Sweden Recording Laws: One-Party Consent, GDPR & AI Rules (2026)

---

title: "Sweden Recording Laws: One-Party Consent, GDPR & AI Rules (2026)" meta_description: "Sweden permits one-party consent recording under Brottsbalken Ch. 4 §9a. Full guide: GDPR, Dataskyddslagen, workplace rules, voyeurism, deepfake, AI Act, and penalties." slug: "world-laws/world-recording-laws/sweden-recording-laws" last_updated: "2026-05-15"

Sweden occupies an unusual position in European recording law. While much of the EU leans toward stricter two-party or all-party consent frameworks, Swedish criminal law permits individuals to record their own conversations without notifying anyone else involved. This one-party consent principle has been part of the Swedish Penal Code (Brottsbalken) since 1975 and remains in effect today.

The full picture is more complex than a simple "you can record" summary. Sweden layers criminal statutes, EU data protection regulation, a national implementing act, workplace co-determination law, and recently expanded camera surveillance rules on top of each other. This article covers all layers, including newer provisions on covert photography, non-consensual intimate-image sharing, identity impersonation, and AI-generated deepfakes.

Quick Answer: Is Sweden a One-Party Consent State?

Sweden follows one-party consent for audio and video recording. Under Brottsbalken Chapter 4, Section 9a (BrB 4 kap. 9a §), a person who uses a technical device to secretly listen to or record speech in private, conversations between others, or proceedings at closed meetings commits the offense of olovlig avlyssning (unlawful eavesdropping), but only when the recorder is not a participant in the conversation. The key phrase in the original Swedish statute is "i vilket han icke sjalv deltager" (in which they do not themselves participate). If you are part of the conversation, Section 9a does not criminalize your recording. You do not need to inform the other party. This rule applies equally to phone calls, in-person meetings, and video conferences.

The one-party consent principle applies to private individuals. Businesses face additional obligations under GDPR and Dataskyddslagen that require notifying the person being recorded. The criminal law permissiveness does not override the data protection notification duty in commercial contexts.

Brottsbalken Chapter 4 §9a: The Core Statute

The foundation of Swedish recording law sits in the Penal Code, enacted in 1962 and in force as SFS 1962:700. Chapter 4 addresses offenses against personal liberty and integrity. Section 9a was introduced by Law (1975:239) and defines the offense of olovlig avlyssning (unlawful eavesdropping).

The provision covers three specific scenarios, each requiring the use of a "tekniskt hjalpmedel" (technical device) and that the recorder is NOT a participant:

• Recording private speech. Secretly capturing a person speaking privately using a concealed device.
• Recording conversations between others. Planting a microphone or recording device to capture a conversation between two or more people in which you take no part.
• Recording closed meetings. Using technology to capture proceedings at conferences, gatherings, or meetings not open to the public.

Simply overhearing a conversation with your own ears is not covered by §9a. The statute requires a technical device.

The Participant Carve-Out

The participant carve-out is absolute in the criminal statute. Swedish law does not require "reasonable expectation of privacy" balancing for participant recordings, nor does it require that the recorder disclose the recording after the fact. A party to a conversation has the right to record it, full stop, under criminal law.

This differs from some EU member states. Germany requires all-party consent under §201 StGB. France requires prior consent under Article 226-1 of the Penal Code. Sweden's one-party rule more closely resembles the approach in Norway and Denmark.

Penalties for Unlawful Eavesdropping

The penalty under §9a is fines (boter) or imprisonment for up to two years (fangelse i hogst tva ar). The statute of limitations is five years from the date of the offense.

Section 9b of the same chapter criminalizes preparation for unlawful eavesdropping. Installing a recording device with intent to commit an offense under §9a carries the same penalty range: fines or up to two years. This provision was amended by Law (2013:366).

Related Provision: Breach of Postal and Telecommunications Secrecy

BrB 4 kap. 8 § (brytande av post- eller telehemlighet) protects communications in transit through postal and telecommunications infrastructure. Amended by Law (2012:280), it criminalizes unlawfully accessing communications delivered by postal or telecom providers through electronic communications networks. The penalty is the same: fines or up to two years. This provision targets interception at the infrastructure level rather than direct recording of conversations.

GDPR, Dataskyddslagen, and IMY Enforcement

Sweden's permissive criminal law framework operates alongside two layers of data protection law that impose additional obligations on anyone recording in a commercial or organizational context.

Layer 1: GDPR (Regulation EU 2016/679)

The EU General Data Protection Regulation applies directly in Sweden without requiring national transposition. Voice recordings of identifiable individuals constitute personal data under Article 4(1) GDPR. Any recording made in a professional or business context triggers GDPR obligations, regardless of what the criminal law permits.

Key GDPR requirements for business recording:

• Lawful basis (Article 6): Every recording needs a documented legal basis. The most common basis in Sweden is legitimate interest (Article 6(1)(f)), which requires a documented balancing test showing the business purpose outweighs the individual's privacy interest. Consent (Article 6(1)(a)) is also used, but must be freely given; power imbalances in employer-employee or business-customer relationships can undermine its validity. Legal obligation (Article 6(1)(c)) applies where financial regulation or other law mandates recording.
• Transparency (Articles 13-14): Businesses must inform people that recording is occurring, state the purpose, identify the controller, and explain how long recordings are retained.
• Data minimization (Article 5(1)(c)): Record only what is necessary for the stated purpose.
• Storage limitation (Article 5(1)(e)): Delete recordings once they have served their stated purpose. Common retention windows in Sweden range from 3 to 12 months for quality-assurance recordings.
• Security (Article 32): Store recordings using appropriate technical measures; keep within the EU where possible.
• Data subject rights (Articles 15-22): Individuals can request access to their recordings, request deletion under Article 17, and object to processing under Article 21.

Layer 2: Dataskyddslagen (SFS 2018:218)

Sweden's national complementary data protection law, the Dataskyddslagen, came into force on May 25, 2018 (the same day as GDPR). It provides national derogations and supplements to GDPR where EU law allows member states to set their own rules. Key areas where Dataskyddslagen adds to GDPR in the Swedish context include processing by public authorities, processing of sensitive personal data in employment contexts, and the designation of IMY as the national supervisory authority.

Dataskyddslagen does not create a separate consent requirement for personal (non-commercial) recordings. The domestic-purpose exemption in GDPR Article 2(2)(c) continues to apply, meaning purely personal recordings not shared beyond the recorder's household fall outside both GDPR and Dataskyddslagen.

IMY Enforcement Record

Integritetsskyddsmyndigheten (IMY) is Sweden's data protection authority. In 2024, IMY closed 326 supervisory matters and imposed fines in six cases totaling SEK 60.6 million (approximately EUR 5.5 million). Notable recent enforcement actions from IMY include:

• Trygg-Hansa: SEK 35 million fine (2023 decision) for a security vulnerability allowing 650,000 customer records to be accessed through simple URL manipulation without authentication, violating GDPR Article 32.
• Apoteket: SEK 37 million fine for transferring personal data to Meta without lawful basis.
• Apohem: SEK 8 million fine in the same Meta data-transfer investigation.
• Sportadmin: SEK 6 million fine for GDPR Article 32 security failures (2026 decision).

IMY's 2026 supervision priorities are crime prevention data processing, children and young people's data, and AI use in the public sector. New complaint-processing rules that took effect in March 2025 require IMY to acknowledge within two weeks whether it will open supervision after a three-month waiting period.

Lagen om Elektronisk Kommunikation and Cross-Border Recording

Lagen om elektronisk kommunikation (SFS 2022:482, amended through SFS 2025:1511) implements the EU European Electronic Communications Code and governs telecommunications providers in Sweden. It contains provisions on confidentiality of communications and the authority for secret interception under court or prosecutor authorization.

For civilian recordings, LEK is most relevant in cross-border contexts. When a person in Sweden records a call with someone in another EU country, the relevant question is which country's law governs:

• Swedish caller, Swedish participant: BrB 4 kap. 9a § applies. One-party consent. Recording is permitted.
• Swedish caller, participant in Germany: Germany requires all-party consent under §201 StGB. A German resident on the call may have civil or criminal recourse in Germany regardless of Swedish law. The safer approach for international business calls is to notify all parties.
• Swedish caller, participant in France: France requires prior consent under Article 226-1 French Penal Code. Same cross-border risk analysis applies.
• GDPR cross-border consideration: If the recording is for business purposes, GDPR applies regardless of the other party's location if the recording controller is established in the EU.

Sweden's cross-border principle for ECHR-compliant interception under Rattegangsbalken Chapter 27 requires court authorization and applies only to law enforcement investigations, not civilian recordings.

Penalties: Full Reference Table

Offense	Statute	Penalty
Unlawful eavesdropping (olovlig avlyssning)	BrB 4 kap. 9a §	Fines or up to 2 years
Preparation for eavesdropping	BrB 4 kap. 9b §	Fines or up to 2 years
Breach of postal/telecom secrecy	BrB 4 kap. 8 §	Fines or up to 2 years
Offensive photography (kränkande fotografering)	BrB 4 kap. 6a §	Fines or up to 2 years
Unlawful identity use / impersonation	BrB 4 kap. 6b §	Fines or up to 2 years
Unlawful integrity violation (intimate images)	BrB 4 kap. 6c §	Fines or up to 2 years
Aggravated integrity violation	BrB 4 kap. 6d §	6 months to 4 years
Defamation (fortal)	BrB 5 kap. 1 §	Fines
Aggravated defamation (grovt fortal)	BrB 5 kap. 2 §	Fines or up to 2 years
GDPR violation	EU Regulation 2016/679	Up to EUR 20 million or 4% global turnover

All offenses under BrB 4 kap. §§6a, 6b, 6c, 6d, 9a, and 9b require the victim to report the offense before prosecution can begin, unless the public prosecutor determines prosecution is warranted in the public interest.

Civil Liability for Recording Violations

Criminal liability is not the only consequence of unlawful recording in Sweden. Civil remedies are available through two main routes.

Skadestandslagen (SFS 1972:207)

Sweden's Tort Liability Act (Skadestandslagen) provides a basis for civil damages claims where a recording caused measurable harm. A plaintiff alleging unlawful eavesdropping under BrB 4 kap. 9a §, or an unlawful integrity violation under §6c, can pursue compensation for economic loss and non-economic damages (such as harm to dignity or reputation). The Riksdag enacted amendments to Skadestandslagen in 2026 to strengthen crime-victim compensation, with changes taking effect September 1, 2026.

GDPR Article 82

Where a recording constitutes a GDPR violation, Article 82 provides individuals with the right to receive compensation from the controller or processor for material or non-material damage resulting from the infringement. Non-material damage includes distress and loss of dignity. Swedish courts apply this provision directly. GDPR Article 82 claims are independent of any IMY administrative fine.

Practical Considerations

A victim of unlawful recording in Sweden can pursue criminal charges (by reporting to police), an IMY complaint (for GDPR violations), and a civil damages claim under Skadestandslagen or GDPR Article 82 simultaneously. These three routes are not mutually exclusive.

Recording Phone Calls

Swedish law draws no distinction between recording a phone call and recording a face-to-face conversation. The one-party consent rule under BrB 4 kap. 9a § applies equally to all communication media.

If you are a participant in a phone call, you may record it without informing the other party. This applies to:

• Standard telephone calls
• VoIP and internet calls
• Video calls (the audio component is covered by §9a; the video component of your own screen is governed by ordinary use of your device)
• Calls through messaging applications

For businesses, GDPR and Dataskyddslagen impose notification requirements on top of this criminal-law permissiveness. A company recording customer service calls must announce the recording at the start of the call, state the purpose, and operate under a documented lawful basis.

Recording In-Person Conversations

The same one-party consent principle applies to in-person meetings. If you are present at a meeting, you may record it. No notification is required under criminal law. This covers:

• Private one-on-one conversations
• Workplace meetings you attend
• Public gatherings and conferences you participate in

The line is whether you are a participant. A journalist who hides a microphone at a private dinner where they are a guest is a participant and may record. A journalist who plants a recording device in a boardroom and then leaves has become a non-participant and risks prosecution under §9a.

Watch out: "Participant" status can be contested. If you enter a conversation briefly and then withdraw from the room while a device continues recording others, prosecutors and courts may treat the subsequent recording as non-participant eavesdropping. Physical presence and active engagement in the conversation strengthen the participant claim.

Recording Police Officers

Filming or recording police officers performing their public duties in public spaces is lawful in Sweden. No provision of BrB Chapter 4 prohibits it. BrB 4 kap. 9a § applies only to private conversations where the recorder is not a participant; police activity in public is not a private conversation.

The Fundamental Law on Freedom of Expression (Yttrandefrihetsgrundlagen, 1991:1469) and the Freedom of the Press Act (Tryckfrihetsforordningen) protect the production and dissemination of technical recordings. Every person has the right to produce and disseminate recordings under Swedish constitutional law.

Practical constraints do apply:

• GDPR domestic-purpose limit: If you record police activity and then post it online, that may constitute processing of personal data beyond purely personal use. You should have a lawful basis for publication, typically freedom of expression or public interest journalism.
• Obstruction: You may not physically obstruct police while recording. Your right to record does not include interfering with police operations.
• Police instructions: Police may not lawfully order you to stop recording their public-duty activities in public spaces. However, in practice some officers attempt this. The legal right to record in public stands regardless of an officer's instruction.

There is no specific Swedish statute creating a "right to record police" comparable to some US state laws; instead, the right flows from constitutional freedom-of-expression protections and the absence of any prohibition.

Workplace Recording: MBL and IMY Guidance

Workplace recording is one of the most regulated areas of Swedish privacy law. Two distinct legal frameworks govern employer surveillance: the Employment (Co-Determination in the Workplace) Act and IMY's GDPR-based guidance.

Medbestämmandelagen (MBL, SFS 1976:580): The Co-Determination Obligation

Before any employer introduces video surveillance of employees, Medbestämmandelagen (MBL) §§11-14 require the employer to negotiate with the relevant trade union(s). This is not merely a consultation; the employer must initiate formal co-determination negotiations and complete them before the surveillance system goes live. Failure to negotiate before installing surveillance exposes the employer to claims under MBL.

This obligation covers both new surveillance systems and material changes to existing ones. Replacing an analog camera system with a modern AI-enabled system would likely trigger a new MBL negotiation requirement.

IMY Guidance on Employer Surveillance

IMY's guidance under GDPR and Dataskyddslagen provides the substantive rules on what surveillance is permitted after the MBL process is complete:

Audio recording: IMY's position is clear: recording sound is generally not permitted at a workplace. This applies even in settings where video surveillance is justified. An employer who installs cameras with integrated microphones must disable the audio function. The rationale is proportionality: audio captures far more personal information than video, including private conversations between employees that have nothing to do with legitimate business purposes.

Video surveillance: Permitted only with strong documented justification. Acceptable purposes include monitoring hazardous industrial processes in real time, preventing robbery or theft in retail environments, and monitoring small crime-prone storage areas containing valuable goods.

Prohibited video uses under IMY guidance:

• Systematic monitoring of employee work performance
• Surveillance of changing rooms, break rooms, or rest areas
• Hidden cameras without proper notification
• Using footage for purposes beyond the original stated reason
• Sharing surveillance images with other employers or online

Visible signage is mandatory for all monitored areas, identifying the purpose and the data controller's contact information.

Employee Right to Record Employer Conversations

The employer restrictions above do not limit an employee's personal rights under BrB 4 kap. 9a §. An employee who participates in a meeting with HR or a conversation with a supervisor may record it without notice. Swedish labor advocates, including the SAC trade union, have recommended that workers record conversations with employers as a way to document workplace disputes.

What the employee does with the recording matters. Sharing it publicly may raise defamation concerns under BrB Chapter 5. Using it to harm the employer's reputation without factual basis could create liability under the general tort framework.

Voyeurism and Non-Consensual Intimate Images: §§6a, 6c, 6d

Swedish law created a layered set of integrity offenses over the period from 2013 to 2018 that address covert photography, non-consensual intimate image distribution, and related harms. These provisions are separate from the eavesdropping framework of §9a.

BrB 4 kap. 6a §: Kränkande Fotografering (Offensive Photography)

Introduced by Government Proposition 2012/13:69, this provision criminalizes secretly photographing a person indoors in a residence, bathroom, changing room, or other similar private space using technical equipment, when the photographer lacks the right to be in that space. The offense requires both secrecy and unauthorized access to the space.

Penalty: fines or up to two years imprisonment.

Key limitation: the offense requires the photographer to be located outside the space being photographed, or to lack authorization to be in it. A participant in a private meeting who records video of others present is not committing kränkande fotografering (though other provisions may apply). The provision targets hidden cameras placed in bathrooms, changing rooms, or private residences without authorization.

BrB 4 kap. 6c §: Olaga Integritetsintrång (Unlawful Integrity Violation)

This provision, introduced January 1, 2018 (Law implementing SOU 2016:7), criminalizes the distribution of certain categories of images or information about a person when that distribution is liable to cause the person serious harm. The categories covered are:

• Images or information about the person's sexual life
• Images or information about the person's state of health or medical history
• Information that the person has been subjected to a crime (e.g., a sexual assault)
• Images of the person in a highly vulnerable situation
• Images of the person's naked or partially naked body

Penalty: fines or up to two years (basic offense, §6c). Aggravated form (§6d, grovt olaga integritetsintrång): six months to four years. Aggravating factors include the scale of distribution, whether the image was recorded without consent, and the severity of harm.

The "liable to cause serious harm" threshold means that not every unauthorized distribution triggers criminal liability; the harm must be substantial and foreseeable. Courts assess the nature of the image, the scale of distribution, and the characteristics of the victim.

A 2025/26 Riksdag motion (Motion 2025/26:114 by Angelica Lundberg) proposes expanding the scope of olaga integritetsintrång to cover additional categories. As of May 2026, this motion is pending committee review.

Deepfake and AI Identity Impersonation: §6b

BrB 4 kap. 6b §: Olovlig Identitetsanvändning (Unlawful Identity Use)

This provision was introduced July 1, 2016 by Law implementing Proposition 2015/16:150. It criminalizes impersonating another person by unlawfully using that person's identity information and thereby causing harm or inconvenience to them.

The statute was enacted to address identity theft and online impersonation. Its application to deepfakes and AI-generated content is analytically straightforward: if a person uses AI-generated audio or video to impersonate a real, identifiable individual and causes that individual harm or inconvenience (for instance, by posting fabricated statements under their name), §6b provides a criminal remedy. The statute does not require that the impersonation involve financial fraud; reputational harm or emotional distress qualifies.

Penalty: fines or up to two years.

Limitation: §6b requires that the impersonation cause harm or inconvenience to the specific individual impersonated. Deepfake content that impersonates a public figure for satire, without causing material harm, sits in a grayer area. Swedish courts have not yet published guidance on where the satire exception ends and criminal impersonation begins.

Pending Legislation on Deepfake Labeling

Two tracks of legislation are developing in parallel:

1. EU AI Act Article 50 (Regulation EU 2024/1689): Requires that providers of AI systems generating synthetic media, including deepfakes, implement technical measures ensuring the output is labeled as machine-generated. The labeling obligation applies to AI-generated video, image, audio, and text that could be mistaken for genuine content or that purports to inform the public on matters of public interest. Full enforcement from August 2, 2026. Providers who placed systems on the market before that date have a six-month transitional period.

2. Sweden SOU 2025:101 (Anpassningar till AI-forordningen): In October 2025, a national committee submitted its report proposing complementary Swedish legislation for the AI Act. The proposed new Swedish law and ordinance are designed to enter force on August 2, 2026, alongside full AI Act enforcement. PTS (Post- och telestyrelsen) is proposed as the primary market surveillance authority. A separate Riksdag motion (2025/26:1815) proposes mandatory watermarking of all AI-generated material to counter disinformation.

Recording Police: Constitutional Protections and Limits

Sweden's constitution provides two overlapping protections relevant to recording in public. The Tryckfrihetsforordningen (Freedom of the Press Act) and the Yttrandefrihetsgrundlagen (Fundamental Law on Freedom of Expression, 1991:1469) together establish that every person has the right to produce and disseminate technical recordings. This constitutional protection encompasses filming police officers performing their duties in public spaces.

No provision of BrB Chapter 4 prohibits this. BrB 4 kap. 9a §'s prohibition on non-participant recording applies to private conversations; police activity on a public street is not a private conversation within the meaning of the statute.

The Riksdag's own photo and film guidance, published for public access to parliamentary activities, confirms that photography and filming of public activities is generally permitted under these constitutional provisions.

If a recording of police activity contains identifiable personal data and is shared beyond purely personal use, GDPR obligations may apply to its further distribution, though public-interest journalism and freedom-of-expression exceptions in Article 85 GDPR and Dataskyddslagen often cover this context.

State Surveillance: 2025 Expansions

Beyond the civilian recording framework, Sweden expanded government surveillance powers significantly in response to a surge in organized crime. The country experienced a dramatic increase in bombing incidents, from seven in September 2024 to over 30 in January 2025.

Secret Coercive Measures for Children Under 15

The law permitting secret and preventive coercive measures against children under 15 suspected of crimes came into force October 1, 2025. It applies to offenses carrying prison sentences exceeding four years and requires a higher degree of suspicion than would apply to adult suspects. Originally planned for summer 2026, implementation was accelerated. This expanded law enforcement's ability to use secret wiretapping and surveillance against juvenile suspects in the organized crime context.

Data Retention Legislation

The proposed data retention law (Datalagring och tillgang till elektronisk information) would require electronic communications providers to store user communications and grant law enforcement access, including to end-to-end encrypted messages. As of May 2026, this legislation is still in the legislative process, with entry into force proposed for March 1, 2026, though final passage has not been confirmed. IMY objected to a geographically targeted storage provision that would affect over 7.4 million Swedes. The proposal drew international criticism, with over 230 organizations from more than 50 countries urging the Riksdag to reject the bill.

Law Enforcement Wiretapping Under Rattegangsbalken

Sweden's Code of Judicial Procedure (Rattegangsbalken) Chapter 27 governs secret wiretapping (hemlig avlyssning) by law enforcement. Key requirements:

• A court order is generally required before wiretapping begins.
• The suspect must be reasonably suspected of a crime.
• In emergency situations, a prosecutor may authorize temporary wiretapping while awaiting court approval.
• Room interception has stricter requirements than telephone wiretapping.

These provisions are entirely separate from the civilian recording rules under BrB Chapter 4.

Admissibility of Recordings in Court

Swedish courts follow the principle of free evaluation of evidence (fri bevisvärdering). There are no rigid exclusionary rules barring evidence based on how it was obtained. A recording made in violation of BrB 4 kap. 9a § by a non-participant is still admissible in Swedish court proceedings. The judge assesses its reliability and weight alongside all other evidence. The person who made the illegal recording may face criminal charges, but the recording itself is not excluded.

This is a significant departure from jurisdictions such as France and Germany, where illegally obtained recordings face automatic exclusion or strong presumptions against admissibility. It also differs from US federal practice under the exclusionary rule, though the US rule applies primarily to state actors rather than private parties.

Participant recordings made under the one-party consent rule are fully admissible and regularly used in both civil and criminal proceedings to document disputed conversations.

Sharing and Distributing Recordings

Recording a conversation lawfully does not create unlimited rights to distribute it. Swedish law creates liability points at the distribution stage.

Defamation (BrB 5 kap. 1 §): Sharing a recording that exposes someone to contempt constitutes fortal (defamation). Standard defamation carries a fine. Aggravated defamation (grovt fortal, BrB 5 kap. 2 §) takes into account the scale of dissemination and potential damage; penalty is fines or up to two years.

Olaga integritetsintrång (BrB 4 kap. 6c §): If the recording contains images or information in the protected categories (sexual life, health, naked body, etc.) and distribution is liable to cause serious harm, criminal liability under §6c may apply even if the underlying recording was lawful.

GDPR Article 6: Distributing a recording of identifiable individuals beyond purely personal use requires a lawful basis. Publishing online, sharing with media, or circulating within an organization all constitute data processing subject to GDPR.

The safest approach: lawful recordings may be shared with legal counsel, used in legal proceedings, or retained as personal documentation, but broader distribution warrants a careful analysis of defamation, integrity-violation, and GDPR exposure first.

Nordic Comparison

Sweden's one-party consent approach aligns with its Nordic neighbors, though details vary.

Norway: One-party consent for personal recording. Participants may record without notifying others. Businesses must comply with GDPR notification requirements. Distributing private recordings is restricted.

Denmark: One-party consent for personal recording. For business call recording, the Danish Data Protection Agency (Datatilsynet) has required explicit opt-in consent from customers in commercial contexts. Spreading or disseminating private conversations is illegal under Danish law.

Finland: Participants may record under Section 12 of the Finnish Constitution (freedom of expression). GDPR compliance mandatory for businesses.

All four Nordic countries share one-party consent for personal recordings, business GDPR obligations, and distribution liability. Sweden stands out for its explicitly codified criminal provision (§9a) and its comprehensive supplementary offenses (§§6a-6d) covering covert photography, identity impersonation, and non-consensual intimate images.

Business Compliance Checklist

Companies in Sweden recording calls, meetings, or interactions should follow these steps:

1. Determine your GDPR legal basis. Document a legitimate-interest assessment for quality-assurance recording.
2. Notify all parties being recorded. Use an automated announcement at the start of calls or clear signage for in-person settings.
3. State the purpose. Quality assurance, training, regulatory compliance, or dispute resolution.
4. Set a retention period. Delete recordings after serving their stated purpose, typically 3 to 12 months.
5. Restrict access. Only authorized personnel should review recordings.
6. Encrypt and store within the EU. Follow GDPR Article 32 technical security requirements.
7. Honor deletion requests. Respond to GDPR Article 17 (right to erasure) requests within the required timeframe.
8. Document all processing activities. Maintain records under GDPR Article 30.
9. Prohibit workplace audio surveillance. Follow IMY guidance: audio recording in employee work areas is generally not permitted.
10. Complete MBL negotiations before installing surveillance. Negotiate with trade unions under §§11-14 before any workplace video surveillance system goes live.
11. Update camera-surveillance documentation. Conduct and document legitimate-interest assessments for all video surveillance under the post-April 2025 rules.
12. Monitor AI Act compliance for synthetic media. If your business uses AI tools that generate audio or video, verify Article 50 labeling obligations before August 2, 2026.