IMY’s supervisory and guidance priorities for 2025
This post concerns the Swedish Data Protection Authority (IMY)’s priorities for 2025. For the latest position, please refer to our newer post on IMY’s priority supervisory areas for 2026.
The Data Protection Agency has set out its supervision and guidance priorities for 2025. It highlights the areas that will be examined more closely and where guidance will be strengthened. For organisations acting as data controllers or data processors under the General Data Protection Regulation (GDPR), this is an important opportunity to strengthen compliance.
Below is a summary of the priority areas and what they mean for organisations that process personal data.
Processing of personal data in working life
Processing employees’ personal data remains a focus area. The Agency points to the imbalance between employer and employee as the reason for particular scrutiny of working life, including:
- Monitoring of employees using new technologies, engaging workplace privacy considerations.
- Location data and workplace camera surveillance.
- Background checks and the processing of data about criminal offences.
Such checks often entail significant privacy risks. This focus is linked to the external environment, hybrid working, and the monitoring opportunities that have arisen through the use of new, inexpensive technologies.
AI and the processing of personal data
AI is embedded in an increasing number of public and private services. The Agency signals that the use of personal data by AI systems will be scrutinised, particularly in sensitive environments such as health and social care. Key questions include:
- How AI systems are trained on personal data, including the management of ai training data and special categories of personal data.
- Which legal basis is used, reflecting data controller obligations and data processor obligations.
- How transparency and data subject rights are safeguarded, ensuring transparency in AI systems.
The Agency will continue to offer support through its regulatory sandbox, while emphasising that supervision of AI will intensify during 2025.
Digitalisation in health and social care
The Swedish National Audit Office (Riksrevisionen) has identified shortcomings in information security within regions and municipalities. The Agency concurs and is making data protection in healthcare a specific supervisory priority. The risks concern:
- Patient safety.
- Trust in healthcare.
- Protection of sensitive data, including special categories of personal data.
According to the Agency, governance structures and security routines need to be strengthened. It will follow up during the current year.
Camera surveillance and new legislation
A new camera surveillance law will enter into force in spring 2025. Permit requirements will cease, shifting responsibility to the surveillance operator. This includes:
- A documented balancing test is required.
- A record of all surveillance must be maintained.
- The balancing test must be demonstrable during supervision.
The Agency will both provide guidance and conduct supervision in this area.
Children’s and young people’s privacy
Children benefit from particular protection under the GDPR, and the Agency sees a need to increase knowledge among children, guardians and service providers. Focus areas include:
- Algorithmically curated content on platforms.
- Risks associated with image sharing and communication.
- Adults’ contact-seeking, for example recruitment for criminal activity.
The Agency will provide enhanced guidance for children, young people and their guardians and continue to press for greater responsibility from digital service providers.
How a data controller should act
If you are responsible for processing personal data in any of the priority areas, you should:
- Review your privacy protection processes, especially in relation to AI, monitoring and sensitive data, supported by a privacy risk assessment.
- Ensure legal bases are documented and communicated, evidencing the GDPR accountability principle.
- Assess how camera surveillance is managed, including workplace camera surveillance.
- Update internal documentation and training, particularly within HR and in the use of AI, aligned with your data controller obligations and data processor obligations.
Morling Consulting provides practical GDPR support
At Morling Consulting, our GDPR specialists help companies across Europe interpret and operationalise the requirements of the GDPR in practice. We can support you to:
- Conduct GDPR gap analysis aligned to the Agency’s supervisory focus, including a gdpr readiness assessment.
- Update your documentation for 2025.
- Assess legal bases, consent and risks, including a privacy risk assessment.
- Prepare for potential supervision or audit, grounded in gdpr gap analysis and the GDPR accountability principle.
We welcome a discussion on how we can help you with GDPR.
