Many of us are free during the summer, but development in the field of law never ceases. GDPR Hero has put together three of the most important points about the Swedish Data Protection Authority's work and developments in the field of GDPR.

1. The Swedish Data Protection Authority (Datainspektionen) has continued with its audits. 

During this year, the Swedish Data Protection Authority has initiated multiple audits. An audit is initiated when a Data Protection Authority sends a written document to an operator who is covered by the GDPR. The public sector has been of special interest to the Swedish Data Protection Authority, which recently initiated audits of Region Uppsala and Umeå University. Region Uppsala has notified the Swedish Data Protection Authority of two personal data breaches. After the notification, the Swedish Data Protection Authority chose to initiate an audit of the breaches and of whether the region had the right to process the personal data the way it did. The Swedish Data Protection Authority has furthermore initiated an audit of how Umeå University processes special categories of personal data after complaints from the Swedish Police Authority.

However, it is not only the public sector but also the private sector that is of interest to the Swedish Data Protection Authority. The Swedish Data Protection Authority has initiated an audit with the purpose of checking how consent is used to obtain customers' personal data. Consent is one of six legal grounds for lawful processing of personal data. You can read more about the legal grounds in Swedish here. The purpose of the audit is not only to review the companies, but also to give guidance on how to use consent. Consent is a legal ground that is often misused, and reviewing consent is part of the Swedish Data Protection Authority's inspection plan for 2019/2020.

2. The first GDPR fine in Sweden has been rendered!

Many have asked us if and when fines will be rendered in Sweden. We can now let you know that the first fine has been rendered. The amount? 200 000 SEK (approximately 20 000 euro).

The Swedish Data Protection Authority, Datainspektionen, is the supervisory authority for personal data processing and is responsible for issuing GDPR fines. A fine is rendered when an operator that is obliged to apply the GDPR does not apply it correctly. The amount of the fine can vary depending on whether the operator is a public or private actor and how serious the violation is.

The Swedish Data Protection Authority has issued the first GDPR fine to a municipality for the incorrect processing of students' personal data. The school has processed biometric data, facial recognition, to keep track of students' attendance in classes. The school has used consent as its legal basis for the processing, but according to the Swedish Data Protection Authority, consent is not applicable in this situation because there is an imbalance between the students and the school. Read more about the legal basis consent in Swedish here.

A Data Protection Authority has more possibilities than fines. It can give warnings and limit the operator's possibility to process personal data. When choosing what type of sanction to apply, a Data Protection Authority has to consider the breach's nature, complexity and duration. In the case of camera surveillance of the students, special categories of personal data concerning children were being processed. The Swedish Data Protection Authority does not think this was a minor breach. A fine was therefore the relevant sanction.

The Swedish Data Protection Authority’s decision has been appealed by the municipality. We will have to wait and see what the end result will be.

3. The work with harmonization of GDPR fines in the EU countries – and Sweden is one of the chairmanship countries.

One of the purposes of the GDPR is to harmonize how personal data is processed within the EU and what consequences apply when the legal framework has been violated. A working party has been set up in the EU. The working party's purpose is to harmonize the GDPR fines. Equal cases should be treated equally within the EU. Sweden is one of the presidency countries within this working party. The other presidency countries are Great Britain and the Netherlands.

The guidelines are estimated to be finished next year. The operators that are obligated to follow the GDPR will have more insight into the amount of a possible fine for a certain violation of the legal framework.

Do you have any questions?

We hope that this blog article gave you some guidance! If you have any questions regarding the GDPR or GDPR Hero, you are welcome to contact us. Our phone number is 046 – 273 17 17 and our email is

If you want a free demonstration of GDPR Hero, click here. Don't forget – we offer GDPR Hero in English!


Josefin Karlström


The content presented in this blog contains general information and is not to be considered as legal advice.