GDPR Compliance Investigation in Finland and Sweden

After GDPR regulation coming into force on the 25th of May, the Finnish Data Protection Authority’s office was flooded with complaints about possible infringements.

This may result in sanctions worth millions in euros (read more about the fines for not complying with GDPR). Therefore, the Finnish Data Protection Authority starts a GDPR Compliance investigation of every notification received about possible infringement.

According to the public data, there are already 1300 data protection, 300 cross-border as well as 300 national infringement related complaints. Therefore, the Finish Data Protection Authority will visit hot-spots of infringements, where the search will be conducted in 1-2 days each.

Sanctions That Worth Millions – only one of the options

After the Finnish National Law regarding personal data protection coming into force, the supervisory power of the data protection authority enhances significantly. Therefore, GDPR infringement can lead to sanctions of up to 10 million euros or alternatively up to 2% of the worldwide revenue. However, it is possible that the sanction is merely a warning, or no consequences will follow.

According to the Finnish Data Protection Authority, every alleged infringement will be evaluated individually. Though, the sanction is only one of the options.  For instance, companies might face restrictions or changes to make within the company. Therefore, the use of monetary sanctions will happen in accordance with European practice.

Sweden Started Investigation Already in June

The National Law regarding data protection is already in force in Sweden. As a result, it allowed starting an investigation on how companies comply with the new GDPR already back in June. An investigation report. is available and probable sanctions will be ready by the end of 2018.

A list of 66 companies under investigation was previously released by the Swedish Data Protection Authority to the Di Digital magazine. The list contains:

  • 13 trade unions;
  • 5 telecommunication service providers;
  • 5 insurance companies;
  • 3 public transport service providers;
  • 3 banks;
  • 2 health service providers; and
  • 35 different public authorities.

In total, 362 objects from both the public and private sectors were investigated. On the 31st of October, the Swedish Data Protection Authority published an overview of the complete investigation.  It revealed that approximately 16 % of the investigated companies lack GDPR compliance. As a result, out of 66 listed cases, 57 reprimands and 2 injunctions were given. The rest (7 companies) didn’t face any consequences.

Investigated companies include operators Tele2 and Telia, money exchange service Forex Bank and Resurs Bank and others. 

Read more on this topicGDPR Compliance Checklist for 2019

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email

Try our GDPR Compliance Tool GDPR Register for 14-days.

No credit card required.

Latest Posts
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

It’s practically not possible to run a business without processing personal data and exchanging it with other businesses. It may...
Templates for Records of Processing Activities

Templates for Records of Processing Activities

As we see every day, most companies and organisations still keep their Records of Processing Activities in spreadsheets. Through our...
Web plug-in requires visitor’s consent

Web plug-in requires visitor’s consent

In the light of the recent ruling of the European Court of Justice, website owners have to bear in mind...
First GDPR fine issued in Lithuania

First GDPR fine issued in Lithuania

A year after GDPR came into force, the Lithuanian Data Protection Authority (VDAI) has issued its first administrative fine. UAB ‘Mister Tango’,...
Finnish DPA ordered a company to change their data processing practises

Finnish DPA ordered a company to change their data processing practises

An article was published recently in the Helsingin Salomat about the Finnish Data Protection Authority who had ordered a payment and...
Data Protection Officer’s role and responsibilities

Data Protection Officer’s role and responsibilities

In light of the latest survey conducted by the CPO Magazine, we are looking into the role of the Data...
GDPR Compliance Checklist for 2019

GDPR Compliance Checklist for 2019

Just recently, a report was published based on a survey of 252 global privacy professionals working for a wide range...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What do companies have to include in the records of processing activities? GDPR requires companies to keep an internal record,...
GDPR in B2B Marketing

GDPR in B2B Marketing

There are two separate EU level regulations to follow when processing personal data for direct marketing in B2B and B2C...
Data Protection Impact Assessment Guide

Data Protection Impact Assessment Guide

The General Data Protection Regulation (GDPR) has introduced a new obligation, which requires companies and organizations to carry out data...

Zpracovává vaše společnost osobní údaje?

Zpracovávat vaše společnost osobní údaje fyzických osob, jako jsou:

  • Údaje zaměstnanců, zákazníků, uchazečů o zaměstnání nebo pacientů včetně:
    • Jméno nebo osobní identifikační číslo
    • Kontaktní údaje (e-mailová adresa, telefonní číslo, adresa)
    • Bankovní údaje, plat, údaje o pasu nebo jiné osobní údaje


Ar Jūsų įmonė renka ir tvarko fizinių asmenų asmens duomenis? 

Asmens duomenys gali būti:

  • Kliento, darbuotojo. paciento, kandidato į darbo vietą ir kt. 
    • Vardas ar asmens  numeris 
    • Kontaktinė informacija (el.pašto adresas, telefono numeris, adresas ir kt)
    • Banko sąskaitos  duomenys, atlyginimo dydis, paso duomenys ar bet kokia kita asmeninė informacija. 

Onko yrityksessäsi enemmän, kuin 250 työntekijää?

Kas teie ettevõte kogub ja töötleb isikuandmeid?

Kas teie ettevõte kogub ja töötleb füüsiliste isikutega seotud andmeid nagu näiteks:

Töötajate, klientide, tööle kandideerijate, patsientide:

  • Nimi, isikukood
  • E-posti aadress, telefoninumber, kodune aadress
  • Pangakontonumber, palgasumma, krediitkaardiandmed või mõnda muut tüüpi isiklikud andmed

Does your company collect any personal data?

Does your company collect and process any personal data of natural persons such as:

  • Employees, Customers, Job Applicants or Patients including:
    • Name or personal ID number
    • Contact details (Email address, Phone number, Address)
    • Bank details, Salary amounts, Passport details or any other personal data