Does the privacy policy have to be in Swedish?

What does the law say?

GDPR article 12.1 requires the information under articles 13 and 14 — in practice the privacy policy — to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. "Intelligible" is judged by the audience: the visitors must be able to take in the text, not the lawyer who wrote it.

To be honest: there is no provision that literally says a private actor's policy must be in Swedish. The requirement follows from the intelligibility and transparency principle. But the conclusion is hard to escape — if the website targets the Swedish public, a policy only in English is difficult to reconcile with article 12.1, because a significant part of the audience cannot make sense of it.

For public sector bodies the situation is simpler: under the Swedish Language Act (2009:600), section 10, the language of public authorities' activities is Swedish. There the requirement is direct — no interpretation needed. The same idea appears in marketing law, by the way: Swedish consumer marketing is expected to be in Swedish so the information actually reaches the consumer.

Who is covered?

What matters is who the website targets, not where the company is registered. A site with Swedish content, Swedish prices and a Swedish market addresses Swedish visitors — then the policy must be readable in Swedish. The requirement is not "Swedish always" but "the audience's language": a website genuinely aimed at an international, English-speaking audience is right to keep its policy in English.

Government agencies, municipalities and regions are always covered — for them the Language Act applies directly, regardless of what the website otherwise looks like. Other language versions are welcome as a complement, but the Swedish one is the baseline.

Common cases we see

• A Swedish website with a purchased English template policy — the whole site is in Swedish, but the policy came from a generator and was never translated.
• Only the cookie banner is translated: the visitor sees Swedish all the way up to the click on "Privacy policy" — then everything is in English.
• Mixed language — half the policy is Swedish, half English, often after an update where new paragraphs were pasted in untranslated.

How CompliantHQ tests this

The scanner verifies that a website targeting a Swedish audience has its privacy policy in Swedish. If the policy only exists in another language, we flag it — with reference to the intelligibility requirement in article 12.1, and for public authorities also to the Language Act.

It is a deterministic document check: we determine which language the policy is actually written in, not how well it is worded. The check is included in the free trial — you see right away whether your website passes it.

How to fix it

• Translate the policy into Swedish — and take the opportunity to check that it reflects your actual processing, not just the template it came from.
• By all means keep the English version in parallel if you have international visitors — the requirement is that the Swedish one exists, not that the English one disappears.
• Link correctly: the Swedish part of the website should link to the Swedish policy, not to the English one.
• Update both language versions at the same time when things change — otherwise you end up with mixed language or versions that say different things.
• Public sector body: Swedish is the baseline under the Language Act — other language versions are a complement, never a replacement.

Common questions

More deep dives

• Privacy policy contents
• The cookie policy
• Consent in forms
• The accessibility statement
• Right of withdrawal & the 2026 function
• Terms of purchase
• Encrypted forms
• The data protection officer
• Dental prices on the web
• Advertising trackers on healthcare sites