GDPR Enforcement in Sweden

Trend: Have the national data protection authorities in Sweden focused on certain types of non-compliance. Do you see a focus on certain industries/sectors? If so, which ones?

The Swedish Authority for Privacy Protection (“Integritetsskyddsmyndigheten”, “IMY”) has declared in its plan for 2026 that it will prioritise the following three areas in its supervision and guidance work:

• The use of AI in the public sector – IMY will monitor how public-sector bodies use AI in order to support them in deploying the technology in a manner that respects privacy. As public bodies increasingly introduce AI, citizens often have no alternative but to interact with them, making it essential that these bodies work actively with data protection even in the context of AI. Where AI systems also process sensitive personal data, stringent privacy protection requirements apply;
• Data protection for children and young people – IMY will increase knowledge about how children and young people can protect their personal data, both among young people themselves and among adults who handle their data, such as guardians and schools. Children and young people are avid users of digital services and many use the internet, social media and apps daily without fully understanding the risks. Their personal data are considered particularly worthy of protection;
• Tools used in law enforcement from a data protection perspective – IMY will examine how the tools used in law enforcement relate to data protection rules. Law enforcement authorities need effective tools to prevent and solve crime, but some of these tools entail significant restrictions on individuals' right to privacy. In recent years, new tools have also emerged, such as covert coercive measures and collection of biometric data.

According to IMY’s annual report for 2025, most complaint-based supervisory cases are directed against private-sector companies, with a significant share also relating to individuals' use of camera surveillance (particularly complaints about neighbours' security cameras).

During 2025, IMY also opened self-initiated investigations against four operators of search services with a certificate of publication (utgivningsbevis) that publish personal data, following a high volume of complaints in that area. 
IMY additionally initiated supervisory investigations following two major personal data breaches in which large portions of the Swedish population had their data leaked and published by hostile actors.

In 2025, three enforcement decisions resulted in administrative fines: Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB (WÅAB) were each fined SEK 75,000 for collecting and storing data from employees' alcohol tests without a legal basis under the GDPR and Diskrimineringsombudsmannen (DO) was fined SEK 100,000 for failing to implement adequate security measures to protect personal data submitted via a web form.

The Swedish Post and Telecom Authority (Post- och telestyrelsen, PTS) is the supervisory authority for the use of cookies under the Swedish Act on Electronic Communications. PTS has historically not been particularly active in its cookie-related enforcement, but its overall supervisory posture has intensified. Its 2025 annual report shows extensive proceedings across areas such as electronic communications, cybersecurity and data governance, as well as planned supervisory actions concerning consent requirements under Chapter 9 of the Act. PTS has also imposed significant sanctions under the Swedish Protective Security Act (säkerhetsskyddslagen), applicable to anyone who carries out activities that are of significance to Sweden’s security. While cookie-specific enforcement remains limited, PTS's broader track record suggests an increasingly active approach that may extend to this area.

Overall, what was the most significant fine in Sweden to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

The most significant fine in Sweden to date was imposed by IMY on Spotify on 12 June 2023 for SEK 58 million (then approx. EUR 4.9 million) for its handling of data subjects’ rights to access their personal data. IMY found that Spotify did not clearly inform data subjects about how their personal data were used. As Spotify has users in many countries, the decision was taken in cooperation with other supervisory authorities in the EU. Spotify appealed the decision and the Administrative Court of Stockholm found that Spotify was in breach of the GDPR regarding information to the data subjects, however not to the extent that IMY found. The fine was therefore reduced to SEK 40 million (approx. EUR 3.7 million). IMY and Spotify have both appealed the decision to the Court of Appeal in Stockholm.

Prior to the Spotify decision described above, IMY imposed a fine of SEK 75 million (approx. EUR 7 million) on Google on 11 March 2020 for failing to adequately comply with its obligations regarding the right of data subjects to have search results removed from the results list. After an appeal against the fine, the Administrative Court of Stockholm announced that it had rejected Google’s appeal. However, the court reduced the fine to SEK 50 million (approx. EUR 5 million). The judgment has gained legal force.

On 30 August 2024, IMY imposed fines against two pharmacies (SEK 37 million (approx. EUR 3.2 million) and SEK 8 million (approx. EUR 740,000)) for failing to take appropriate technical and organisational measures to protect personal data in the context of using Meta Pixel on their website to improve their marketing practices on Facebook and Instagram. This caused sensitive data relating to customers, such as purchases of prescription-free drugs for specific health problems, self-tests, treatment of sexually transmitted diseases and sex toys, to be transferred to Meta. Information relating to prescriptions however was not transferred.

How is the data protection authority organised in Sweden? Budget, staff, assignment to a ministry?

IMY is the supervisory authority under the GDPR and the supplementary Swedish Data Protection Act among other legislation. IMY is also the supervisory authority for the processing of cookies, to the extent that the GDPR applies. IMY is part of the Ministry of Justice.

IMY is a “unanimous” authority with a transparency council that monitors the authority. IMY is led by a Director General. The Director General of IMY is appointed by the Swedish government.

The budget for IMY for 2026 is approximately SEK 250 million (approx. EUR 23 million). IMY has approximately 160 employees.
PTS is the supervisory authority under the Swedish Act on Electronic Communications among other legislation and oversees the use of cookies.

PTS is part of the Ministry of Finance and is led by a board appointed by the Swedish government. PTS also has a Director General which is appointed by the Swedish government.

The budget for PTS for 2026 is approximately SEK 318 million (approx. EUR 30 million). PTS has approximately 530 employees.

• There are two DPAs in Sweden. One (IMY) for compliance under the GDPR and one (PTS) for use of cookies under the Swedish Act on Electronic Communications.
• IMY is subordinate to the Ministry of Justice. The budget for IMY for 2026 is approximately SEK 250 million (approx. EUR 23 million). IMY has approximately 160 employees.
• PTS is subordinate to the Ministry of Finance. The budget for PTS for 2026 is approximately SEK 318 million (approx. EUR 30 million). PTS has approximately 530 employees.

How does a fine procedure work in Sweden? Can the authority impose fines itself? Procedural steps? Legal remedies?

• Supervision can be conducted through desk supervision and/or on-site supervision. The DPAs publish information about initiated proceedings on their websites.
• If PTS suspects that the target for the supervision regarding use of cookies under the Swedish Act on Electronic Communications is not in compliance with the rules, it will give the target for the supervision the opportunity to respond and to take actions.
• IMY has essentially the same competences as set out in the GDPR. A fine cannot be imposed on the target if the target has not had the opportunity to give their opinion within five years of the day on which the violation took place according to chapter 6 section 4 of the supplementary Swedish Data Protection Act. The target must be served any decision to impose a fine.
• Decisions on fines under the GDPR can be appealed to the competent administrative court.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

Fines under the GDPR will be paid to the Legal, Financial and Administrative Service Agency (Kammarkollegiet).

The Legal, Financial and Administrative Service Agency is a state authority within the Ministry of Finance with various tasks such as providing services within the state sector, primarily regarding finance, law, asset management, risk management and administration.

Is there an official calculation methodology for fines in Sweden?

There is no common, official calculation methodology to establish fines under the GDPR in Sweden.
However, we assume that IMY follows the Guidelines on the application and setting of administrative fines from Article 29 (wp253) and guidelines on the calculation of administrative fines under the GDPR from the EDPB (04/2022).

Can public authorities be fined in Sweden? If yes: Where does this money go?

Public authorities can be fined in Sweden when in breach of Articles 83 (4), 83 (5) and 83 (6) GDPR. The maximum fine that can be imposed is SEK 10 million (approx. EUR 925,000).

Such fines will be paid to the Legal, Financial and Administrative Service Agency.

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

IMY publishes decisions, including fines imposed, and other procedural steps in supervision matters.

IMY publishes a summary of the decision as news on its website and through its newsletter subscription service. The decision itself is also attached and can be found on their website. Hence, companies are often identifiable.

PTS also publishes decisions regarding cookie supervision under the Swedish Act on Electronic Communications on its website.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

Apart from publishing supervisory decisions, IMY also provides aggregated information on cases and the total amount of fines under the GDPR in its annual reports, which are available in Swedish on its website.

Further, PTS also provides some brief information regarding its supervisory work under the Swedish Act on Electronic Communications in its annual report.

• In 2020, IMY initiated 47 supervisory matters. 
• In 2020, IMY closed 47 supervisory matters. IMY imposed fines in 15 of the closed supervisory matters. 
• In 2020, the total amount of fines imposed by IMY was approximately SEK 150,000,000 (approx. EUR 15,000,000).
   
• In 2021, IMY initiated 104 supervisory matters.
• In 2021, IMY closed 37 supervisory matters. IMY imposed fines in eight of the closed supervisory matters.
• In 2021, the total amount of fines imposed by IMY was SEK 32,500,000 (approx. EUR 3,250,000).
   
• In 2022, IMY initiated 121 supervisory matters.
• In 2022, IMY closed 106 supervisory matters. IMY imposed fines in five of the closed supervisory matters.
• In 2022, the total amount of fines imposed by IMY was SEK 9,720,000 (approx. EUR 972,000).
   
• In 2023, IMY initiated 210 supervisory matters. 39 of the initiated supervisory matters were cross-border matters.
• In 2023, IMY closed 173 supervisory matters. IMY imposed fines in eleven of the closed supervisory matters.
• In 2023, the total amount of fines imposed by IMY was SEK 120,400,000 (approx. EUR 12,040,000).
   
• In 2024, IMY initiated 421 supervisory matters. 54 of the initiated supervisory matters were cross-border matters.
• In 2024, IMY closed 326 supervisory matters. IMY imposed fines in six of the closed supervisory matters.
• In 2024, the total amount of fines imposed by IMY was SEK 60.6 million (approx. EUR 6,060,000).
   
• In 2025, IMY initiated 329 supervisory matters. 91 of the initiated supervisory matters were cross-border matters.
• In 2025, IMY closed 496 supervisory matters. IMY imposed fines in three of the closed supervisory matters.
• In 2025, the total amount of fines imposed by IMY was SEK 250,000 (approx. EUR 25,000)

Does Sweden have model declaratory proceedings/class actions in data protection law?

The Swedish Act on Representatives’ Actions for the Protection of The Collective Interests of Consumers from 2023 entitles approved entities to bring injunction claims and claims for compensation against data controllers.

In addition, the Swedish Group Proceedings Act from 2002 entitles individuals, organisations and authorities with similar claims to assert claims on behalf of the members without power of attorney and without members/the group participating.

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

To date, fines under the GDPR by IMY have been more relevant than court proceedings concerning claims for damages or injunctions. In 2025, IMY issued three administrative fines: Stockholm’s public transport operators Storstockholms Lokaltrafik (SL) and Waxholms Ångfartygs AB (WÅAB) were each fined SEK 75,000 for collecting and storing alcohol test data from employees without a legal basis and the Equality Ombudsman (Diskrimineringsombudsmannen (DO)) was fined SEK 100,000 for failing to implement adequate security measures to protect personal data submitted via a web form.

The amount of GDPR-based civil claims lodged by individuals remains low and only a few have been heard by higher instances. However, there is a growing tension between the constitutional protection in the Swedish Freedom of the Press Act/the Swedish Fundamental Law on Freedom of Expression and the data protection of individuals under the GDPR. During 2025, IMY opened self-initiated investigations against four operators of search services with certificates of publication (utgivningsbevis) that publish personal data, following a high volume of complaints in this area.

In February 2025, the Swedish Supreme Court found in two judgments that the GDPR may have an impact on whether personal data in criminal judgments can be protected by confidentiality, even if the constitutional protection applies (case numbers Ä 3457-24 and Ä 3169-24). Further, a local court has requested a preliminary ruling from the CJEU on this matter (C-199/24). No new Supreme Court judgments on GDPR matters have been issued since February 2025.