On 20 February 2026, the Swedish Authority for Privacy Protection (IMY) published its Annual Report 2025, outlining a year marked by a sharp increase in complaints and data breach notifications, and a proposal to review the GDPR.
Complaints, supervision and sanctions
IMY received 7,434 complaints in 2025, a 102% increase compared to 2024. In parallel, the authority registered 12,276 personal data breach notifications, up 89% year-on-year. Two large-scale incidents affected more than 1.5 million individuals.
In supervisory terms, IMY initiated 329 investigations and concluded 496 cases. The average duration of supervisory proceedings remained high at 396 days. Nearly one quarter of cases were cross-border, requiring cooperation under the GDPR one-stop-shop mechanism and resulting in longer timelines.
Although IMY adopted 168 corrective measures under the GDPR in 2025, only three administrative fines were imposed. The majority of corrective measures consisted of reprimands and orders rather than administrative fines.
Generative AI and regulatory guidance
AI and generative AI were priority areas for IMY in 2025. The authority issued guidance on GDPR compliance when using generative AI in public administration, published updated guidance on data protection impact assessments (DPIAs), and expanded its regulatory sandbox to include projects involving AI in social services, inter-organisational data sharing and synthetic data generation.
IMY also formally proposed a review of the GDPR in January 2025, advocating a strengthened risk-based approach to better accommodate technological development and innovation.
The report documents increased case volumes, longer timelines in cross-border cases and limited use of administrative fines relative to overall case volumes. It also signals Sweden’s active engagement in discussions on possible GDPR reform.
The full report is available here.
