Last review date: 27 December 2024

Updates to this chapter for the 2025 edition of the Global Data Privacy and Security Handbook primarily consists of the Swedish regulators' enforcement during 2024 and future supervision for 2025, and additional information on processing of personal data in the employment context, relating to use of AI tools, profiling and automated decision-making, and within the transactional context. Furthermore, the Swedish Authority for Privacy Protection has issued Regulation IMYFS 2024:1 enabling processing of personal data relating to criminal offences and convictions for the purposes of conducting screening against third country sanctions lists. There are also minor changes to sections on certain provisions and applicability.

The implementation of the NIS 2 directive has been postponed in Sweden and will most likely not be entered into force until the summer of 2025. The Swedish DPA issued three administrative fines in 2024. Further, the Swedish DPA issued a number of decisions that did not result in any administrative fines, but where the controller was left with, e.g., a reprimand or ban on the non-compliant processing activity.