The digitalisation of society has meant that processing of personal data has become a prerequisite – and an independent value – for the activities of companies, public authorities and other organisations. In parallel with this, requirements regarding protection of employees’ and customers’ privacy have increased significantly.
The EU has some of the world’s strictest rules on the processing of personal data, and they continue to develop through new legislation and case law. Lindahl has solid, extensive experience of data protection and closely follows legal developments in this field. We provide our clients with practical, concrete assistance in implementing data protection requirements in the client’s specific environment and operations, adapted to the client’s circumstances.
"High skills, strong competence within the organisation and lengthy experience within privacy law."
How we help your company
Lindahl has extensive experience of advising on data protection, acquired over a long period of time. We routinely advise companies on matters relating to data protection, including everything from personal data processing agreements and privacy policies to legal opinions. We assist as counsel in contact with the Swedish Privacy Protection Authority (Integritetsskyddsmyndigheten (IMY)) as well as in legal proceedings in court.
We offer advice on the transfer of personal data to third countries, from group-wide solutions to more extensive implementation measures such as the drafting of binding corporate rules.
We investigate and advise on complex issues relating to life science and medical research, on where the boundary lies between the GDPR and the Swedish Constitution in areas such as press freedom, and we carry out impact assessments on camera surveillance.
We conduct special due diligence on behalf of our clients on companies’ processing of personal data and other data that is sensitive in terms of privacy and we help ensure that processing takes place in accordance with applicable rules.
Our extensive knowledge, acquired over a long period of time, enables us to offer our clients a unique combination of business understanding and legal expertise in order to generate business value.
Frequently asked questions
Who is responsible for ensuring compliance with the General Data Protection Regulation (GDPR)?
As far as companies and other organisations are concerned, the personal data controller is responsible for ensuring compliance with the GDPR within the business. As a rule, the company itself is the personal data controller, but it may also be the case that another party actually determines the purposes and means of the personal data processing. It is also possible to engage a personal data processor, which processes the data on the personal data controller’s behalf and must provide sufficient guarantees that it will comply with the GDPR. A personal data processing agreement is required in such cases. Under certain circumstances, the personal data controller and the personal data processor must also appoint a data protection officer. The Swedish Privacy Protection Authority (IMY) is the public authority supervising compliance with the GDPR in Sweden.
What are the basic principles of data protection?
In order to process personal data, the personal data controller must have a legal basis under the GDPR. This is part of the principle of lawfulness, fairness and transparency, which means, among other things, that there must be transparency with regard to what data is processed and on what grounds. Personal data processed must also be accurate and kept up to date (principle of accuracy). A principle of purpose limitation also applies. This means that the person collecting and processing personal data must only do so for specific, expressly stated and legitimate purposes. The processing must not involve more personal data than is necessary for those purposes (principle of data minimisation). Personal data must be deleted when it is no longer required (principle of storage limitation). The person who is responsible for the personal data in accordance with the GDPR must also ensure that the personal data is protected from unauthorised access, loss or destruction (principle of integrity and confidentiality). Ultimately, the personal data controller needs to be able to demonstrate how compliance with the requirements of the GDPR is achieved (principle of accountability).
Can we transfer personal data to our subsidiary in the US?
Previously, transfers of personal data from the EU to recipients in the US could rely on the adequacy decision referred to as Privacy Shield. The so-called Schrems II judgment of the European Court of Justice in July 2020 invalidated that adequacy decision. The Court found that the EU Commission’s standard contractual clauses in force at that time could still serve as a legal basis for third-country transfers, but that the parties must assess the legal situation in the recipient country on a case-by-case basis and, where necessary, supplement the clauses with additional safeguards. In other words, the personal data must in practice enjoy a level of protection essentially equivalent to that applying within the EU/EEA. Following the Schrems II judgment, the European Commission adopted new standard contractual clauses in June 2021 to remedy the defects of the previous ones.
You can also read more about the Schrems II judgment in our article here (in Swedish).
Could we face any sanctions if we fail to comply with the requirements of the GDPR?
The Swedish Privacy Protection Authority (IMY) can issue warnings, reprimands, injunctions, restrictions, prohibitions and administrative fines against an operator that is in breach of the GDPR. In accordance with the GDPR, the sanctions must be effective, proportionate to the breach and dissuasive. Administrative fines can amount to up to EUR 20 million or 4 % of the group’s total worldwide annual turnover for the preceding financial year, whichever is higher. According to the established practice of the Swedish Privacy Protection Authority and supervisory authorities in other parts of Europe, the level of sanctions has been set relatively high, usually based on the annual turnover of the company on which the sanction is imposed. A person whose personal data has been improperly processed may also file a claim for damages against the company processing the personal data.
For how long may we store personal data?
Personal data may be stored for as long as is necessary with regard to the purposes of the processing. When such purposes no longer exist, the data must be deleted or anonymised. Please also note that other laws and regulations, such as rules on accounting obligations, may require a longer storage period for some data.
Do we need to inform visitors about the cookies on our website?
In accordance with the GDPR, the party that processes personal data has an obligation to inform the data subject that personal data is being collected, and this applies equally when the collection takes place by means of so-called cookies on a website. It is therefore advisable to investigate which cookies and “cookie-like technologies” are currently in use on the website, to analyse them from a data protection perspective and to provide information about them in the correct way. Cookies are also subject to regulations other than the GDPR, in Sweden primarily the Electronic Communications Act, which implements the EU ePrivacy Directive.
You can also read more about cookies in our article here (in Swedish).