Back to the blog
IMY warning 9 min read

Did you get a warning from IMY? Here is how to handle it step by step

A letter from the Swedish data protection authority (IMY) in your inbox, or just the gut feeling that you are in the danger zone. Here is what actually happens, what you need to do now, and how to close the window before it gets expensive.

What an IMY warning actually is

The Swedish data protection authority (IMY) does not send automatic fines when you get something wrong. The process is staged: first an informal inquiry, then a formal review, then an injunction, and only after that an administrative fine. A "warning" can be any one of the first three steps.

If you have received a letter where IMY asks you to account for how you handle web analytics cookies or transfers to third countries, it is not a fine. It is a conversation that opens the process. How you respond over the coming weeks decides whether the case is closed or escalates.

The four IMY decisions you need to know about

In the summer of 2023, IMY published decisions against four Swedish companies (CDON, Coop, Dagens Industri, Tele2) that used Google Analytics. The conclusion in all of them: the transfer of personal data to the US via GA4 violates GDPR. Most warnings and injunctions sent out today refer back to those decisions.

This means that if you got a warning in 2026, the matter is already settled in case law. There is no "yes but we have a consent banner" or "we anonymize the IP address" answer that holds up. IMY has already looked at those objections and rejected them. Do not try to win on substance, focus on fixing the problem.

  1. Jul 2020
    Schrems II

    The Court of Justice of the EU invalidates Privacy Shield. The US becomes a third country without an adequate level of protection.

  2. 2022
    Italy, France, Austria

    Three EU data protection authorities ban GA4. Sets the precedent.

  3. Jul 2023
    IMY decision Sweden

    Four Swedish companies are found liable for GA4 use. Administrative fines between 0 and 12 million kr.

  4. 2024-2026
    Broader review

    IMY sends inquiries to more companies based on the same reasoning.

Step 1: The first 7 days

Acknowledge receipt

Respond to IMY within the deadline stated in the letter (usually 14 to 30 days). Do not ask for an extension to "have time to analyze". It signals that you are not on top of things, which makes the review go deeper.

Turn off or migrate GA4 immediately

You have two choices: turn off the GA4 tracker on the site right now, or migrate to an EU-based alternative. Leaving it running while the case is ongoing is the worst possible choice, it suggests a deliberate violation.

Spårlös takes 90 seconds to set up and runs in parallel with GA4 if you want continuity. You can switch off GA4 the next day and still have continuous analytics data.

Document what you have done, with dates

Create an internal document with dates, actions, responsible person. "2026-05-25: disabled the GA4 tracker on all domains, responsible: Anna Andersson, CTO." This becomes the evidence if IMY asks "when did you take action?".

Step 2: The first 30 days

Review ALL third-party transfers, not just GA4

Many companies only focus on GA4 after a warning and miss that the same reasoning hits other US-based services. Go through the list: Hotjar, Mixpanel, Facebook Pixel, Google Tag Manager, Google Maps, YouTube embeds, Stripe (if you have checkout data), HubSpot, Salesforce, Mailchimp. Everything that sends visitor data to the US is in the same boat.

Write a new privacy policy + cookie policy

Reflect the new reality: you no longer use GA4, you have switched to an EU-based web analytics provider that does not set cookies. The new policy should mention sub-processors explicitly and link to the provider's DPA.

Get a DPA under GDPR Art. 28

This is mandatory between you (the data controller) and your new provider (the processor). Many privacy-analytics providers offer a pre-filled DPA as a PDF, ready to send to legal. The Spårlös DPA can be downloaded directly at /en/dpa without registration.

Step 3: The first 90 days

Respond to IMY with a substantive action letter

When you respond to IMY, describe:

  • Which date GA4 was disabled.
  • Which EU-based provider replaced it.
  • That you have established a DPA under GDPR Art. 28 with the new provider.
  • That the privacy policy and cookie policy are updated.
  • That other third-party transfers have been reviewed and remediated.
  • That you have introduced an internal process for assessing new tool choices against a GDPR checklist.

A well-written action letter closes 90% of cases without further action. IMY's goal is not to punish, it is to achieve compliance. When they see that you have actually acted, they lose the reason to continue.

Set up an internal process for future tool assessments

Build a template that your team uses BEFORE you adopt a new SaaS tool: which jurisdiction is the provider in? Is there a DPA? Is data sent outside the EU? Is there a sub-processor list? It prevents the same situation from repeating in 18 months when someone in the marketing department wants to try a new ad tracker.

What it costs NOT to act

The administrative fines in the 2023 decisions ranged from 0 (Coop, for active cooperation) to 12 million kronor (Tele2). The size depended on the company's turnover and how cooperative they were during the investigation.

But the direct cost is not the worst part. Ending up in a published IMY investigation is a PR event. Dagens Industri reported extensively on named companies. Procurement officers at your customers will refer to it when they negotiate. Acting late is more expensive than acting early.

Why Spårlös as a replacement

We built Spårlös specifically for this gap. Not ad-tech that adds a consent banner, not a US tool with an "EU mode" toggle. EU-hosted architecture, a cookie-free tracker, a daily rotating visitor hash, a DPA that is generated automatically on signup.

Migration takes 90 seconds: swap the script tag, connect your site on our dashboard, done. You can run it in parallel with GA4 for a few days to verify that your data looks the same.

Take something concrete with you

Our DPA is pre-filled, references Swedish law and lists all sub-processors openly. Download it, email it to your DPO or IT manager, start the conversation with a document in hand.

What IMY does NOT do

  • They do not approve tools in advance. No tool is "IMY-approved".
  • They do not call you. All communication goes via letter or secure government mail. If someone calls and claims to be IMY it is a scam.
  • They do not give legal advice. They review whether you follow the law, not how you should do it. That is why we have put together this guide.
  • They do not send fines straight away. There is always an opportunity to put things right before an administrative fine is imposed.

Summary: your checklist

  • Acknowledge the IMY letter within the deadline, do not ask for an extension
  • Disable GA4 on all domains the same day
  • Migrate to EU-based analytics (Spårlös, Plausible EU, Matomo self-hosted)
  • Document actions with dates and responsible people
  • Review all US-based third-party services, not just GA4
  • Update the privacy policy and cookie policy
  • Get a DPA under GDPR Art. 28 with the new provider
  • Respond to IMY with a substantive action letter
  • Set up an internal process for future tool choices

This guide is written to help, not to scare. If you got an IMY warning it is not the end. It is a signal to close a chapter you should have closed long ago anyway. Act fast, document clearly, switch tools, move on.

Questions? We are not lawyers, but we have helped several Swedish companies through the migration. Email [email protected] and we will reply within 24 hours.

Get started free. No card required.

Set up Spårlös in parallel with GA4 so you can see that your data is consistent before you switch off Google.

Did you get a warning from IMY? Here is how to handle it step by step | Spårlös