The Swedish Data Protection Authority’s Annual Review – increased willingness to process


The Swedish Data Protection Authority (the Swedish DPA) announces that it will use its enforcement capabilities to greater extent.

In its latest annual review, the Swedish DPA announced that is has changed its management of data protection related complaints due to an EU-wide harmonisation effort. Going forward, all complaints submitted to the Swedish DPA (and other DPAs across the EU) will therefore be managed in accordance with the new joint interpretation of the complaints mechanism.

As a main rule, the Swedish DPA has previously not initiated enforcement efforts based on single complaints. Instead, the Swedish DPA has used aggregated complaints for strategic considerations to identify areas and industries where there might exist particular risks for data subjects. The aforementioned EU-wide harmonisation effort means that the Swedish DPA will aim to investigate and enforce complaints from individuals based on even a single lodged complaint.

This means that a greater number of personal data processes will be targeted by the Swedish DPA for enforcement efforts, and that supervision and enforcement will likely move from consisting of a few, prioritised and complex matters, to a large and diverse body of supervision and enforcement efforts. With approximately 70 % of current complaints aimed at private entities this will likely mean that more companies and smaller companies may be the subject of such enforcement efforts.

The Swedish DPA also states that it has decided to use its supervisory authority more offensively in relation to legal proceedings. This is deemed necessary in order to facilitate and contribute to the creation of relevant case law in the field of data protection.


The above information published by Norelid Advokatbyrå and/or its employees is only to be considered general information and does not constitute, nor should it be used as, professional legal advice. There is a risk that the information is not complete or not entirely updated. Any use of the information is at the risk of the user.