Data privacy in Nordic countries: An overview

Published June 26, 2025

by Peter Oladimeji
Summary

Europe's robust privacy framework presents regulatory hurdles that businesses must navigate carefully. This is particularly true of the Nordic countries: Denmark, Finland, Iceland, Norway, and Sweden.

Since the GDPR became applicable in May 2018, the Nordic countries, like the rest of the EU and EEA, have implemented it through national supplementary legislation. As leaders in digital innovation and e-government with sophisticated, tech-savvy populations, they have a particular need for a robust legal framework to safeguard personal data.

Recognizing this need, the Nordic countries embraced the GDPR swiftly while adapting its implementation to their socio-cultural and geographical contexts. This article examines Nordic data protection in depth, highlighting the harmonized principles, enforcement frameworks, and local nuances that shape the region's privacy landscape.

The GDPR & its local adaptations across the Nordic region

The GDPR laid the groundwork for data protection across the European Union (EU) and the European Economic Area (EEA), which includes the Nordic countries. It also leaves room for supplementary national legislation and derogations that address concerns specific to individual states.

Data protection in Denmark

The Danish Data Protection Act (Act No. 502 of 23 May 2018), Databeskyttelsesloven, entered into force on 25 May 2018, the same day the GDPR became applicable, replacing the former Act on Processing of Personal Data (Act No. 429 of 31 May 2000). It supplements the GDPR with stricter provisions on data retention periods and employee monitoring.

The Act designates the Danish Data Protection Authority (Datatilsynet) as the supervisory authority; it has been particularly active on cookie consent and automated decision-making. Learn more about Danish privacy laws.

Data protection in Finland

In Finland, the GDPR is incorporated through its Data Protection Act (1050/2018), Tietosuojalaki. The act prioritizes children’s privacy and the processing of sensitive data. 

The Office of the Data Protection Ombudsman, Tietosuojavaltuutetun toimisto, as the local supervisory authority, has issued guidelines on AI-driven profiling, which reflect the country’s stance on the ethical use of AI technology. Learn more about Finnish privacy laws.

Data protection in Iceland

Iceland is not an EU member; it applies the GDPR through the EEA Agreement.

The country has supplemented it with the Icelandic Data Protection Act (No. 90/2018), Persónuverndarlög. The Icelandic DPA, Persónuvernd, has also taken a stance against the misuse of biometric data, particularly in workplace surveillance.

Data protection in Norway

Norway is likewise not an EU member; the GDPR was incorporated into the EEA Agreement by an EEA Joint Committee Decision of 6 July 2018.

Norway's Personal Data Act, Personopplysningsloven, implements the GDPR and took effect on 20 July 2018. The Act is administered by the Norwegian Data Protection Authority, Datatilsynet. Learn more about Norwegian privacy laws.

Data protection in Sweden 

Sweden enacted one of the world's first national data protection laws, the Data Act (Datalagen) of 1973. Today it supplements the GDPR through the Act containing supplementary provisions to the EU General Data Protection Regulation, Lagen (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning, commonly called the Data Protection Act (Dataskyddslagen).

The Swedish DPA, the Swedish Authority for Privacy Protection, Integritetsskyddsmyndigheten (IMY), remains one of the most active regulators in the Nordic region. Learn more about Swedish privacy laws.

Nordic data privacy standards in practice

Nordic DPAs share notable commonalities, driven largely by their shared commitment to the GDPR:

Proactive collaboration

First is proactive collaboration through frameworks for cross-border cooperation. Denmark's Datatilsynet, Sweden's Integritetsskyddsmyndigheten (IMY), Finland's Tietosuojavaltuutetun toimisto, and Norway's Datatilsynet have all engaged in joint efforts on pressing data protection matters.

A case in point: in May 2024, the Nordic DPAs met at their annual Nordic Meeting in Oslo to adopt a joint declaration on areas that call for cooperation. The meeting concluded with the joint adoption of principles on children's rights in online gaming, agreement on the need for increased regulatory oversight in light of the EU's digital laws, and a shared position on how emerging technologies such as AI relate to the GDPR.

Consent standards and GDPR principles

Another common denominator is the enforcement of consent standards and GDPR principles. The principles of accountability and transparency drive the demand for consent that is freely given, specific, informed, and unambiguous (and explicit where special categories of data are involved).

Nordic DPAs strictly enforce these expectations. Controllers must be clear, unambiguous, and granular, using mechanisms that let users opt into each processing purpose separately and withdraw consent as easily as they gave it.

Transparency requirements

Nordic DPAs are recognized for a high level of commitment to transparency in specific sectors, including healthcare and education. They demand, and themselves publish, documentation that explains data breach incidents, the ensuing inquiry, and the rationale behind their decisions.

This approach aligns with the GDPR, addressing data breaches and individual privacy rights violations without hindering innovation.


Electronic marketing compliance

Electronic marketing (including SMS, email, and other digital communications) is another area in which Nordic regulators protect data subjects.

Before engaging in any marketing activity, companies must document the legal basis for the underlying processing: a documented legitimate interest assessment where legitimate interest is relied upon, or clear, affirmative consent where consent is relied upon. For unsolicited electronic marketing to individuals, the ePrivacy rules transposed in each Nordic country generally require prior consent, with a narrow exception for marketing similar products or services to existing customers; legitimate interest under the GDPR does not by itself authorize it. Unsolicited marketing without a proper basis attracts enforcement action.

Importance of sensitive data

Protecting sensitive data categories (including health information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation/sex life, biometric data used for identification, and genetic data) is also a priority in the region. 

As seen in the Grindr case (more information is provided later in the article), Nordic DPAs maintain a zero-tolerance policy for the improper handling of sensitive personal data.

Notable enforcement & fines in the Nordic region

When it comes to enforcement across the Nordic countries, a common thread is evident in how Nordic DPAs approach compliance with Article 5 (the principles of lawfulness, fairness, and transparency in data processing) and Article 32 (security of processing).

Violations of these provisions remain the most common grounds for sanctions imposed by Nordic DPAs. According to a DLA Piper report, Nordic authorities recorded 17,481 data breach notifications in the period from 28 January 2019 to 27 January 2020, with Sweden and Denmark leading in the number of breaches.

Notably, Finland was slower than its neighbours to impose GDPR fines, issuing its first in May 2020. Some of the enforcement actions taken across the region include:

1. Viking Line (€230,000) 

In December 2022, following an investigation into its processing of employees' health data without a lawful basis, the Finnish supervisory authority fined Viking Line €230,000.

2. Yliopiston Apteekki (€1,100,000) 

In May 2025, the Sanctions Board of the Office of the Data Protection Ombudsman fined the pharmacy chain Yliopiston Apteekki €1,100,000 for data protection failures in the use of tracking technologies (specifically Google and Meta tracking tools) in its online store.

3. Grindr (~€5.65 million)

Following a complaint by the Norwegian Consumer Council (Forbrukerrådet) supported by noyb, Datatilsynet notified Grindr of an intended fine of NOK 100 million (approximately €9.63 million).

The final penalty, a record at the time, was reduced to NOK 65 million (approximately €5.65 million). It was imposed for, among other violations, sharing sensitive personal data used to profile users of the Grindr app for targeted advertising without valid consent.

4. Spotify (~€5 million)

In another case, brought on a complaint by Bits of Freedom and noyb, Sweden's IMY fined Spotify SEK 58 million (approximately €5 million) after finding that the information Spotify gave about its processing was insufficiently clear, even when data subjects requested it under their right of access.

5. Google Workspace (Outright ban)

In July 2022, Denmark's Datatilsynet barred schools in Helsingør Municipality from using Google Chromebooks and Google Workspace (formerly G Suite) until measures such as a data protection impact assessment (DPIA) and supervisory approval were in place.

Emerging trends in the Nordic region

Let’s look at some of the emerging trends in data privacy protection and enforcement across the Nordic region: 

AI governance and algorithmic accountability

The rapid rise of AI innovation is bringing algorithmic accountability into sharp focus. As governments increase investment in the field, Nordic DPAs are responding with increased oversight.

In Sweden, the Integritetsskyddsmyndigheten (IMY) has initiated an investigation into the use of automated hiring tools over concerns about potential discrimination. Meanwhile, Finland has placed AI governance at the focus of its national data strategy; a move that underscores its position on the ethical and transparent deployment of algorithmic systems as a pressing need. 

Legitimate interest as a legal basis 

Nordic countries differ slightly in their approach to legitimate interest as a (legal) basis for data processing. The Swedish DPA is committed to scrutinizing legitimate interest claims, mandating the documentation of Legitimate Interest Assessments (LIAs), and issuing sanctions to non-compliant businesses. 

This is quite common in employee monitoring and marketing contexts, where such interests must be clear, proportionate, and balanced against the privacy rights of data subjects, with robust safeguards in place. 

Countries like Finland and Denmark are somewhat more lenient, provided robust risk assessments are conducted.

Consent collection requirements

As with legitimate interest assessments, Norway's Datatilsynet and the other Nordic DPAs take a strict stance on the use of consent as a legal basis for processing.

Consent must be obtained (and validly given) where no customer relationship exists in electronic marketing contexts. A data subject must have the right to object to such marketing, and where consent is given, it must be capable of withdrawal. 

Cross-border data transfers post-Schrems II (and likely, post-DPF) 

Cross-border data transfers remain a live issue given the possibility that the EU-US Data Privacy Framework (DPF) could collapse under the current Trump administration. For Nordic companies, this uncertainty makes it wise to reduce exposure to GDPR non-compliance risk by:

  1. Prioritizing data residency within the EU and; 
  2. Curtailing outbound data flow from the EU.

This trend aligns with a shift away from U.S.-based cloud and analytics providers such as AWS or Google Cloud toward regionally hosted (EU-based) or local Nordic providers such as Tietoevry (Finland), Basefarm (Norway), or City Network (Sweden).

Separately, the Danish, Swedish, and Norwegian DPAs have held that the use of Google Analytics and similar US services violated the GDPR, citing inadequate safeguards against US surveillance. Note that those decisions concerned transfers made under the SCCs after Schrems II and before the DPF was adopted in July 2023. The ripple effect is already being felt: EU-hosted platforms are becoming the preferred option in the Nordic region because they offer EU data residency and an easier path to GDPR compliance.

Standard Contractual Clauses (SCCs) are another way to safeguard transatlantic data transfers, provided they are backed by a transfer impact assessment and, where needed, supplementary measures. Meanwhile, Nordic DPAs will continue to monitor transfers to jurisdictions with weak protections against breaches and surveillance.

The question of cookie walls

Notwithstanding the withdrawal of the proposed ePrivacy Regulation, Nordic DPAs are aligning their enforcement with the stricter cookie and consent standards of the ePrivacy Directive (the EU Cookie Law). Norway is leading the charge in restricting cookie walls: the January 2025 amendment to the Electronic Communications Act, or E-com Act (Norwegian: Lov om elektronisk kommunikasjon, ekomloven), obliges sites to remain accessible after a user refuses cookies, though access may be limited to reduced functionality.

Denmark has also imposed fines for websites with non-compliant cookie banners, signalling a shift toward stronger user autonomy in digital environments.

Public sector oversight

Public-sector bodies collect and process personal data on a large scale (for e-government, law enforcement, and national security purposes) and operate on a correspondingly high level of public trust and expectation.

In exercising their regulatory mandate, Nordic DPAs therefore also monitor the largest data controllers in the region. In January 2023, Finland's Data Protection Ombudsman reprimanded three libraries in the Helsinki capital region for transferring personal data abroad through Google Analytics without appropriate safeguards.

What steps can businesses take to comply with regulations?

The consequences of non-compliance with data privacy regulations in the Nordic region range from warning notices to investigations and heavy penalties, which can cause significant reputational damage.

It may also lead to legal action, which could be both costly and time-consuming. If you’re operating anywhere in the Nordic region, you can take the following active steps to comply:

1. Conduct legitimate interest assessments (LIAs): 

Contrary to misconceptions, legitimate interest is not a ‘soft option’ when relying on a legal basis to process data. When relied upon, businesses must perform and document LIAs. 

The Court of Justice of the European Union first set out the three criteria for relying on legitimate interest in the Rīgas satiksme case (Case C-13/16). As further explained in the European Data Protection Board's guidelines, a valid LIA must pass a three-step test:

  1. An existing legitimate interest: The processing must be done in the pursuit of a controller’s (or third party’s) legitimate interest. Such an interest must be lawful, clearly defined, and real, not hypothetical or speculative;
  2. The necessity of processing: The processing must be strictly necessary for acting on a legitimate interest. If the same result can be achieved by less intrusive means, those alternatives should be used instead (in line with the principle of data minimization); and
  3. The ‘Balancing Test’: This test weighs the (proposed) legitimate interest of the controller against the rights/freedoms of the data subject. Where interests, rights, or freedoms of the data subject outweigh such legitimate interest, it cannot be relied upon as a valid legal basis. 

The exercise must consider the nature of the data, the context of processing, and the reasonable expectations of data subjects in relation to the potential impact on their rights. 

2. Obtain lawful consent

Consent obtained for data processing must be freely given, specific, informed, and unambiguous, and granular by purpose; it must be explicit where special categories of data are processed.

As this is a strictly enforced requirement by Nordic DPAs, we recommend using a Consent Management Platform (CMP) to allow users to opt into different processing purposes individually and withdraw consent at any time. 
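The granular, withdrawable consent the Nordic DPAs expect maps onto a simple data model. The following is an added example, not Didomi's CMP or any vendor's code: a per-purpose consent record with no pre-ticked defaults, a withdrawal path, and a fail-closed gate that decides whether a given tracker may load. The purpose names, the vendor-to-purpose map, and the record shape are assumptions for illustration; the one fixed rule is that strictly necessary storage is exempt from consent under Article 5(3) of the ePrivacy Directive.

```javascript
"use strict";

// Added example (not Didomi's CMP or any vendor's code). Purpose names,
// the vendor map and the record shape are assumptions for illustration.
const PURPOSES = ["analytics", "marketing"];
const STRICTLY_NECESSARY = "necessary"; // exempt from consent (ePrivacy Art. 5(3))

// Constructed sample map of trackers to the purpose each one serves.
const VENDOR_PURPOSE = {
  "session-cookie": STRICTLY_NECESSARY,
  "analytics-tag": "analytics",
  "ads-pixel": "marketing",
};

function createConsentStore(now = () => Date.now()) {
  // No pre-ticked boxes: every purpose starts with no decision recorded,
  // and the gate treats "no decision" exactly like a refusal.
  const state = { version: 1, decisions: {}, updatedAt: null };

  function setDecision(purposes, granted) {
    for (const p of purposes) {
      // Consent is never recorded for strictly necessary storage; only the
      // purposes that actually need a choice are accepted.
      if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
      state.decisions[p] = { granted, at: now() };
    }
    state.updatedAt = now();
  }

  // Granting and withdrawing are symmetric: withdrawal is as easy as consent.
  const grant = (purposes) => setDecision(purposes, true);
  const withdraw = (purposes) => setDecision(purposes, false);

  function allows(purpose) {
    if (purpose === STRICTLY_NECESSARY) return true;
    const d = state.decisions[purpose];
    return d !== undefined && d.granted === true;
  }

  function mayLoad(vendor) {
    const purpose = VENDOR_PURPOSE[vendor];
    if (purpose === undefined) return false; // unmapped vendor: fail closed
    return allows(purpose);
  }

  // Snapshot of the consent record, copied so it can serve as audit evidence
  // without callers being able to mutate the live state.
  const record = () => JSON.parse(JSON.stringify(state));

  return { grant, withdraw, allows, mayLoad, record };
}

// Returns the subset of vendors that may load; a real CMP would inject only these.
function gateScripts(store, vendors) {
  return vendors.filter((v) => store.mayLoad(v));
}

// Stand-alone demonstration.
const store = createConsentStore();
const all = Object.keys(VENDOR_PURPOSE);
console.log("before any choice:", gateScripts(store, all)); // [ 'session-cookie' ]
store.grant(["analytics"]);
console.log("analytics granted:", gateScripts(store, all)); // [ 'session-cookie', 'analytics-tag' ]
store.withdraw(["analytics"]);
console.log("after withdrawal:", gateScripts(store, all)); // [ 'session-cookie' ]
```

The two design choices worth copying are the fail-closed defaults (an absent decision and an unmapped vendor both mean "do not load") and the symmetry between grant and withdraw, which is what makes withdrawal "as easy as giving consent" in practice.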


3. Ensure electronic marketing compliance

Before engaging in electronic marketing (SMS, email, other digital communications), companies should identify and document the legal basis: a legitimate interest assessment where legitimate interest is relied upon, or clear, affirmative consent. Bear in mind that the ePrivacy rules generally require prior consent for unsolicited electronic marketing to individuals, with a limited exception for existing customers.

Unsolicited marketing without a proper legal basis can attract enforcement action.

4. Protect sensitive data 

If recent fines in the region are anything to go by, Nordic DPAs operate a zero-tolerance policy towards the mishandling of sensitive data (e.g., health, ethnicity, political opinions, biometric data). 

Businesses must implement strict safeguards when processing sensitive personal data.

5. Adopt adequate protection mechanisms for cross-border data transfers

Transfer tools such as Standard Contractual Clauses (SCCs), supported by a transfer impact assessment and supplementary technical and organizational measures (TOMs) where the destination's law undermines the SCCs' protections, are crucial for international data transfers in light of the Schrems II decision. Conduct due diligence on data transfer destinations.

6. Verify cookie consent requirements

Aligning cookie and consent practices with the ePrivacy Directive and national laws must be a priority. In doubt, check out trustworthy resources or talk to experts for guidance.

Next steps: How Didomi can help with your compliance in the Nordic region

For businesses, the surge of regulatory activity in the region presents both challenges and opportunities. With stricter enforcement of cookie consent requirements (as seen in Norway's restrictions on cookie walls) and heightened scrutiny of AI governance and accountability, the need for proactive compliance strategies is evident.

The uncertainty surrounding cross-border data transfers and the Nordic DPAs’ strict stance on legitimate interest assessments (LIAs) and electronic marketing compliance necessitate robust data protection measures.

At Didomi, we help businesses implement privacy-first solutions to ensure compliance with global regulations like the GDPR, starting with our Consent Management Platforms (CMP). Our team is actively working with businesses across the Nordics to address compliance concerns, all while maintaining trust with customers.

If you're looking to strengthen your compliance framework in the Nordic region, book a call with one of our experts today and see how our solutions can support your needs:


The author
Peter Oladimeji
Freelance writer
Content writer and copywriter for Legal tech, IT Compliance, MarTech, and Digital Transformation.