How do I comply with GDPR in Sweden — IMY’s specific guidance?

IMY (Integritetsskyddsmyndigheten, Swedish DPA) is one of the EU’s most enforcement-active regulators — multi-million-SEK fines for cookie violations, broken DSARs, and over-retention are routine. Sweden adds two layers on top of GDPR:

1. Marknadsföringslagen (Marketing Act) + ePrivacy — opt-in consent for marketing cookies, pre-checked boxes are illegal, “continued use = consent” banners are illegal.
2. Bokföringslagen (Accounting Act) — receipts and invoices must be retained seven years, in immutable digital form.

We ship a Cookiebot / Klaro / Usercentrics setup wired to Google Tag Manager + Magento’s native cookie API, with the banner copy reviewed against IMY’s published guidance. DSAR + DPO automation built into the customer-account flow.