Skip to content

Fines and warnings

What fines can be imposed for contravening the General Data Protection Regulation?

Swedish Authority for Privacy Protection can decide that a company that contravenes the General Data Protection Regulation must pay an administrative fine. The fine can at most amount to 20 million EUR or four per cent of the company's global annual turnover depending on which amount is the higher. In the case of somewhat lesser infringements the maximum fine is 10 million EUR or 2 per cent of the company's global annual turnover. It will probably not be common for Swedish Authority for Privacy Protection to impose maximum fines.

How high the fine is depends both on which provision the infringement concerns and on the circumstances in the individual case. Swedish Authority for Privacy Protection will among other things look at how serious the infringement is, how much harm has been caused, if sensitive personal data is involved, and if the infringement is intentional. Swedish Authority for Privacy Protection must ensure that any fine is effective, proportional and deterrent. For this reason, the company's size, for example, can also be of importance.

In Sweden, authorities must also be able to be fined. For less serious infringements the fine is to amount to a maximum of 5 million SEK and for serious infringements a maximum of 10 million SEK.

Swedish Authority for Privacy Protection can also issue warnings if a planned instance of personal data processing will likely contravene the Regulation's provisions. The authority can issue reprimands if an ongoing instance of personal data processing contravenes the provisions and can also order a company or other organisation to for example cease a certain instance of processing.

Swedish Authority for Privacy Protection's decision can be appealed.

About the information on this page

If the information in English is different from the Swedish version of this page, the Swedish version applies.

Latest update: 6 May 2021
Page labels Tillsyn, Om IMY