Sweden Democrats – Order (Sweden, 2025)

A data subject lodged a complaint with the Swedish Privacy Protection Authority (IMY) after receiving a text message from the Sweden Democrats , the controller, urging it to vote for the party in the 2024 European Parliament elections. IMY initiated an investigation. The data subject stated that they had not provided its personal data to the party and was unable to unsubscribe or contact the sender, as the sender’s details were hidden. The Sweden Democrats argued that they were not the controller, claiming an external company handled the mailing. They asserted that the legal basis for processing was legitimate interest to inform eligible voters ahead of the election. The controller determined the content, purpose, and recipient selection (based on postal codes with low party support) and relied on data obtained from public registers through third parties. IMY held that the Sweden Democrats were the data controller under Article 4(7) GDPR, as they determined the purpose and means of the processing, even though they did not have direct access to the personal data. IMY found no valid legal basis for the processing. To rely on legitimate interest as a legal basis under Article 6(1)(f) GDPR, three conditions must be met: a legitimate interest, necessity, and a balance of interests. While the controller’s interest in informing voters was considered legitimate, and the processing was deemed necessary for achieving that communication purpose, IMY held that the third condition, the balancing of interests, was not fulfilled. Sending unsolicited political text messages without prior consent was considered intrusive, and since the data subject had no prior relationship with the controller and had not provided their data, the processing fell outside reasonable expectations. IMY therefore concluded that the data subject’s rights and freedoms outweighed the controller’s legitimate interest, and the legitimate interest basis under Article 6(1)(f) GDPR was not satisfied. IMY also