• Insights

Sweden – The GDPR one year on

Written by
Elmzell Advokatbyrå, one of the leading labour and employment law practices in Sweden, guaranteeing comprehensive and high quality assistance for all of our clients.
This article provides details of data protection developments in Sweden since the entry into force of the GDPR in May 2018, including investigations and the publication of guidance by the data protection authority.    

The Swedish DPA has not yet imposed any fines. However, the DPA has provided information about ongoing investigations and the following are of interest:

  • Google’s access to the user location data by means of its so-called ‘Location History’ and ‘Web & App Activity’;
  • how Klarna, a company that offers transfer of payment services, uses customers’ personal data; and
  • a school using facial recognition to register attendance.


An incident has also been reported in the media regarding a service providing medical advice to individuals by phone, called 1177. According to media reports, a million calls were publicly available on a web server. The DPA is currently investigating the companies providing this service.

Sweden decided to implement a law that complements the GDPR from the same date as the GDPR came into force. Since the purpose of the law is to compliment GDPR, it is not comprehensive. There is no separate legislation regarding processing of employees’ personal data.

The Swedish DPA has just published an integrity report including frequently asked questions from citizens and organisations. Questions concerning the lawfulness of employers’ processing of personal data are frequently asked, according to the report. The DPA has also, in its enforcement scheme, stated that employers’ monitoring of employees is one of the tasks prioritised for 2019-2020.

Sofia Lysén
Associate - Sweden
Elmzell Advokatbyrå