GUIDE

GDPR Compliance Checklist for Swedish Websites

Mar 5, 2026 · 6 min read
By Vakteye Team

Most Swedish websites have at least three GDPR violations. The most common: tracking cookies before consent, outdated privacy policies, and missing data processor agreements.

— Vakteye scanning data, Q1 2026

IMY is not waiting for complaints anymore. They scan websites proactively, issue fines in the millions, and publish every decision. If your website handles personal data (and it does), this GDPR checklist for Sweden is where you start.

The 10-point GDPR checklist

Each item below maps to a specific GDPR article. Skip one, and you have a gap a regulator can walk through.

  1. Legal basis documented: every processing activity needs a lawful basis under Article 6. Consent, legitimate interest, contractual necessity. Pick one and document it. "We've always done it this way" is not a legal basis.
  2. Privacy policy current: Article 13 requires specific information: who you are, what you collect, why, how long you keep it, and who you share it with. If your policy still mentions Privacy Shield, it's outdated.
  3. Cookie consent implemented: the ePrivacy Directive (transposed into Swedish LEK) requires consent before non-essential cookies. That means no analytics, no marketing pixels, no fingerprinting scripts until the user clicks accept.
  4. Data processor agreements in place: Article 28 requires written agreements with every processor: your hosting provider, email service, analytics platform, CRM. No agreement means no lawful processing.
  5. DPIA conducted where required: Article 35 requires a Data Protection Impact Assessment for high-risk processing. If profiling, large-scale monitoring, or sensitive data apply, you need a DPIA on file.
  6. DPO appointed (if required): public authorities and organizations doing large-scale systematic monitoring must appoint a Data Protection Officer under Article 37. Even if not required, having a privacy contact person is good practice.
  7. Breach notification plan ready: Article 33 gives you 72 hours to notify IMY after discovering a breach. Without a plan, you will miss that deadline. Document who decides, who reports, and how you assess risk.
  8. Cross-border transfer assessment done: if you use US-based services (Google Analytics, Mailchimp, HubSpot), you are transferring data outside the EU. Articles 44-49 require a legal transfer mechanism. Check whether each provider is covered by the EU-US Data Privacy Framework.
  9. Data subject rights process exists: Articles 15-22 give individuals the right to access, correct, delete, and port their data. You need a process to handle these requests within one month (Article 12(3)).
  10. Regular compliance audits scheduled: GDPR is not a one-time project. Article 5(2) requires ongoing accountability. Scan your website quarterly, review your policies annually, and document everything.

How to use this checklist

Print it. Walk through each item with your team. Mark what you have, what you're missing, and what needs updating. Be honest. Regulators will be.

The items are ordered by priority. Legal basis and privacy policy come first because everything else depends on them. Cookie consent is third because it's the most visible violation and the one IMY catches fastest with automated scans.

What happens if you don't comply

GDPR fines are not theoretical in Sweden. IMY has been active.

IMY fined Klarna SEK 7.5 million (DI-2019-4062) for inadequate privacy information. Spotify received a SEK 58 million fine (DI-2019-6696) for insufficient transparency in data subject access request responses. Apoteket was fined SEK 37 million for unauthorized data transfers to Meta. These are real penalties for real violations, many of which start with items on this checklist.

Fines under Article 83 GDPR can reach 4% of global annual turnover or EUR 20 million, whichever is higher. But the fine is often the smallest cost. Reputational damage, lost contracts, and the operational burden of a formal investigation hit harder.

The most common failures we see

After scanning hundreds of Swedish websites, patterns emerge. Three items on this GDPR checklist fail more than any others.

  • Cookie consent: In our scanning sample, a majority of sites deploy tracking before consent. Many have a banner, but the reject button does not actually stop cookies.
  • Data processor agreements: small businesses often have no idea they need written agreements with SaaS providers. Using Mailchimp without a DPA is a violation.
  • Privacy policy: policies copied from templates in 2018 that still reference Privacy Shield, list the wrong legal basis, or fail to mention third-party data sharing.
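The cookie consent item above and the first failure in this list describe the same control from two sides: non-essential tags must not run until the visitor accepts, and a reject click must actually keep cookies off the page. The following is an added example illustrating that control; it is not Vakteye's code. It assumes three consent categories ("necessary", "analytics", "marketing"), a first-party cookie named `site_consent` holding the decision, a small list of cookies treated as strictly necessary, and placeholder tag URLs constructed for the example rather than real vendors.

```javascript
// Added example (not Vakteye's code): a consent gate that keeps non-essential tags and
// cookies off the page until the visitor decides, and makes "reject" actually effective.
// Assumptions: three consent categories, a first-party cookie "site_consent" holding the
// decision, and placeholder tag URLs constructed for this example.

const CATEGORIES = ["necessary", "analytics", "marketing"];
const CONSENT_COOKIE = "site_consent";                               // assumed name
const ESSENTIAL_COOKIES = new Set([CONSENT_COOKIE, "session_id"]);   // assumed strictly necessary

// Deferred third-party tags. None of these run until consent covers its category.
// The URLs are placeholders, not real vendors.
const DEFERRED_TAGS = [
  { id: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "marketing-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Browser hooks. The manager takes these as a parameter so the same logic can be
// exercised in Node with fakes; nothing here touches the DOM until it is called.
const browserHooks = {
  loadScript(tag) {
    const s = document.createElement("script");
    s.src = tag.src;
    s.async = true;
    s.dataset.consentCategory = tag.category;
    document.head.appendChild(s);
  },
  listCookies: () => document.cookie.split("; ").filter(Boolean).map((c) => c.split("=")[0]),
  writeCookie(name, value) {
    document.cookie = `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
  },
  deleteCookie(name) {
    // Expire on the current host and on the parent domain (two-label approximation);
    // vendor cookies are frequently set on the latter, so expiring only the host misses them.
    const parent = location.hostname.split(".").slice(-2).join(".");
    for (const domain of ["", `; Domain=.${parent}`]) {
      document.cookie = `${name}=; Path=/; Max-Age=0${domain}`;
    }
  },
};

function createConsentManager(hooks) {
  const state = { decided: false, granted: new Set(["necessary"]), loaded: [] };

  const isAllowed = (category) => category === "necessary" || state.granted.has(category);

  // Load every deferred tag whose category is granted, exactly once.
  function loadAllowed() {
    for (const tag of DEFERRED_TAGS) {
      if (isAllowed(tag.category) && !state.loaded.includes(tag.id)) {
        hooks.loadScript(tag);
        state.loaded.push(tag.id);
      }
    }
    return [...state.loaded];
  }

  function persist() {
    hooks.writeCookie(CONSENT_COOKIE, JSON.stringify({ granted: [...state.granted], ts: Date.now() }));
  }

  // Accept a subset of categories. Unknown category names are ignored rather than trusted.
  function accept(categories) {
    for (const c of categories) if (CATEGORIES.includes(c)) state.granted.add(c);
    state.decided = true;
    persist();
    return loadAllowed();
  }

  // Reject: grant nothing beyond "necessary", persist the decision so the banner does not
  // re-ask on every page, load no tags, and purge non-essential cookies that may already
  // exist from an earlier visit (the "reject button that does not stop cookies" failure).
  function reject() {
    state.granted = new Set(["necessary"]);
    state.decided = true;
    persist();
    const purged = [];
    for (const name of hooks.listCookies()) {
      if (!ESSENTIAL_COOKIES.has(name)) {
        hooks.deleteCookie(name);
        purged.push(name);
      }
    }
    return purged;
  }

  return { accept, reject, isAllowed, loaded: () => [...state.loaded], decided: () => state.decided };
}

// In the browser: const consent = createConsentManager(browserHooks); then wire
// consent.accept([...]) and consent.reject() to the banner buttons. Nothing listed in
// DEFERRED_TAGS is added to the page before one of those runs.
```

The design point is that the tags are never in the HTML at all; they exist only as data until a decision is recorded, so there is nothing for a scanner to observe before consent. The reject path is the part most banners get wrong: it must persist the refusal, load nothing, and remove cookies that a previous visit or a mis-configured tag left behind, otherwise the banner is cosmetic.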

GDPR compliance is not optional

Swedish law does not have a grace period. There is no "small business exemption." If you process personal data (collecting emails, setting cookies, logging IP addresses), GDPR applies to you.

Most violations we find are fixable in days, not months. The hard part is knowing where the problems are.

Start with a scan

This GDPR checklist for Sweden covers the fundamentals. But checklists only work if you act on them. An automated scan finds what manual reviews miss: hidden trackers, cookie respawn after rejection, outdated consent implementations.
