Whistleblower law in Sweden #
Sweden implemented Directive (EU) 2019/1937 through Lag (2021:890) om skydd för personer som rapporterar om missförhållanden, in force since 17 December 2021. Sweden combines the standard 50-worker trigger with a sectoral external-authority model and supervision of internal-channel obligations by the Swedish Work Environment Authority.
Applicable law #
- Lag (2021:890) om skydd för personer som rapporterar om missförhållanden — official Riksdag text
- Government English translation of the Act
Who must establish an internal channel #
Public and private organisations with at least 50 workers must establish internal reporting channels under the Swedish act.
External reporting authority #
Sweden does not rely on one universal whistleblowing authority. The Ordinance (2021:949) designates multiple competent external authorities depending on the sector. The Swedish Work Environment Authority also receives reports that an employer has failed to maintain internal channels and procedures.
Data protection authority #
For GDPR complaints relating to whistleblower data handling, the relevant authority is the Swedish Authority for Privacy Protection (IMY) .
Key compliance points #
- Swedish law is structurally clear but operationally decentralised, so country-specific legal content matters more than generic “EU-compliant” messaging.
- Employers should tell users which external authority is relevant for the kind of breach being reported, not just that an “external authority” exists.
- The Work Environment Authority is the clearest official supervisory body if the issue is the employer’s failure to operate a compliant internal channel.
Official sources #
- Lag (2021:890) — official Riksdag text
- Government — English translation of the Act
- Ordinance (2021:949) — designated competent authorities
- Swedish Work Environment Authority — contact and internal-channel supervision
- IMY — file a GDPR complaint
Deploy your reporting channel →
Last updated: