What is covered
One live article and one unwired draft module on IMY (Integritetsskyddsmyndigheten) enforcement.
Live article
enforcement/imy-fines-2023-2024
KB/src/kb/index.ts:347–384. Short overview: IMY’s enforcement uptick since 2022, direct-marketing scrutiny under LI, recurring failure modes (no LIA, incomplete Art. 13/14 notices, slow erasure response, deficient processor agreements, cookie consent). Cites IMY enforcement decisions database.
Unwired draft
enforcement/imy-decisions.ts
KB/src/kb/enforcement/imy-decisions.ts (~130 lines, 7 sections). The most detailed IMY content in KB/:
- Structure and powers — IMY established 25 May 2018 succeeding Datainspektionen; Art. 58 investigative + corrective powers; ~100–120 staff; Art. 60 one-stop-shop in English.
- Decisions timeline 2019–2025 — Google SEK 75M (2020), Klarna SEK 7.5M (2022), IVO SEK 12M + Region Stockholm SEK 4M (2021 healthcare analytics case), Polismyndigheten SEK 6.3M (2021), SVT SEK 1.3M (2022), two recruitment companies SEK 2.1M + 3.4M (2024), and the 2023 sector investigation into data brokers (the directly relevant precedent for DBPOC).
- 2025 written LIA requirement — IMY guidance formalising what an adequate LIA must contain. Per-activity LIAs expected; a single general LIA is insufficient.
- Investigation procedure — begäran om yttrande (request for statement, typically 30-day response), assessment phase, remiss (consultation draft), final decision, appeal to Förvaltningsrätten within 3 weeks.
- Current priorities (2024–25) — AI/automated decision-making, cookies, data brokers, DPAs under Art. 28, Schrems II Transfer Impact Assessments, breach response.
- How to respond to an inquiry — eight-point playbook, headline rules: engage counsel, request extension early, lead with strongest compliance evidence, never delete records after receipt of inquiry.
- Fine quantum table — Swedish fines historically lower than peer DPAs; <€10M turnover companies see SEK 1–5M for first violations; >€100M turnover sees SEK 5–75M.
Broken import ("../../types").
Why this matters for DBPOC
The 2023 sector investigation and 2025 written-LIA requirement are direct regulatory pressure on the exact processing model DBPOC implements. The Bisnode precedent (referenced throughout — see Bisnode case) is the controlling enforcement example.
See also
KB Content Index, KB B2B Enrichment, KB GDPR Articles, Bisnode case, GDPR Legitimate Interest.