions made by IMY are from complaints lodged against a controller, typically when IMY is the lead supervisory authority according to the one-stop shop mechanism. This is because IMY faces resistance from other supervisory authorities when seeking to close cases without examining the substance of the complaint, for example by issuing information letters instead of adopting a decision on the merits.

In practice, the clearest indication that IMY is likely to commence an own-initiative investigation is that the matter has attracted media attention.

There has been no national case law from the Swedish Supreme Court regarding private litigation. However, there have been several lower court judgments regarding non-contractual damages. Typically, these cases revolve around a data subject’s rights not being adhered to.

Most claims fail in court because of the difficulty of proving actual damage, even though non-material damage is compensable. The levels of non-contractual damages awarded under Swedish case law are normally between SEK3,000 and SEK5,000 for non-material damage, but in a few isolated cases have been between SEK15,000 and SEK35,000.

The requirements for claimants to bring privacy claims before courts follow the CJEU’s case law, which indicates that it is required that there has been an infringement of the Data Protection Regulation, that damage has occurred, and that there is a causal link between the infringement and the damage. An infringement of the provisions of the Data Protection Regulation alone is thus not sufficient to give rise to compensation.

There is no national case law from the Swedish Supreme Court regarding privacy litigation; the relevant standards are set by CJEU case law. The most relevant decisions are:

  • judgment of the Court of Justice of the European Union of 4 May 2023 in Case C-300/21;
  • judgment of the Court of Justice of the European Union of 14 December 2023 in Case C-340/21; and
  • judgment of the Court of Justice of the European Union of 25 January 2024 in Case C-687/21.

Collectively, these three decisions establish the threshold for GDPR compensation claims: a breach alone is not enough; actual (even non-material) harm must be proven, hypothetical fears are insufficient on their own (though genuine, well-founded fear can qualify), and no punitive damages are available.

The Swedish legislature has not implemented Article 80 GDPR, which gives organisations or associations in the field of the protection of data subjects’ rights and freedom the right to exercise the rights referred to in Articles 77, 78 and 79 of the GDPR.

Under current Swedish law, a legal person cannot represent an individual in court. A non-profit organisation thus cannot act as a representative for the data subject in an administrative case or in a non-contractual damages case in a general court. The provisions on legal representatives in Chapter 12 of the Code of Judicial Procedure are based on the premise that the representative is a natural person.

With regard to the protection of personal privacy, in recent years it has become more common to have non-profit organisations active in the data-protection field. In Sweden, however, this type of activity is still limited.

The Representative Actions Directive was implemented in Sweden on 1 January 2024 through the Act (2023:730) on Group Actions for the Protection of Consumers’ Collective Interests. The reform expands the possibilities for bringing representative actions on behalf of consumers, but is not expected to lead to any dramatic increase in the number of cases. The Swedish Consumer Agency has been designated as a qualified entity in Sweden.

The EU Data Act (Regulation (EU) 2023/2854) has direct applicability from 12 September 2025 in Sweden as in the other EU member states. Supplementary national legislation will, in accordance with the requirements, be enacted in Sweden. The EU Data Act applies to manufacturers, users, data holders, data recipients, third parties, public bodies, cloud service providers, and participants in data spaces involving connected products and associated services.

The regulation covers both personal and non-personal data, governing cross-sector data access and sharing frameworks in relation to the internet of things, cloud computing, and other data processing services. Sweden will, in accordance with the requirements, enact a new Supplementary Act and Ordinance to complement the EU Data Act, specifying definitions, enforcement mechanisms, and sanctions.

Public authorities may request data in exceptional situations, such as public emergencies, but criminal enforcement agencies and tax authorities are excluded from this chapter.

There is no Swedish national law regulating non-personal data except for the EU Data Act.

The EU Data Act explicitly respects and complements the GDPR and other privacy laws, requiring that data sharing and processing of personal data comply with the GDPR’s principles and legal bases. Pseudonymisation or anonymisation of personal data is mandated where feasible for public requests.

Confidentiality obligations apply to competent authorities and public bodies processing data under the EU Data Act, with existing Swedish secrecy laws deemed adequate for covering these requirements.

The EU Data Act (Article 43) limits the scope of application of the Database Directive: the sui generis database right does not apply to data obtained from or generated by a connected product or related service within the scope of the EU Data Act, so that right cannot be invoked to hinder the access and sharing rights the EU Data Act grants in respect of such data.

The framework ensures that any processing of personal data under the EU Data Act maintains a lawful basis under the GDPR, such as necessity for public tasks or legal obligations, whilst respecting confidentiality and data protection principles.

Rights

Users of connected products have enhanced rights to access and share product-generated data, with data holders obligated to provide such access promptly and under non-discriminatory, fair terms; unfair contractual clauses are invalidated.

Natural persons and legal entities whose rights under the EU Data Act are infringed have the right to lodge complaints and seek effective remedies, including appeal rights against authorities’ decisions not to act on complaints.

Obligations

  • Data sharing between businesses, including cloud service providers, must avoid “lock-in” via the removal of switching fees by 2027, enable data portability, and foster interoperability through open standards developed at the EU level.
  • Connected products must be designed so that product data is directly accessible to users by default in an easy, secure, free, and machine-readable format. Before sale or lease, sellers/lessors must provide clear information about data types, volumes, storage, and how users can access or delete data.
  • Data holders must make readily available data accessible to users without undue delay, free of charge, in a structured and machine-readable format. When users request data sharing with third parties, data holders must provide the data to those third parties under the same conditions. Data holders must not make it unreasonably difficult for users to exercise their rights through manipulative interface design. Where trade secrets are involved, data holders must identify such data and agree on appropriate confidentiality measures.
  • Third parties must process received data only for agreed purposes and delete it when no longer necessary to keep. They must not use data for profiling (unless necessary), share it onwards without agreement, make it available to gatekeepers, or use it to develop competing products.
  • A contractual term on data access/use or on liability/remedies in case of breach/termination of data-related obligations that has been unilaterally imposed on another enterprise is not binding on that enterprise if the term is unfair.

Public entities must handle requested data confidentially and may only use data for the specified public interest; data must be deleted when no longer necessary to keep unless archival law applies.

Action Items for Organisations

Organisations should:

  • inventory and categorise cloud agreements (SaaS/PaaS/IaaS), noting that Chapter VI of the EU Data Act already applies from 12 September 2025, even for existing agreements;
  • identify B2B agreements with data clauses that are either open-ended or run until 11 January 2034 or later, as these will be subject to Article 13 from 12 September 2027;
  • assess other agreements with data components for clauses potentially conflicting with the EU Data Act;
  • create a “Data Act addendum” for cloud agreements, prioritising updates to switching and portability clauses, using the European Commission’s non-binding model clauses as a starting point;
  • build a “2027 list” of B2B agreements affected by Article 13 from 12 September 2027, planning to remove unfair data clauses and renegotiate or terminate agreements before 2027 if they cannot be adapted;
  • monitor PTS guidance as the competent authority in Sweden regarding their forthcoming guidance and supervisory practices concerning the EU Data Act; and
  • note that Swedish supplementary legislation enters into force on 1 July 2026, primarily addressing supervision, powers, and sanctions rather than altering the contractual rules in the EU Data Act.

The Swedish Post and Telecom Authority (Post- och Telestyrelsen, PTS) is designated as the sole competent authority for enforcement and as the certifying body for dispute resolution organisations. PTS has powers to impose fines, issue warnings, investigate complaints, handle sanctions, and promote data literacy among stakeholders.

The Swedish Civil Contingencies Agency (Myndigheten för civilt försvar, MCF) supports public sector bodies requiring data to manage exceptional needs, tasked with guiding and preparing these bodies for effective use of the Data Act provisions.

PTS co-operates with IMY and other sectoral bodies to ensure consistent enforcement and alignment with related legislation. Harmonisation efforts, standards development, and legal clarifications are driven mainly at the EU level via the European Commission and the European Data Innovation Board (EDIB), with PTS participating actively; regulatory sandboxing by PTS is proposed to facilitate practical guidance for industry stakeholders.

Sanctions include administrative fines ranging from SEK5,000 to SEK20 million depending on the nature of the actor and violation.

The E-privacy Directive, incorporated in Swedish law through the Electronic Communications Act (lagen (2022:482) om elektronisk kommunikation), regulates online tracking technologies such as cookies, SDKs, and other device identifiers.

In Sweden, an opt-in model is applied. Data may be stored in or retrieved from a subscriber’s or user’s terminal equipment only if the user consents to it. However, such storage or access is permitted when necessary for the transmission of an electronic message via an electronic communications network or when necessary for the provision of a service at the express request of the user or subscriber.

Consent must meet GDPR standards: freely given, specific, informed, unambiguous, and easily withdrawable. This means:

  • No Pre-Ticked Boxes: Users must take affirmative action to consent.
  • No Cookie Walls: Access to websites cannot be conditioned on consent to non-essential cookies.
  • Granular Choices: Users must be able to consent separately to different cookie categories.
  • Easy Withdrawal: Consent withdrawal must be as easy as giving consent.
  • Clear Information: Cookie notices must clearly explain purposes, data collected, and recipients.
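The opt-in model described above (storage on or access to the device only after an affirmative choice, with strictly necessary storage exempt, no pre-ticked boxes, granular categories, and withdrawal as easy as giving consent) can be expressed as a small consent gate that trackers must pass before touching the device. The following JavaScript is an added illustration, not code from the original guide or from Hellström; the category names, the in-memory storage standing in for a first-party cookie, and the tracker loader callbacks are assumptions made for the example.

```javascript
// Added example (not from the original guide): a minimal opt-in consent gate.
// Assumptions: three categories, a Map as stand-in for first-party storage,
// and loader callbacks representing third-party trackers.

const CATEGORIES = ["necessary", "analytics", "marketing"];

function createConsentManager(storage = new Map()) {
  const KEY = "consent-record";

  // Default state: no affirmative action yet, nothing pre-ticked.
  // "necessary" is the only category on by default, because storage that is
  // strictly required to provide the requested service is exempt from consent.
  function defaults() {
    return {
      given: false,
      timestamp: null,
      choices: { necessary: true, analytics: false, marketing: false },
    };
  }

  function load() {
    const raw = storage.get(KEY);
    return raw ? JSON.parse(raw) : defaults();
  }

  function save(record) {
    storage.set(KEY, JSON.stringify(record));
    return record;
  }

  // Record the user's affirmative, granular choice. Unknown categories are
  // rejected so a misnamed tracker cannot slip through the gate.
  function grant(selected) {
    for (const c of selected) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    }
    const record = defaults();
    record.given = true;
    record.timestamp = new Date().toISOString();
    for (const c of selected) record.choices[c] = true;
    return save(record);
  }

  // Withdrawal is a single call, no harder than granting: everything except
  // "necessary" goes back to off and the consent record is cleared.
  function withdraw() {
    return save(defaults());
  }

  // Gate: a tracker asks this before setting or reading anything on the device.
  function canUse(category) {
    if (!CATEGORIES.includes(category)) return false;
    if (category === "necessary") return true;
    const record = load();
    return record.given === true && record.choices[category] === true;
  }

  // Run a tracker's loader only if its category is permitted. The page itself
  // is never blocked, so there is no cookie wall; only the tracker is skipped.
  function loadIfAllowed(category, loader) {
    if (!canUse(category)) return false;
    loader();
    return true;
  }

  return { grant, withdraw, canUse, loadIfAllowed, load };
}

// Stand-alone demonstration of the gate's behaviour.
const demo = createConsentManager();
console.log("before any choice, analytics allowed:", demo.canUse("analytics"));
demo.grant(["analytics"]);
console.log("after granting analytics only, marketing allowed:", demo.canUse("marketing"));
demo.withdraw();
console.log("after withdrawal, analytics allowed:", demo.canUse("analytics"));
```

In a real site the Map would be replaced by a first-party cookie or `localStorage`, and each third-party script tag would be wrapped in `loadIfAllowed` rather than loaded unconditionally; the point of the structure is that a tracker cannot run at all until `given` has been set by an affirmative call to `grant`.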

Personalised and targeted advertising in Sweden is primarily regulated by the Marketing Act (2008:486), the GDPR, the Electronic Communications Act (2022:482), and – for large platforms – the EU Digital Services Act (DSA). IMY supervises data protection compliance, whilst PTS oversees cookie compliance.

The GDPR requires a lawful basis for profiling and direct marketing and grants an unconditional right to object to direct marketing. The use of automated decisions is restricted. Use of special categories of personal data in marketing generally requires explicit consent. The age threshold for a child’s own consent to Information Society Services is set at 13 under Article 8 GDPR and Chapter 2, Section 4 of the Swedish Data Protection Act.

Personalised advertising and online marketing require:

  • consent – for electronic marketing (email, SMS) to individuals who have not previously purchased similar products/services; and
  • legitimate interests – for direct marketing to existing customers, subject to a balancing test and easy opt-out.

Data subjects have an absolute right to object to direct marketing at any time. Controllers must:

  • inform data subjects of the right to object at first communication; and
  • provide easy, free opt-out mechanisms (eg, unsubscribe links).

Case Law

IMY found that Bonnier News AB processed personal data without legal grounds under Article 6.1 GDPR by profiling individuals based on their behavioural data in complex behavioural profiles and simple behavioural profiles to display customised advertisements, and imposed an administrative fine of SEK13 million.

IMY found that the consent requirement under the Swedish Electronic Communications Act provides strong privacy protection and control for individuals, that this protection risks being undermined if the collected personal data is then processed on other legal grounds such as legitimate interest, and that the scope for using Article 6.1(f) GDPR as a legal basis for profiling based on observed data is limited.

Swedish employment law balances employers’ legitimate interests in managing the workplace against employees’ privacy rights. Key principles include:

  • Necessity and Proportionality: Employee monitoring must be necessary for legitimate purposes and proportionate to those purposes.
  • Transparency: Employees must be clearly informed about monitoring scope, purposes, and methods.
  • Minimisation: Only data necessary for specified purposes can be collected.
  • Limited Retention: Employee data can only be retained as long as necessary for the purpose it was originally processed.

It is not advisable to base the processing of employees’ personal data on the legal basis of consent; consent should be relied on only in specific situations.

Employee Monitoring

Workplace monitoring (eg, email monitoring, internet usage tracking, location tracking, video surveillance) requires:

  • legitimate purpose: clearly defined business reasons (eg, security, productivity, legal compliance);
  • proportionality assessment: balancing employer interests against employee privacy;
  • transparency: clear policies informing employees about monitoring;
  • minimisation: limiting monitoring to what is necessary; and
  • good practice in the labour market: an established principle in Swedish labour law, which means that employers and employees must act with respect, loyalty and common sense, often as a complement to other requirements.

Swedish practice generally prohibits:

  • continuous, comprehensive monitoring of all employee activities;
  • monitoring of private communications (eg, personal emails, private phone calls);
  • covert monitoring except in exceptional circumstances (eg, suspected serious misconduct); and
  • monitoring in private areas (eg, restrooms, changing rooms).

Background Checks

There is no express statutory right for informal register checks, though the absence of regulation has not been considered to mean that conducting such checks is prohibited.

For private actors, the problem is that the only applicable legal basis under Article 6 GDPR is often the balancing of interests (Article 6.1(f)), which is complicated and creates significant uncertainty for private organisations regarding their right to process such data. Unlike public authorities, private actors lack the right to process data on criminal offences without permission from IMY, except in limited cases where specific statutory support exists.

A fragmented regulatory framework and significant uncertainty about what is permitted mean that currently background checks, especially regarding criminal records, are legally dubious.

A special investigator has been appointed to analyse the need for and prerequisites for conducting background checks in both public and private operations, aiming to provide organisations with appropriate tools before and during employment to prevent risks posed by persons with criminal or other harmful intentions in workplaces, such as infiltration and other undue influence, whilst ensuring personal privacy is protected. The mandate must be completed by 11 March 2027.

Job Applicants

Processing applicant data requires:

  • lawful basis: typically, contractual necessity (pre-contractual measures) or legitimate interest;
  • transparency: clear privacy notices explaining personal data use;
  • retention limits: delete unsuccessful applicant data after two and a half years (so that the period within which an applicant may bring discrimination proceedings, for example on grounds of age, has elapsed; that period is a little more than two years), unless consent has been obtained for future opportunities; and
  • equality: avoid discriminatory processing (eg, automated screening tools must not discriminate).

There is no specific regulation that differentiates Swedish privacy concerns from any other country bound by the GDPR.

Privacy due diligence is critical to identify risks before acquisition. Key red flags include, for example, lack of privacy policies, no personal data inventory, security issues, and past unresolved data breaches.

Personal data should be disclosed gradually on a “need-to-know” basis throughout the transaction stages. A data sharing agreement between target and acquirer is essential, specifying permitted use, confidentiality obligations, and data deletion requirements if the transaction fails.

Under the GDPR, data subjects must be transparently informed about the M&A transaction and how their personal data will be processed post-completion. The target typically leads this communication through direct contact, website notices, or email notifications. Depending on circumstances, consent may be required for data transfers.

Sweden regulates cross-border transfers of both personal and non-personal data through the GDPR and the EU Data Act (Regulation (EU) 2023/2854), supplemented by proposed Swedish national legislation effective from 1 July 2026.

What Counts as a “Transfer”

Under the EU Data Act, “transfer” includes making data available or accessible across member state boundaries or to third countries, encompassing both personal and non-personal data generated by connected products and services. For personal data under the GDPR, transfers occur when personal data is transferred to or accessed from outside the EU or EEA by controllers or processors established within the EU.

Mechanisms for Lawful Transfers of Personal Data (GDPR)

Transfer of personal data to third countries is lawful only if the controller or processor ensures adequate protection via an adequacy decision by the European Commission recognising the third country’s protection level as equivalent to EU standards, or through appropriate safeguards such as binding corporate rules, standard contractual clauses, approved codes of conduct, or certification mechanisms. In the absence of adequacy decisions or safeguards, specific derogations apply for situations, including explicit consent, contract performance, important public interest, legal claims, or protection of vital interests.

Mechanisms for Lawful Transfers of Non-Personal Data (EU Data Act)

Providers of data processing services must implement technical, organisational, and contractual safeguards to prevent unauthorised international government access to non-personal data held in the Union, and transfers pursuant to third-country court orders are only permissible if based on international agreements and provided they meet conditions of specificity, proportionality, and opportunity for objections. Data processing service providers must comply with harmonised rules facilitating data portability and switching of services with technical and contractual safeguards, with fees for switching abolished by 12 January 2027.

The Swedish Post and Telecom Authority (PTS), designated as the competent authority, assesses data requests by public bodies for exceptional needs, ensuring requests meet criteria of necessity, proportionality, transparency, and legitimate interest balance prior to authorising data access. Providers may seek advisory opinions from relevant national bodies on whether conditions for third-country transfers are fulfilled.

Public bodies receiving data via extraordinary needs requests may share data with other public bodies, EU institutions, or approved third parties under conditions preserving confidentiality and purpose limitations. Users have the right to have data held by data holders provided to third parties of their choice on request, subject to contractual safeguards and confidentiality protections, with restrictions on certain entities such as gatekeeper companies. Third parties receiving data must process data only for agreed purposes, maintain confidentiality, and delete data when no longer needed.

Data holders may limit or refuse access to protect trade secrets, confidential business information, or where sharing would significantly harm economic interests, provided they notify PTS. Requests for data by public bodies must be specific, justified, and not duplicate previous requests; unfounded requests need not be complied with.

Under Article 32 of the EU Data Act, data processing service providers must take adequate technical, organisational, and legal measures to prevent international government access to and transfer of non-personal data held in the Union where such transfer or access would contravene Union law or the national law of the member state concerned. This applies when decisions or judgments from courts or administrative authorities in third countries require a provider to transfer or provide access to non-personal data covered by the EU Data Act and held in the Union.

The decision’s or judgment’s addressee may request an opinion from the relevant national body or authority with competence for international co-operation in legal matters to determine whether the conditions specified are fulfilled, particularly when the decision may concern trade secrets and other commercially sensitive data, as well as content protected by intellectual property rights, or where the transfer may lead to re-identification.

However, Sweden has not succeeded in identifying any authority or body that currently conducts activities corresponding to the task described in Article 32.3 of the EU Data Act. If it emerges during the application of the regulation that data processing service providers do not receive the assistance prescribed in Article 32.3 by approaching Swedish authorities, the government will consider appointing one or more relevant authorities under that article.

Data Localisation Rules

The key Swedish data localisation law is the Swedish Bookkeeping Act (1999:1078) (Bokföringslagen). Chapter 7, Section 2 requires organisations to:

  • store accounting information in Sweden for seven years after the end of the calendar year in which the fiscal year ended; and
  • maintain equipment for storing accounting information in Sweden.

The types of information that have to be kept in Sweden include:

  • balance sheets;
  • basic accounting and general ledgers;
  • subsidiary ledgers;
  • verification documents, meaning documents concerning business events or adjustments made to accounts (Chapter 1, section 2(8), Bookkeeping Act);
  • bookkeeping system documentation and processing histories; and
  • annual reports.

Exemptions

An organisation that has accounting obligations under the Bookkeeping Act may:

  • temporarily store verification documents outside of Sweden if special reasons consistent with good accounting practices exist (Chapter 7, Section 3, Bookkeeping Act); for example, a bank may store verification documents in another country for bookkeeping in that country;
  • store machine-readable media and maintain equipment for storing accounting information in another EU country or a country that is party to a mutual assistance agreement if the organisation:
    1. notifies the Tax Agency or the Financial Supervisory Authority of the equipment storage location;
    2. allows immediate access to the accounting information at the request of the Tax Agency or the Customs Agency; and
    3. can immediately produce the accounting information in printed form on request.

In General

The GDPR does not mandate data localisation; personal data may be stored anywhere provided appropriate transfer mechanisms are in place. However, remote access by third-country entities constitutes a transfer requiring compliance with Chapter V GDPR.

Remote access by third-country entities is permitted when one of the following transfer mechanisms applies:

  • the third country has received an EU adequacy decision (eg, EU–US Data Privacy Framework for certified US organisations, UK, Switzerland, Japan, etc);
  • standard contractual clauses (SCCs) have been executed between data exporter and importer, accompanied by:
    1. a transfer impact assessment evaluating third-country laws;
    2. supplementary measures where necessary (encryption, access controls, data minimisation); and
    3. documentation of the assessment and measures;
  • for intra-group transfers, binding corporate rules (BCRs) have been approved by supervisory authorities; or
  • Article 49 derogations apply in limited situations, including:
    1. explicit consent after being informed of the risks;
    2. contractual necessity;
    3. establishment, exercise or defence of legal claims;
    4. protection of vital interests; and
    5. compelling legitimate interests (rare, occasional transfers affecting few individuals); and
  • irrespective of the transfer mechanism relied upon, appropriate technical and organisational security measures have been implemented, namely:
    1. encryption of data in transit and at rest;
    2. strong authentication and access controls;
    3. logging and monitoring of access;
    4. contractual restrictions on data use; and
    5. regular security assessments.

There is no privacy law except for the GDPR restricting foreign discovery. The basic principle is that a court in the state where the trial is taking place can only access evidence in another state if that state has given its consent, either through an international agreement or in the individual case. If an official representative of a state, such as a judge, conducts evidence-gathering on site within the territory of another state without such approval, this typically constitutes a violation of the sovereignty of the other state.

Rules on the taking of evidence abroad are found in the 1970 Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters. Between EU member states, the EU Evidence Regulation (Regulation (EU) 2020/1783) applies. If there are legal grounds for foreign discovery, these would typically not be in conflict with the GDPR, as the regulation permits processing of personal data for secondary purposes if it is based on Union law or the national law of the member states, and constitutes a necessary and proportionate measure in a democratic society.

The Swedish Supreme Court addressed the interplay between discovery obligations and the GDPR in the Norra Stockholm Bygg case (Ö 1750-20), where it sought a preliminary ruling from the CJEU on whether GDPR Articles 6(3) and 6(4) apply to national procedural law concerning discovery of documents containing personal data. The CJEU confirmed that these provisions are applicable in civil disputes involving discovery of documents with personal data concerning third parties collected for other purposes (such as tax control). The court held that national courts must consider the interests of the data subjects when deciding on discovery requests and balance these against the circumstances of each case, the type of proceedings involved, and with due regard to the proportionality principle and the data minimisation principle under Article 5(1)(c) GDPR.

In the Swedish case, the Swedish Supreme Court ultimately granted the discovery request, emphasising that the right to effective judicial protection and a fair trial requires parties to access documents needed to prove their case, even when they contain others’ personal data. However, it applied the data minimisation principle by requiring masking of personal identity numbers whilst allowing disclosure of names and work attendance records.

The GDPR continues to evolve through adequacy decisions and updated SCCs. The AI Act’s entry into force (general application from 2 August 2026; prohibitions from 2 February 2025) will add obligations for high-risk AI relying on cross-border data and require alignment with GDPR and data-transfer regimes. The next development to expect concerns the EU–US Data Privacy Framework and whether it will be challenged in the courts.

Hellström Advokatbyrå KB

Kungsgatan 33
XV Floor
S-111 57 Stockholm
Sweden

+46 8 22 09 00

info@hellstromlaw.com
www.hellstromlaw.com

Trends and Developments


Authors



Gernandt & Danielsson offers bespoke advice on data protection regulation, including considerations involving other areas of regulatory compliance, such as artificial intelligence and the financial regulatory landscape, in order to ensure a holistic approach. The firm acts for domestic and international clients on data protection issues, compliance work and data breaches. It is very strong on large transactional matters and the team provides transactional data protection advice, including data protection due diligence and audits.

General Trends

In recent years, Sweden’s approach to data protection has significantly evolved. Rapid technological advancements, increased digitalisation across industries, and a growing awareness of individuals’ right to privacy are the main drivers of this development. As a member of the European Union (EU), the Swedish data protection regime mainly consists of the General Data Protection Regulation (GDPR) and national laws supplementing the GDPR.

This update highlights three prominent data protection trends in Sweden. The first trend concerns cybersecurity and digital resilience in the financial sector from a data protection perspective. The second trend addresses technological advancements and the interplay between artificial intelligence (AI) and data protection. The third trend regards Swedish developments concerning the processing of personal data relating to criminal convictions and offences.

Trends in the Financial Sector From a Data Protection Perspective

The Swedish financial sector in general

The Swedish financial sector is highly digitalised and includes traditional banks and, to a large extent, fintech leaders such as Trustly, Klarna and Zettle. This digitalisation entails data protection as well as information and communication technology (ICT) risks, rendering the Swedish financial system particularly vulnerable to data protection risks, cyber threats, and ICT disruptions. In addition to recent developments in EU data and cyber regulations, several of which have already entered into force and are expected to be implemented in 2026, the heightened focus on cybersecurity also responds to changes in the Swedish security landscape arising from, inter alia, the ongoing war in Ukraine and organised crime.

Swedish banking secrecy

The Swedish banking secrecy rules apply in parallel to the GDPR. Hence, data may fall under the scope of both the GDPR and Swedish banking secrecy rules, requiring careful assessments to ensure compliance with both sets of rules. Swedish bank secrecy is regulated in the Swedish Banking and Financing Business Act (Lag (2004:297) om bank- och finansieringsrörelse) but also in other laws applicable to specific sectors within the financial industry. The Banking and Financing Business Act provides that a credit institution may not disclose an individual’s relationship to the credit institution without authorisation. This duty of secrecy imposes obligations on the credit institution and its representatives, such as employees, the CEO, and contractors. If a bank violates banking secrecy undertakings, it could be liable for damages if the individual can prove that the relevant breach has caused them financial harm. Such violations may also prompt the Swedish Financial Supervisory Authority (SFSA) (Finansinspektionen) to review the bank’s general procedures, potentially resulting in sanctions if the SFSA deems these procedures inadequate.

The right to confidentiality applies to the bank’s customers, both natural and legal persons. It applies to all current and former customer relations, regardless of the duration and extent of the relationship, and extends beyond the death of the natural person or the dissolution of the legal entity. The protected information is interpreted broadly to include all information about the customer that the bank obtains because of the customer relationship, both personal data and trivial private information, even if it is not obtained directly from the customer.

Exceptions to banking secrecy apply when providing information to legal guardians, during criminal investigations, and in other instances, provided that there are legitimate grounds. Banking secrecy may also be waived by a provision of law or based on other specific legitimate grounds (not to be confused with “legitimate interest” under the GDPR). Banking secrecy does not apply to the customer themselves or when the customer has consented to a specific information disclosure. Additionally, information that is already publicly known is not considered confidential and is therefore not protected by banking secrecy regulations.

As part of the government’s ambitions to fight criminal activities, since April 2025, banks and payment institutions have been subject to obligations to disclose customer information to law enforcement authorities pursuant to the Swedish Banking and Financing Business Act (Lag (2004:297) om bank- och finansieringsrörelse) and the Swedish Act on Payment Services (Lag (2010:751) om betaltjänster). The disclosure obligation overrides the duty of confidentiality and provides a legal basis for the processing of personal data relating to criminal offences. The government has also introduced the same disclosure obligation for e-identification companies and crypto service providers, proposed to enter into force in May 2026.

The EU Digital Operational Resilience Act

The EU Digital Operational Resilience Act (DORA) (Regulation 2022/2554) establishes requirements to address ICT-related risks for most financial undertakings operating in Sweden. DORA aims to mitigate ICT vulnerabilities and establish uniform rules across the EU. It introduces, inter alia, requirements for cybersecurity information, continuity planning, managing risks from outsourcing ICT to third parties, resilience testing, and frameworks for information sharing.

Effective from January 2025, DORA and its supplementing technical standards apply to banks, investment firms, insurance companies, and other financial undertakings, such as managers of alternative investment funds and crypto service providers. As the financial sector has become predominantly digital and reliant on third-party infrastructure and service providers, such ICT providers fall within the scope of DORA. The Swedish Act supplementing DORA (Lag (2024:1278) med kompletterande bestämmelser till EU:s förordning om digital operativ motståndskraft för finanssektorn) and regulations issued by the SFSA set out provisions on threat-led penetration testing, fees, sanctions, and supervision by the SFSA.

Additionally, DORA poses certain data protection requirements that must be fulfilled. Financial entities must assess ICT risks and discontinuation provisions to ensure appropriate data protection prior to entering into a contractual arrangement on the use of ICT services. This includes provisions on availability, authenticity, integrity, and confidentiality in relation to the protection of data, including personal data.

The EU NIS 2 Directive

The NIS 2 Directive (NIS 2), adopted by the EU in December 2022, aims to achieve a higher level of cybersecurity within the EU by significantly expanding the scope of covered sectors, enhancing requirements for security measures and incident reporting, strengthening management responsibilities, and introducing stricter sanctions. NIS 2 was implemented into Swedish law through a new Cybersecurity Act (Cybersäkerhetslag (2025:1506)) that entered into force in January 2026. Note that, for certain provisions, financial institutions must instead follow DORA as lex specialis.

In addition, the Critical Entities Resilience Directive (CER) (Directive (EU) 2022/2557), adopted by the EU in December 2022, aims to strengthen the resilience of critical entities against disruptions to their operations. With few exceptions, NIS 2 and CER cover entities operating in the same sectors, such as the energy and transport sectors. However, entities in the banking, financial market infrastructure, and digital infrastructure sectors are to some extent exempt from certain provisions of the new law transposing CER into Swedish law, as similar obligations are already covered by NIS 2 and the Cybersecurity Act. The final legislative proposal for the implementation of CER into Swedish law is provisionally scheduled for publication in March 2026 and is provisionally expected to enter into force during spring/summer 2026.

It should be noted that the Commission proposed the Digital Omnibus Package in November 2025, which aims to provide a solution for streamlining cybersecurity incident reporting under several laws, including the GDPR, NIS 2 and CER, bringing them under the umbrella of a single reporting mechanism for all related reporting obligations.

The new Consumer Credit Directive

To strengthen consumer protection, the EU has adopted a new Consumer Credit Directive (CCD 2). The directive is expected to be implemented into Swedish law through a proposed new Consumer Credit Act (Konsumentkreditlag), with a government bill anticipated in March 2026 (although currently delayed) with entry into force in November 2026. CCD 2 affects data protection in several ways.

Firstly, the Swedish government proposes to introduce an obligation for creditors and credit intermediaries to inform consumers in a clear manner that they are providing them with a personalised offer based on the automated processing of their personal data, and to inform them of the data sources used to personalise such offers.

Secondly, similar to Article 22 of the GDPR, the CCD 2 grants consumers the right to request and obtain human intervention from the creditor where an automated credit assessment decision is based on personal data. Additionally, the CCD 2 provides individuals with a broader right to human intervention as it applies to the entire credit assessment process and not just to the final decision.

Thirdly, the CCD 2 prohibits the collection and processing of sensitive personal data contained in databases for the purpose of assessing the consumer’s creditworthiness.

Finally, the CCD 2 stipulates that consumers must be informed within 30 days of registration in a database of any outstanding credit claims about the registration itself and about their rights under the GDPR. As no corresponding right to information exists in Swedish law, the government intends to introduce such a provision.

AI and Data Protection

The AI Act and data protection

The AI Act came into effect in August 2024, and its provisions are being implemented gradually. It aims to promote the use of human-centred and trustworthy AI, and to protect users against harmful effects. The AI Act governs the development, provision, and use of AI systems in the EU. It employs a risk-based approach, where AI systems are divided into the following categories of risk:

  • unacceptable;
  • high;
  • limited; and
  • minimal.

Different requirements apply based on the risk category. General-purpose AI models are an additional category posing specific transparency requirements.

The AI Act applies in parallel with the GDPR. A national review of the need for national adaptations because of the AI Act has been published, and the supplementary provisions are proposed to enter into force in August 2026. With regard to market surveillance, the government has proposed that supervisory responsibilities be delegated to different authorities, each responsible for supervising AI systems in its respective area. Additionally, the Swedish Authority for Privacy Protection (IMY) (Integritetsskyddsmyndigheten) will be responsible for the supervision of several high-risk AI systems and prohibited AI uses. The Swedish Post and Telecom Authority (PTS) (Post- och telestyrelsen), as the single contact point, will be responsible for co-ordinating market surveillance and supervision, and for leading activities in AI regulatory sandboxes. Finally, IMY, PTS and the SFSA are also tasked with authorising real-world testing outside regulatory sandboxes.

IMY’s regulatory sandboxes

The use and integration of AI in various sectors raise significant concerns from a data protection perspective, which need to be evaluated on a case-by-case basis. One of the foremost challenges is understanding the impact of the GDPR on AI and vice versa. IMY has been actively involved in addressing the emerging challenges of new AI technology through regulatory sandboxes. Uncertainty generally stifles innovation; therefore, IMY offers guidance through its regulatory sandboxes, which emphasise the use of AI in relation to data protection regulations.

Throughout 2025, IMY launched and concluded several sandbox projects. One notable regulatory sandbox project concluded in 2025 focused on data protection issues arising from the further processing of personal data for the purpose of training AI models. The project examined whether further processing of actual personal data and synthetically generated data for AI model training would be compatible with the purpose limitation principle under the GDPR.

IMY concluded that the training of AI models with personal data or with synthetically generated data cannot be considered to be for statistical purposes. IMY further assessed that neither the training of AI models with personal data nor with synthetically generated data can be considered further processing that is compatible with the original purposes. However, IMY considered that further processing could be permissible if additional safeguards in the form of opt-out solutions are provided when information is given to data subjects, and that the synthesisation of personal data for training AI models is a privacy-friendly way of reducing the risk of infringing privacy rights.

Another interesting sandbox concluded in 2025 concerned the “Sharing of customer data between banks to counter financial crime”. Through the regulatory sandbox, IMY collaborated with the four major Swedish banks – SEB, Nordea, Swedbank and Handelsbanken – to explore the legal possibility of flagging high-risk individuals in a shared system to prevent financial crimes. The project concluded that this type of information sharing constitutes processing of criminal data under Article 10 of the GDPR and that there is probably no legal basis for banks to carry out such processing. That is in part because IMY assessed that, in light of the Swedish banking secrecy provisions and the confidentiality provisions in the Money Laundering and Terrorist Financing (Prevention) Act (Lag (2017:630) om åtgärder mot penningtvätt och finansiering av terrorism) and the Payment Services Act (Lag (2010:751) om betaltjänster), it would be difficult for banks to base the intended sharing of personal data concerning legal violations on the legal basis of legitimate interest.

A noteworthy regulatory sandbox to monitor in 2026 is IMY’s regulatory sandbox project with a municipality to explore the safe and responsible use of AI in social services. The initiative focuses on testing AI tools for recording, transcribing, and summarising conversations. The objective is to reduce social workers’ administrative burden and free up more time for client contact.

Personal Data Relating to Criminal Convictions and Offences

Article 10 of the GDPR and its interpretation

Article 10 of the GDPR concerns the processing of personal data relating to criminal convictions and offences. In Sweden, the general rule is that only the public authorities can process personal data related to criminal convictions and offences. The legal bases for organisations, other than public authorities, to process personal data of this nature are limited to when permitted under the Swedish constitution, applicable law, or when necessary to establish legal claims or fulfil legal obligations. In addition, IMY has the authority to permit organisations to process personal data related to criminal offences.

According to IMY, Article 10 of the GDPR shall be interpreted to apply to information that discloses whether a person is or has been the subject of a police report, preliminary investigation, prosecution, or proceedings in criminal cases. This also includes acquittals in criminal cases, for example, if a person has been released from accusation and freed from obligation regarding the charges. IMY’s statement further clarifies that information indicating that a natural person has or may have been suspected of criminal activities can be considered to fall within the scope of Article 10 of the GDPR, regardless of whether legal proceedings have been initiated. This shall not be interpreted to include all information, as there is a certain threshold of specificity to be met.

Additionally, IMY clarifies that observations or passive events where the objective criteria for a crime may be met are normally not considered processing of personal data relating to criminal convictions and offences. Simply put, if a surveillance camera captures a robbery through passive recording of a certain area, this would generally not be considered data processing under Article 10 of the GDPR. On the other hand, if the sequence of events is extracted at a later stage for legal action, it will fall within the scope of Article 10 of the GDPR.

Checks against sanction lists

Another development concerns the legality of conducting checks against sanction lists. The processing of personal data concerning criminal convictions and offences was to some extent already permissible under the Swedish Money Laundering and Terrorist Financing (Prevention) Act to the extent necessary to assess and manage the risks associated with a customer relationship. However, there was no explicit legal basis for conducting checks against sanction lists.

Organisations within, for example, the financial, dual-use and military sectors frequently need to perform checks against various international sanction lists for compliance reasons, such as sanction lists from OFAC, OFSI and the EU. As a consequence, unless other applicable laws authorise checks against sanction lists, for example through EU regulations, businesses in Sweden have been required to seek specific permission from IMY to conduct checks against sanction lists, since sanction lists may contain information about criminal offences. This resulted in IMY receiving a large number of applications from entities within the financial sector seeking permission to process such personal data to comply with anti-money laundering and terrorism financing obligations, as well as from undertakings involved in the export of dual-use goods or military equipment seeking to adhere to international export restrictions.

IMY’s updated regulation and related guidelines aim to facilitate the processing of personal data relating to criminal convictions and offences by certain sectors. This will allow certain entities within the financial sector and military industry to process personal data relating to criminal convictions and offences when conducting checks (for example, checks of customers, suppliers and employees against sanction lists).

The Swedish entities affected by the new regulations are companies in the financial sector under the supervision of the SFSA, companies in the security and defence market under the supervision of the Swedish Inspectorate for Strategic Products (Inspektionen för strategiska produkter), and certain companies in the security and defence market under the supervision of the Swedish Radiation Safety Authority (Strålsäkerhetsmyndigheten).

GDPR and the constitutionally protected right to publish

For non-Swedish persons, it may come as a surprise how easily the personal data of most Swedish individuals can be found in online databases, including name, family, address, size of home, car details, company engagements, criminal records, etc. Under the Swedish Freedom of the Press Act (Tryckfrihetsförordningen (1949:105)) and the Swedish Fundamental Law on Freedom of Expression (Yttrandefrihetsgrundlagen (1991:1469)), holders of a certificate of no legal impediment to publication (ie, a publishing licence) have constitutional protection for their publication of personal data.

The compatibility of personal data publishing and the GDPR has been the subject of several governmental investigations and national public debate due to the widespread publication of personal data, including personal data relating to criminal convictions and offences. Previously, the general opinion was that IMY was prevented from investigating complaints from individuals against search services because of the protection under the Swedish Freedom of the Press Act and the Swedish Fundamental Law on Freedom of Expression.

However, in 2025, IMY reconsidered its legal position concerning the right of entities with voluntary publishing licences to publish personal data under the Swedish constitution in relation to the GDPR. IMY now considers itself authorised to supervise search services with a publishing licence following complaints from individuals under the GDPR. This reconsideration was prompted by developments in EU and Swedish case law that have strengthened the legal rights of individuals who file complaints and clarified that a balance must be struck in each individual case between data protection rights under the GDPR and the constitutional protections for freedom of expression.

Data relating to criminal convictions and offences may be relevant for background checks but is generally prohibited from being processed by companies unless expressly permitted by law or authorised by IMY. IMY publishes a list of entities granted such authorisation on its website. The Swedish government has appointed an inquiry, scheduled to report its findings on 11 March 2027 at the latest, to assess how background checks involving criminal records in the public and private sectors can be conducted to mitigate security risks while ensuring compliance with data protection regulations.

Following the aforementioned legal developments, IMY has initiated supervision of several companies that hold a publishing licence and provide online search services with sensitive personal information. It will be of interest to observe how this development unfolds during the coming year and the extent to which it may affect these companies’ operations and the availability of this category of data.

Gernandt & Danielsson

Hamngatan 2
Box 5747
SE-114 87
Stockholm
Sweden

+46 8 670 66 00

info@gda.se www.gda.se

Trends and Developments

Authors



Gernandt & Danielsson offers bespoke advice on data protection regulation, including considerations involving other areas of regulatory compliance, such as artificial intelligence and the financial regulatory landscape, in order to ensure a holistic approach. The firm acts for domestic and international clients on data protection issues, compliance work and data breaches. It is very strong on large transactional matters and the team provides transactional data protection advice, including data protection due diligence and audits.
