GDPR Enforcement in Sweden
Deep dive into relevant data protection enforcement cases and insights from Sweden

Fining practice
Trend: Have the national data protection authorities in Sweden focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
The Swedish Authority for Privacy Protection (“Integritetsskyddsmyndigheten”, “IMY”) has declared in its plan for 2025 that it will prioritise the following matters in its supervision and guidance [1]:
- How employers process employees' personal data;
- AI and the GDPR;
- How digital tools are used in healthcare and social care, so that digitalisation occurs without risks to patients' personal data;
- How actors who conduct camera surveillance, and who previously had to apply for permission but no longer have to, themselves carry out a documented balancing of interests and have a list of surveillance cameras;
- How children and young people can protect their personal data.
According to IMY’s annual report for 2024 [2], most complaints to the data protection supervisor are directed against the private sector, with a significant number of complaints coming from neighbours regarding camera surveillance.
Further, IMY concluded in a legal opinion from May 2024 that it has the authority to initiate supervision in response to complaints against search services with a certificate of publication, thus establishing a constitutional protection and triggering a large number of complaints to the data protection supervisor.
In February 2025, the Swedish Supreme Court also found in two judgments that the GDPR may have an impact on whether personal data in criminal judgments can be protected by confidentiality, even if the constitutional protection applies (case numbers Ä 3457-24 and Ä 3169-24).
The Swedish Post and Telecom Authority (“Post- och telestyrelsen”, “PTS”) is the supervisory authority for the use of cookies under the Swedish Act on Electronic Communications. PTS has not been very active in its supervisory activities.
So far, PTS has only initiated four supervisory proceedings against two companies and two authorities regarding the rules on cookies as of the end of 2022. After PTS notified them of suspected violations, the companies and authorities remedied the violations and PTS closed the matters in late 2023 without taking any further action.
Overall, what was the most significant fine in Sweden to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
The most significant fine in Sweden to date was imposed by IMY on Spotify on 12 June 2023 for SEK 58 million (then approx. EUR 4.9 million) for its handling of data subjects’ rights to access their personal data. IMY found that Spotify did not clearly inform data subjects about how their personal data were used. As Spotify has users in many countries, the decision was taken in cooperation with other supervisory authorities in the EU. Spotify appealed the decision and the Administrative Court of Stockholm found that Spotify was in breach of the GDPR regarding information to the data subjects, however not to the extent that IMY found. The fine was therefore reduced to SEK 40 million (approx. EUR 3.7 million). IMY and Spotify have both appealed the decision to the Court of Appeal in Stockholm.
Prior to the Spotify decision described above, IMY imposed a fine of SEK 75 million (approx. EUR 7 million) on Google on 11 March 2020 for failing to adequately comply with its obligations regarding the right of data subjects to have search results removed from the results list. After an appeal against the fine, the Administrative Court of Stockholm announced that it had rejected Google’s appeal. However, the court reduced the fine to SEK 50 million (approx. EUR 5 million). The judgment has gained legal force.
On 30 August 2024, IMY imposed fines against two pharmacies (SEK 37 million (approx. EUR 3.2 million) and SEK 8 million (approx. EUR 740,000)) for failing to take appropriate technical and organisational measures to protect personal data in the context of using a Meta-pixel on their website to improve their marketing practices on Facebook and Instagram. This caused sensitive data relating to customers, such as purchases of prescription-free drugs for specific health problems, self-tests, treatment of sexually transmitted diseases and sex toys, to be transferred to Meta. Information relating to prescriptions was, however, not transferred.
Organisation of authorities and course of fine proceedings in Sweden
How is the data protection authority organised in Sweden? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
IMY is the supervisory authority under the GDPR and the supplementary Swedish Data Protection Act among other legislation. IMY is also the supervisory authority for the processing of cookies, to the extent that the GDPR applies. IMY is part of the Ministry of Justice.
IMY is a “unanimous” authority with a transparency council that monitors the authority. IMY is led by a Director General. The Director General of IMY is appointed by the Swedish government.
The budget for IMY for 2025 is approximately SEK 220 million (approx. EUR 20 million). IMY has approximately 150 employees.
PTS is the supervisory authority under the Swedish Act on Electronic Communications among other legislation and oversees the use of cookies.
PTS is part of the Ministry of Finance and is led by a board appointed by the Swedish government. PTS also has a Director General who is appointed by the Swedish government.
The budget for PTS for 2025 is approximately SEK 250 million (approx. EUR 23 million). PTS has approximately 470 employees.
- There are two DPAs in Sweden. One (IMY) for compliance under the GDPR and one (PTS) for use of cookies under the Swedish Act on Electronic Communications.
- IMY is placed under the Ministry of Justice. The budget for IMY for 2025 is approximately SEK 220 million (approx. EUR 20 million). IMY has approximately 150 employees.
- PTS is placed under the Ministry of Finance. The budget for PTS for 2025 is approximately SEK 250 million (approx. EUR 23 million). PTS has approximately 470 employees.
How does a fine procedure work in Sweden? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
- Supervision can be conducted through desk supervision and/or on-site supervision. The DPAs publish information about initiated proceedings on their websites.
- If PTS suspects that the target for the supervision regarding use of cookies under the Swedish Act on Electronic Communications is not in compliance with the rules, it will give the target for the supervision the opportunity to respond and to take actions.
- IMY has essentially the same competences as set out in the GDPR. A fine cannot be imposed on the target if the target has not had the opportunity to give their opinion within five years of the day on which the violation took place according to chapter 6 section 4 of the supplementary Swedish Data Protection Act. The target must be served any decision to impose a fine.
- Decisions on fines under the GDPR can be appealed to the competent administrative court.
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
Fines under the GDPR will be paid to the Legal, Financial and Administrative Service Agency (Swe: Kammarkollegiet).
The Legal, Financial and Administrative Service Agency is a state authority within the Ministry of Finance with various tasks such as providing services within the state sector, primarily regarding finance, law, asset management, risk management and administration.
Is there a common, official calculation methodology for fines in Sweden (such as the fining models in the Netherlands or Germany)?
There is no common, official calculation methodology to establish fines under the GDPR in Sweden.
However, we assume that IMY follows the Guidelines on the application and setting of administrative fines from the Article 29 Working Party (wp253) and the guidelines on the calculation of administrative fines under the GDPR from the EDPB (04/2022).
Can public authorities be fined in Sweden? If they can: Where does this money go?
Public authorities can be fined in Sweden when in breach of Articles 83 (4), 83 (5) and 83 (6) of the GDPR. The maximum fine that can be imposed is SEK 10 million (approx. EUR 925,000).
Such fines will be paid to the Legal, Financial and Administrative Service Agency.
In Sweden, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
IMY publishes decisions, including fines imposed, and other procedural steps in supervision matters.
IMY publishes a summary of the decision as news on its website and through its newsletter subscription service. The decision itself is also attached and can be found on its website.
PTS also publishes decisions regarding cookie supervision under the Swedish Act on Electronic Communications on its website.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2023?
Apart from publishing supervisory decisions, IMY also provides aggregated information on cases and the total amount of fines under the GDPR in its annual reports, which are available in Swedish on its website.
Further, PTS also provides some brief information regarding its supervisions under the Swedish Act on Electronic Communications in its annual report.
- In 2024, IMY initiated 421 supervisory matters. 54 of the initiated supervisory matters were cross-border matters.
- In 2024, IMY closed 326 supervisory matters. IMY imposed fines in six of the closed supervisory matters.
- In 2024, the total amount of fines imposed by IMY was SEK 60.6 million (approx. EUR 5.5 million).
Other legal consequences of non-compliance in Sweden
Does Sweden have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
- The Swedish Act on Representatives’ Actions for the Protection of The Collective Interests of Consumers from 2023 entitles approved entities to bring injunction claims and claims for compensation against data controllers.
In addition, the Swedish Group Proceedings Act from 2002 entitles individuals, organisations and authorities with similar claims to assert claims on behalf of the members without power of attorney and without members/the group participating.
What is more relevant in Sweden: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
To date, fines under the GDPR by IMY have been more relevant than court proceedings concerning claims for damages or injunctions.
The number of GDPR-based civil claims lodged by individuals is not high and only a few have been heard by higher instances. However, there is a trend regarding the tension between the constitutional protection in the Swedish Freedom of the Press Act/the Swedish Fundamental Law on Freedom of Expression to request, publish and/or use publicly available personal data and the data protection of such individuals under the GDPR.
In February 2025, the Swedish Supreme Court also found in two judgments that the GDPR may have an impact on whether personal data in criminal judgments can be protected by confidentiality, even if the constitutional protection applies (case numbers Ä 3457-24 and Ä 3169-24). Further, a local court has requested a preliminary ruling from the CJEU on this matter (C-199/24).