The General Data Protection Regulation (GDPR) serves as a cornerstone for data protection within the European Union, aiming to safeguard individuals’ personal data and privacy. In Sweden, the enforcement and supervision of GDPR are entrusted to the Swedish Authority for Privacy Protection, known as Integritetsskyddsmyndigheten (IMY) (1).
In this article, Lexing Sweden (Eris Law) explores how GDPR is regulated in Sweden, focusing on IMY’s responsibilities, recent enforcement actions, and the guidance it provides to ensure compliance.
IMY: Sweden’s Data Protection Authority
IMY operates as an independent public authority responsible for monitoring and enforcing compliance with GDPR and other data protection laws in Sweden. Its mandate includes overseeing that personal data is handled correctly and securely by organizations operating within the country. IMY also serves as the main point of contact for individuals wishing to lodge complaints regarding the mishandling of their personal data and provides guidance to organizations on data protection obligations. Additionally, IMY is tasked with overseeing the application of the Debt Recovery Act and the Credit Information Act in Sweden.
Enforcement Actions and Legal Developments
IMY has been proactive in enforcing GDPR compliance, with several notable cases highlighting its commitment to upholding data protection standards. For instance, in 2025, IMY imposed administrative fines on two Swedish pharmacies, Apoteket AB and Apohem AB, amounting to SEK 37 million and SEK 8 million respectively, for failing to implement appropriate technical and organizational measures when using Meta’s analytics tool, resulting in the inadvertent transfer of sensitive personal data (2).
In another case, the Discrimination Ombudsman (DO) was fined SEK 100,000 for insufficient security measures when collecting personal data through a web form. IMY also criticized H&M for making it unnecessarily difficult for individuals to opt out of marketing communications, thereby violating their rights under GDPR.
These enforcement actions underscore IMY’s role in holding organizations accountable for non-compliance and ensuring that personal data is handled responsibly.
Guidance and Resources Provided by IMY
Beyond enforcement, IMY provides extensive guidance to help organizations and individuals understand and comply with GDPR. In February 2025, IMY published guidance on data protection impact assessments (DPIAs), outlining a ten-step process to help organizations identify and mitigate risks associated with processing personal data, particularly for high-risk activities (3).
IMY has also emphasized the importance of conducting and documenting legitimate interest assessments when relying on this legal basis for data processing. In a recent decision, IMY found that a company had violated Article 6(1)(f) of the GDPR by processing personal data without meeting the necessary conditions to rely on legitimate interest, highlighting the need for a structured and documented assessment (4).
Furthermore, in April 2025, IMY issued formal warnings to several companies for using “dark patterns” in their cookie consent banners, such as making the “accept” option more prominent than “reject” or providing insufficient information about data processing purposes (5). These actions reflect IMY’s commitment to ensuring genuine consent and transparent data collection practices.
IMY’s Structure and Activities
IMY is headquartered in Stockholm and is organized into departments focusing on different sectors, including government, healthcare, education, business, and the judiciary. The authority regularly investigates data breaches and non-compliance issues, issuing decisions and fines as necessary. IMY also collaborates with other supervisory authorities within the EU through the European Data Protection Board (EDPB), participating in joint operations and sharing information to ensure consistent application of data protection laws across member states.
How IMY Processes Personal Data
As a data controller, IMY processes personal data in the course of its duties. Individuals have the right to contact IMY’s Data Protection Officer (DPO) to exercise their rights under GDPR, such as requesting access to their data or objecting to processing.
Conclusion
The regulation of GDPR in Sweden is characterized by IMY’s active role in enforcement, guidance, and education. Through timely legislative updates, decisive enforcement actions, and comprehensive resources, IMY ensures that personal data is handled responsibly and that individuals’ privacy rights are upheld. Organizations operating in Sweden must remain vigilant and proactive in their data protection practices to comply with GDPR and avoid potential sanctions.
(1) Swedish Authority for Privacy Protection (IMY) website, available at: https://www.imy.se/en/
(2) IMY fines Swedish pharmacies, available at: "Sanktionsavgifter mot Apoteket och Apohem för överföring av personuppgifter till Meta" (Administrative fines against Apoteket and Apohem for the transfer of personal data to Meta), IMY
(3) IMY's guidance on DPIAs, available at: https://www.imy.se/publikationer/vagledning-vid-konsekvensbedomning/
(4) IMY fines Bonnier News AB, available at: "IMY (Sweden) – DI-2019-11737", GDPRhub
(5) Dark patterns in cookie banners, available at: https://cookieinformation.com/resources/blog/blog-swedish-dpa-imy-dark-patterns-april-2025/
(6) Data Protection & Privacy 2025 – Sweden, available at: https://practiceguides.chambers.com/practice-guides/data-protection-privacy-2025/sweden/trends-and-developments