GDPR compliance scanning for Swedish websites
A privacy policy is a promise. Vakteye tests whether your website keeps it. For Swedish organizations, that means running the actual consent flow, watching what trackers fire before and after a visitor rejects cookies, and mapping every behavioral gap to the specific GDPR article and Dataskyddslagen (2018:218) provision it implicates — with evidence, not a checklist.
Who it's for
- Swedish companies preparing for an IMY inquiry or a customer's vendor-security questionnaire
- DPOs and legal teams who need evidence a policy was tested, not just written
- Marketing and growth teams shipping new tracking pixels or consent-mode changes who want a pre-launch check
What Vakteye tests
- Whether the cookie banner's reject option actually blocks non-essential cookies and trackers
- Whether trackers fire again after a visitor withdraws consent (the "zombie cookie" pattern)
- Whether the privacy notice's stated purposes match what the site's forms and scripts actually collect
- Whether security basics regulators expect under GDPR Article 32 are in place (headers, transport security, exposed secrets)
Legal basis
GDPR Article 5
Personal data must be processed lawfully, fairly, and transparently — the baseline every other test in this scan traces back to.
GDPR Article 6(1)(a)
Processing based on consent requires that consent to be freely given, specific, and actually honored once withdrawn.
GDPR Article 13
Visitors must be told, in practice and not just in a policy document, what data is collected and why.
Example finding
Tracker fires after consent is rejected
What we observed
A visitor loads the page, sees the cookie banner, and clicks "reject." A behavioral scan then observes a network request to a known analytics or advertising tracker firing anyway, seconds after rejection.
Why it matters
This is the category of behaviour EU data protection authorities have scrutinised cookie banners over — including Swedish IMY reprimands where a reject flow was harder than accept, and CJEU rulings (Planet49) on active consent. A policy document cannot catch this; only running the actual flow can.
FAQ
Related reading
Ready to see what your website actually does?
Book a full behavioral audit — the same methodology described above, run against your entire site with a complete evidence package.
Book a full audit