Law: The primary pieces of legislation are the Act with Supplementary Provisions to the GDPR (SFS 2018:218) (only available in Swedish here) (an unofficial English version of the Act is available here) (the Act), Ordinance with Supplementary Provisions to the GDPR (SFS 2018:219) (only available in Swedish here) (an unofficial English version of the Ordinance is available here) (the Ordinance) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: The Swedish Authority for Privacy Protection (IMY)

Summary: The GDPR was implemented through a variety of pieces of legislation including the Act with supplementary provisions to the GDPR (SFS 2018:218) (only available in Swedish here) (an unofficial English version of the Act is available here) (the Act) and the Ordinance with Supplementary Provisions to the GDPR (SFS 2018:219) (only available in Swedish here) (an unofficial English version of the Ordinance is available here) (the Ordinance).

However, although the Act and the Ordinance supplement the GDPR, they are subsidiary to other laws. This means that provisions in special laws which deviate from what is stated in the Act or the Ordinance will prevail, provided, of course, that the special law complies with the GDPR and concerns a matter which the GDPR allows to be separately regulated or specified in national law.

The Swedish Authority for Privacy Protection (IMY) is the relevant supervisory authority under, for example, the Swedish Criminal Data Act (SFS 2018:1177) (only available in Swedish here) (the Criminal Data Act), the Camera Surveillance Act 2018:1200 (only available in Swedish here) (the Camera Surveillance Act), the Swedish Patient Data Act (SFS 2008:355) (only available in Swedish here) (the Swedish Patient Data Act), and the Swedish Credit Information Act (SFS 1973:1173) (only available in Swedish here).