The Swedish Data Protection Authority (Datainspektionen)

The EU GDPR (General Data Protection Regulation) superseded all EU member states’ data protection laws based on the 1995 Data Protection Directive (DPD) on 25 May 2018.

The Swedish government has designated the Swedish Data Protection Authority to be the supervisory authority under the GDPR. The Swedish Data Protection Authority is also the supervisory authority under the Swedish law that supplements the GDPR, the Data Protection Act (2018:218).

Non-compliant organisations face considerably greater penalties under the Regulation than under previous data protection laws – up to 4% of annual global turnover or €20 million, whichever is greater. In addition, data subjects have the right to seek judicial remedies against data controllers and processors, as well as the right to obtain compensation for damages occurring as a result of GDPR breaches.


How IT Governance can help

Find out more about the GDPR on our dedicated information pages below. You can also contact our team of experts to find out more about how we can support your organisation.


Scope of the Swedish Data Protection Authority’s work

The Swedish Data Protection Authority checks compliance with data protection laws and regulations. The checks that it makes primarily concern the GDPR, the Camera Surveillance Act, the Credit Information Act, the Patient Data Act and the Debt Recovery Act, but it is also the supervisory authority for a large number of other statutes.

Giving advice and disseminating knowledge is also an important part of the Swedish Data Protection Authority’s work. It does this both for those who process personal data in society (the data controllers) and for those whose data is processed (the data subjects). It explains how to comply with the law and what rights the individual has, through:

  • Information on its website;
  • Press releases;
  • Courses and talks; and
  • Answering questions from the general public via its information service.

Compliance is checked mainly by means of inspection, carried out either through visits or by letter, phone or email. Inspections are planned in most cases, but the Swedish Data Protection Authority can also make an inspection following complaints or tip-offs from individuals or reports in the media.

Legislative work

The Swedish Data Protection Authority draws up its own statutes with general regulations and publishes general guidelines with recommendations on various issues. When new laws and regulations are drafted, it checks that personal privacy is protected effectively; every year it submits its opinion in a large number of consultative statements. It also reviews drafts of statutes, requests for comment from the council on legislation and government bills, and sits on expert commissions and committees.


A complaint can be lodged with the Swedish Data Protection Authority by filling in a PDF form and emailing it or sending it by post to:

Box 8114
104 20

The Swedish Data Protection Authority takes the following into account to decide whether or not to make an inspection:

  • If it is a recurrent and systematic breach of regulations.
  • If there are serious shortcomings.
  • If it is a single case or a general breach of regulations.
  • If it is something that the Swedish Data Protection Authority has already investigated.

The ePrivacy Directive and Regulation

The EU’s 2002 ePrivacy Directive, also referred to as the ‘cookies law’, sets out rules on electronic communications, including:

  • Marketing emails;
  • Faxes;
  • Texts;
  • Phone calls;
  • The use of cookies that track website visitors’ information;
  • The security of public electronic communications services; and
  • The privacy of end users.

What is the ePR?

In January 2017, the European Commission proposed a new ePR (Regulation on Privacy and Electronic Communications) as part of its digital single market strategy.

The ePR, or ePrivacy Regulation, is set to supersede the 2002 ePrivacy Directive and all member state laws that enforce it, including Sweden’s Lag (2003:389) om elektronisk kommunikation (Act on Electronic Communication). It was originally intended to come into effect alongside the GDPR on 25 May 2018 but is now tentatively scheduled to apply from 2019.

The ePR is broader in scope than the ePrivacy Directive and aims to ensure stronger privacy in all electronic communications – including OTT (over-the-top) service providers such as instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and machine-to-machine communications such as the IoT (Internet of Things).


The difference between EU regulations and directives

The EU has two types of legal instruments that are used to regulate business: directives and regulations.

  • Directives set minimum standards and parameters for the EU but leave the actual implementation down to the states themselves. The Data Protection Directive and ePrivacy Directive fall into this category. When a directive is passed, the EU sets a deadline by which every member state must have put it into force, whether by law, regulation or other initiative.
  • Regulations, on the other hand, apply across the EU with the same authority as if they were local laws. The ePR and the GDPR fall into this category. Member states may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.

Speak to an expert

Please contact our GDPR team for advice and guidance on our products and services.