Gernandt & Danielsson Advokatbyrå KB’s Privacy policy

We care about your personal privacy and protecting your personal data. This privacy policy describes the processing of personal data that we carry out in connection with client engagements, agreements with suppliers, consultants or other external parties, recruitment, communication, mailings and events, alumni contacts, and visits to our website and premises. The privacy policy describes your rights, explains what personal data is collected, for what purposes personal data is processed, what legal basis the processing rests on, how we protect your personal data, when deletion occurs, how any transfer to third countries or international organisations occurs, and how you can exercise your rights. The privacy policy also contains information on how to submit complaints if you are dissatisfied with our personal data processing.

Personal data controller

Gernandt & Danielsson Advokatbyrå KB (“Gernandt & Danielsson” or “we”), company registration number 969695-3703, Hamngatan 2, Box 5747, 114 87 Stockholm, is the controller for the processing of personal data, which means that Gernandt & Danielsson is responsible for how your personal data is collected, processed and deleted.

Gernandt & Danielsson processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection legislation.

Please note that Gernandt & Danielsson has no control over the content of third-party websites mentioned below.

 

1            Your rights

Under the GDPR, you have the right to control your personal data and the right to obtain information about how we process your data. Below you can read about your rights. Your rights apply to the extent provided by applicable data protection legislation and there may be exceptions to your rights. We may need more information to confirm your identity before we proceed with your request to exercise your rights.

If you have any questions, complaints or wish to exercise any of your rights, please contact us at GDPR@gda.se or by post to:

Gernandt & Danielsson Advokatbyrå KB

Att. GDPR, Box 5747, 114 87 Stockholm

+46 8 670 66 00

If you are dissatisfied with our processing, you may also contact the Swedish Authority for Privacy Protection or the supervisory authority in the country where you live or work. More information is available on the Swedish Authority for Privacy Protection’s website.

1.1         Can a request be denied?

When you exercise your rights, we may sometimes wholly or partially deny your request. As a law firm, we are required to comply with certain obligations such as professional secrecy and archiving, which follow from the Swedish Bar Association’s regulations and other applicable laws and rules. We may therefore be legally prevented from accommodating your rights (Article 23(1) GDPR and applicable legislation). We may also deny your request if the data is necessary to establish, exercise or defend legal claims (for example, Article 17(3)(e) GDPR).

If your request is manifestly unfounded or excessive (Article 12(5) GDPR), we have the right to refuse to comply with the request or charge a reasonable fee covering our administrative costs. An example of such a request is if you repeatedly request the same information.

More information about when requests can be denied is available on the Swedish Authority for Privacy Protection’s website.

1.2         How long does a rights request take?

We will respond to your request no later than one (1) month after we receive it. If necessary, the time may be extended by a further two (2) months, of which you will be notified. An extension may occur, for example, if the request is complicated or we receive many requests simultaneously.

More information about time limits is available on the Swedish Authority for Privacy Protection’s website.

1.3         Your right to withdraw consent (Article 7 GDPR)

If we process your personal data based on your consent, you may withdraw all or part of your consent at any time. You can withdraw your consent by contacting us, and we will then cease the processing to which the withdrawal relates. Please note that withdrawing your consent does not affect the lawfulness of processing based on consent before its withdrawal.

More information about consent is available on the Swedish Authority for Privacy Protection’s website.

1.4         Your right of access (Article 15 GDPR)

You have the right to request information from us about the use of personal data concerning you and to receive a copy of your personal data together with certain detailed information about how we process your personal data, a so-called register extract.

More information about the right of access is available on the Swedish Authority for Privacy Protection’s website.

1.5         Your right to rectification (Article 16 GDPR)

You have the right to request that we correct inaccurate, or supplement incomplete, personal data concerning you.

More information about the right to rectification is available on the Swedish Authority for Privacy Protection’s website.

1.6         Your right to erasure (Article 17 GDPR)

You have the right to request deletion of your personal data without undue delay. Following such a request, we will delete your personal data if:

  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • the processing is based on consent and you withdraw your consent for such processing;
  • you object to processing based on legitimate interest and your objection outweighs our or another party’s legitimate interest;
  • the personal data is being processed unlawfully; or
  • the personal data must be deleted for Gernandt & Danielsson to comply with one or more legal obligations.

If personal data is required for us to fulfil our legal obligations, you may not be able to have the data deleted. The same applies if we have an interest in continuing to process the personal data that outweighs your interest.

More information about the right to erasure is available on the Swedish Authority for Privacy Protection’s website.

1.7         Your right to restriction of processing (Article 18 GDPR)

You have the right to request restriction of processing of your personal data. Following such a request, we will restrict processing if:

  • you contest the accuracy of the personal data;
  • the processing is unlawful and you oppose erasure of the personal data and instead request restriction;
  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, but the data is necessary for you to establish, exercise or defend legal claims; or
  • you have objected to the balancing of interests on which the processing is based, pending verification of whether your interests outweigh our or another party’s legitimate interests to continue processing.

If processing of your personal data has been restricted, the data may only be used (in addition to being stored) if you consent to it, if processing is necessary for legal reasons, to protect the rights of another person, or for important reasons of public interest within the EU or in a Member State.

More information about the right to restriction of processing is available on the Swedish Authority for Privacy Protection’s website.

1.8         Your right to data portability (Article 20 GDPR)

If our processing of your personal data is based on your consent or the performance of a contract with you, you have the right to receive the personal data you have provided to us in an electronic format.

If technically possible, you can also have the personal data transferred to another controller. Please note that the right to data portability does not include personal data that we process manually.

More information about the right to data portability is available on the Swedish Authority for Privacy Protection’s website.

1.9         Your right to object (Article 21 GDPR)

You have the right to object to processing of your personal data when it is based on our or a third party’s legitimate interest. If you object, we must demonstrate our legitimate interests for the processing and that these outweigh your interests, rights and freedoms in order to continue with the processing.

More information about the right to object is available on the Swedish Authority for Privacy Protection’s website.

2            Client engagements

This section concerns clients or counterparties, employees of, representatives of or owners of clients, counterparties or target companies, and persons closely related to such persons. We process personal data obtained in connection with engagements and providing legal services, as well as in the preparation, administration and follow-up of engagements.

2.1         Personal data

Personal data processed in connection with engagements may include name, date of birth, personal identity number, telephone number, postal address, email address, passport details or other identification details, portrait photo, citizenship, tax information, whether the person is a politically exposed person, whether the person is a relative of a politically exposed person, whether the person is the beneficial owner of a legal entity, whether the person is a representative of a legal entity, invoicing information and correspondence.

The information provided may be supplemented with information obtained from public websites, public databases or paid databases in order to ensure that the personal data is correct.

We may in individual cases process special categories of personal data (so-called sensitive personal data), such as information about race, ethnic origin, political opinions, religious or philosophical beliefs, health, trade union membership, sexual orientation or individual information about criminal offences if it is relevant to the preparation or performance of the engagements.

2.2         Purpose

Personal data is processed to perform engagements and fulfil obligations. This includes case management, communication, booking meetings, time and fee reporting, invoicing and payment, as well as documentation and archiving after completion of engagements.

In connection with engagements, we are required to fulfil obligations under the Swedish Bar Association’s regulations and applicable legislation regarding anti-money laundering, market abuse, accounting, conflicts of interest and tax, and to take appropriate internal risk management and reporting measures. In connection therewith, personal data is processed to carry out conflict checks, obtain client due diligence and achieve other regulatory compliance.

As part of improving our operations, personal data is processed for statistical purposes.

Personal data may also be processed to defend us against legal claims.

2.3         Legal basis

The legal basis for processing personal data in connection with engagements is legitimate interest according to a balancing of interests (Article 6(1)(f) GDPR). We assess that the processing is necessary to conduct law firm operations and fulfil obligations, as well as related administration for the performance of engagements. We assess that these interests outweigh any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

The legal basis for personal data processed in order to comply with the Swedish Bar Association’s regulations is legitimate interest according to a balancing of interests (Article 6(1)(f) GDPR) and that the processing is necessary to fulfil a legal obligation (Article 6(1)(c) GDPR and Chapter 8, Section 4 of the Swedish Code of Judicial Procedure (1942:740)). We assess that the processing is necessary to comply with the Swedish Bar Association’s regulations and that these interests outweigh any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

The legal basis for personal data processed in order to comply with applicable legislation regarding anti-money laundering measures, market abuse, accounting and tax, as well as taking appropriate internal risk management and reporting measures, is legal obligation (Article 6(1)(c) GDPR).

To the extent that special categories of personal data are processed, this is done on the legal basis that the processing is necessary to establish, exercise or defend legal claims (Articles 6(1)(f) and 9(2)(f) GDPR) or consent (Articles 6(1)(a) and 9(2)(a) GDPR). If personal data is processed on the legal basis of consent, the processing will continue on that legal basis until consent is withdrawn. Under “Your rights” there is information on how to withdraw consent.

Special categories of personal data are also processed on the legal basis that the processing is necessary to fulfil obligations under labour law (Articles 6(1)(c) and 9(2)(b) GDPR).

Information about criminal offences is only processed on the legal basis of support in national law when checking conflicts of interest (Section 4 of the Swedish Authority for Privacy Protection’s Regulations (2024:1) on the Processing of Personal Data Relating to Criminal Offences) and when it is necessary for legal claims to be established, exercised or defended, or to fulfil a legal obligation under law or regulation (Section 5 of the Swedish Regulation (2018:219) Containing Supplementary Provisions to the GDPR).

2.4         Retention period

After completion of the engagement, we retain personal data in accordance with the retention periods specified below.

If personal data has been processed to fulfil obligations under the Swedish Bar Association’s regulations, it will be retained for at least ten (10) years or for the longer period required by the nature of the client relationship or engagement.

If personal data has been processed due to a legal obligation under anti-money laundering legislation, it will be retained for five (5) to ten (10) years, depending on whether it is deemed necessary to detect or prevent money laundering or terrorist financing.

If personal data has been processed due to a legal obligation under market abuse legislation, it will be retained for five (5) years.

If personal data has been processed due to a legal obligation under the Swedish Accounting Act (1999:1078), it will be retained for seven (7) years after the last event subject to accounting.

Data may also be retained for a longer period if necessary for the client relationship, other legitimate interests or in accordance with the rules applicable to law firms at any given time.

2.5         Sharing of your personal data

We mainly share personal data with our IT suppliers within the EU/EEA.

3            Suppliers, consultants or other external parties

This section concerns suppliers, consultants or other external parties, as well as persons who are employed by or otherwise related to such persons.

We receive and process personal data relating to employees and contractors of suppliers, consultants or other external parties in connection with business relationships between us and these parties.

3.1         Personal data

Personal data that may be processed in connection with entering into agreements with suppliers, consultants or other external parties includes name, date of birth, personal identity number, telephone number, postal address, email address, passport details or other identification details, portrait photo, citizenship, tax information, invoicing information and correspondence. In some cases, individual details may be included such as whether the person is a politically exposed person, a relative of a politically exposed person, or a beneficial owner or representative of a legal entity.

The information provided may be supplemented with information obtained from public websites, public databases or paid databases in order to ensure that the personal data is correct.

3.2         Purpose

Personal data is processed to evaluate agreements and fulfil obligations under such agreements, as well as to administer invoicing and payments related thereto.

In connection with the review and administration of agreements with suppliers, consultants or other external parties, we are required to comply with obligations under the Swedish Bar Association’s regulations and applicable legislation regarding anti-money laundering, market abuse, accounting and tax, and to take appropriate internal risk management and reporting measures. In connection therewith, personal data is processed to carry out conflict checks, obtain client due diligence and achieve other regulatory compliance.

Personal data may also be processed to defend us against legal claims.

3.3         Legal basis

The legal basis for processing personal data in connection with entering into and performing agreements with suppliers, consultants or other external parties is that the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR) or legitimate interest according to a balancing of interests (Article 6(1)(f) GDPR). We consider that the processing is necessary to review and evaluate agreements, perform and administer invoicing and payments related thereto. We consider that these interests outweigh any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

The legal basis for processing personal data for the purpose of complying with the Swedish Bar Association’s regulations is legitimate interest according to a balancing of interests (Article 6(1)(f) GDPR) and that the processing is necessary to fulfil a legal obligation (Article 6(1)(c) GDPR and Chapter 8, Section 4 of the Swedish Code of Judicial Procedure (1942:740)). We assess that the processing is necessary to comply with the Swedish Bar Association’s regulations. We consider that these interests outweigh any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

The legal basis for processing personal data for the purpose of complying with applicable legislation regarding, for example, market abuse, accounting and tax, and taking appropriate internal risk management and reporting measures is legal obligation (Article 6(1)(c) GDPR).

The legal basis for processing personal data for the purpose of defending us against legal claims is that the processing is necessary for the performance of a contract (Article 6(1)(b) GDPR) and legitimate interest according to a balancing of interests (Article 6(1)(f) GDPR). We consider that these interests outweigh any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

3.4         Retention period

We do not retain personal data longer than necessary with regard to the purpose of the processing. This means that deletion or de-identification is performed when the data is no longer relevant for the purpose for which it was collected.

Personal data is retained for the time required to fulfil obligations under agreements and to administer invoicing and payment, and also to the extent it fulfils a legitimate interest after a needs assessment. Otherwise, we retain personal data in accordance with the retention periods specified below.

If personal data has been processed to fulfil obligations under the Swedish Bar Association’s regulations, it will be retained for at least ten (10) years or for the longer period required by the nature of the client relationship or engagement.

If personal data has been processed due to a legal obligation under market abuse legislation, it will be retained for five (5) years.

If personal data has been processed due to a legal obligation under the Swedish Accounting Act (1999:1078), it will be retained for seven (7) years after the last event subject to accounting.

3.5         Sharing of your personal data

We mainly share personal data with our IT suppliers within the EU/EEA.

4            Recruitment

This section concerns participants in recruitment processes at Gernandt & Danielsson and includes personal data provided in application documents, communication via email and social media, as well as data from interviews, recruitment agencies, checks and references, tests or other evaluations.

4.1         Personal data

Personal data processed in connection with recruitment includes name, date of birth, personal identity number, telephone number, postal address, email address, passport details or other identification details, citizenship, company involvement, finances, CV, portrait photo, educational qualifications, work references, employment certificates, references and correspondence.

The information provided may be supplemented with information obtained from public websites, public databases or paid databases in order to ensure that the personal data is correct.

In certain cases, we may process special categories of personal data (so-called sensitive personal data) if it is necessary to fulfil obligations under applicable labour law.

4.2         Purpose

We process personal data obtained in connection with recruitment to carry out the recruitment process and fulfil related obligations, including administration, communication, booking meetings, interviews, evaluation, checking for conflicts of interest and archiving. We may also, with your consent, save your details for future positions that may be suitable.

Certain processing during recruitment is necessary for us to fulfil legal obligations under the Swedish Bar Association’s regulations and applicable labour law.

Personal data may also be processed to defend us against legal claims.

4.3         Legal basis

The legal basis for processing personal data in connection with recruitment is legitimate interest according to a balancing of interests (Article 6(1)(f) GDPR). We consider that the processing is necessary to carry out recruitment processes and fulfil related obligations. We consider that these interests outweigh any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

The legal basis for processing personal data for the purpose of complying with the Swedish Bar Association’s regulations is legitimate interest according to a balancing of interests (Article 6(1)(f) GDPR) and that the processing is necessary to fulfil a legal obligation (Article 6(1)(c) GDPR and Chapter 8, Section 4 of the Swedish Code of Judicial Procedure (1942:740)). We assess that the processing is necessary to comply with the Swedish Bar Association’s regulations. We consider that these interests outweigh any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

The legal basis for processing personal data for the purpose of complying with applicable labour law is legal obligation (Article 6(1)(c) GDPR).

The legal basis for processing personal data when we save your details for future employment is consent (Article 6(1)(a) GDPR). If personal data is processed on the legal basis of consent, the processing will continue on that legal basis until consent is withdrawn. Under “Your rights” there is information on how to withdraw consent.

The legal basis for processing personal data for the purpose of defending us against legal claims is that the processing is necessary for the performance of a contract (Article 6(1)(b) GDPR) and legitimate interest according to a balancing of interests (Article 6(1)(f) GDPR). We consider that these interests outweigh any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

To the extent that special categories of personal data are processed, this is done on the legal basis that the processing is necessary for the performance of obligations under labour law (Articles 6(1)(c) and 9(2)(b) GDPR).

4.4         Retention period

We do not retain personal data longer than necessary with regard to the purpose of the processing. This means that deletion or de-identification is performed when the data is no longer relevant for the purpose for which it was collected.

Personal data is retained for as long as necessary to administer the recruitment process and fulfil related obligations. After completion of the recruitment process, we retain personal data in accordance with the retention periods specified below.

If personal data has been processed to fulfil obligations under the Swedish Bar Association’s regulations, it will be retained for at least ten (10) years after completion of the recruitment process.

If personal data has been processed due to a legal obligation under labour law, it will be retained for two (2) years after the recruitment process ends. Data may be retained for a longer period if necessary for claims under discrimination law and related proceedings.

If personal data has been processed for possible future employment based on consent, the data is processed for this purpose until consent is withdrawn. Under “Your rights” there is information on how to withdraw consent.

4.5         Sharing of your personal data

We mainly share personal data with our IT suppliers within the EU/EEA.

5            Communication with us

We process personal data that you voluntarily provide, for example when you communicate with us via email or other communication channels.

5.1         Personal data

Data processed when you communicate with us includes name, postal address, email address, telephone number, title, employer, and the business relationship that we have with you. The type of personal data varies depending on the communication channel you use.

5.2         Purpose

Personal data is processed to communicate with you via the means of communication you have chosen.

5.3         Legal basis

The legal basis for processing personal data in connection with communication with us is legitimate interest according to a balancing of interests (Article 6(1)(f) GDPR). We consider that the processing is necessary to enable communication and that this interest outweighs any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

5.4         Retention period

We do not retain personal data longer than necessary with regard to the purpose of the processing. This means that deletion or de-identification is performed when the data is no longer relevant for the purpose for which it was collected.

If personal data processed in communication with clients has been processed to fulfil obligations under the Swedish Bar Association’s regulations, it will be retained for at least ten (10) years from completion of the engagement, or for the longer period required by the nature of the client relationship or engagement.

Data may also be retained for a longer period if necessary for the client relationship.

5.5         Sharing of your personal data

We mainly share personal data with our IT suppliers within the EU/EEA.

6            Mailings and events

We process personal data that you or your employer provide when you request marketing material, newsletters or similar, and when you participate in events, seminars and courses.

6.1         Personal data

Personal data processed in connection with mailings and events includes name, telephone number, postal address, email address, CV, portrait photo, audio and video recordings, preferences regarding mailings, preferences regarding food and drink, and correspondence.

In connection with our events, special categories of personal data (so-called sensitive personal data) may be processed if relevant to the event (for example, allergies).

6.2         Purpose

Personal data is processed to send various types of mailings and to organise events, seminars and courses, and administer participation, including communication, contact registers, participant lists, documentation, booking meetings, marketing, providing food and drink, and also to fulfil obligations under applicable legislation regarding accounting and marketing.

We may also, with your consent, save your details for future employment opportunities that may be suitable.

As part of improving our operations, personal data is processed for statistical purposes.

Personal data may also be processed to defend us against legal claims.

6.3         Legal basis

The legal basis for processing personal data in connection with mailings and events is legitimate interest according to a balancing of interests (Article 6(1)(f) GDPR). We consider that the processing is necessary to enable mailings and to plan and organise events, and that this interest outweighs any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

The legal basis for processing personal data for the purpose of complying with applicable accounting and marketing legislation is legal obligation (Article 6(1)(c) GDPR).

The legal basis for processing personal data when we retain your details for possible future employment is consent (Article 6(1)(a) GDPR). Under “Your rights” there is information on how to withdraw consent.

The legal basis for processing personal data for the purpose of defending us against legal claims is legitimate interest according to a balancing of interests (Article 6(1)(f) GDPR). We consider that these interests outweigh any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

To the extent that special categories of personal data relating to health are processed, this is done on the legal basis of consent (Articles 6(1)(a) and 9(2)(a) GDPR). If personal data is processed on the legal basis of consent, the processing will continue on that legal basis until consent is withdrawn. Under “Your rights” there is information on how to withdraw consent.

6.4         Retention period

We do not retain personal data longer than necessary with regard to the purpose of the processing. This means that deletion or de-identification is performed when the data is no longer relevant for the purpose for which it was collected.

If personal data has been processed due to a legal obligation under the Swedish Accounting Act (1999:1078), it will be retained for seven (7) years after the last event subject to accounting.

If personal data has been processed based on consent, the data is processed for this purpose until consent is withdrawn. Under “Your rights” there is information on how to withdraw consent.

6.5         Sharing of your personal data

We mainly share personal data with our IT suppliers within the EU/EEA.

7            Alumni group

This section concerns members of the alumni group.

7.1         Personal Data

Personal data processed in connection with alumni group membership includes name, telephone number, email address, information about previous employment with us, CV, audio and video recordings, preferences regarding mailings, food and drink preferences, and correspondence.

The information provided may be supplemented with information obtained from public websites and social media.

During our events, special categories of personal data (so-called sensitive personal data) may be processed if relevant to the event (for example, allergies).

7.2         Purpose

Personal data is processed to communicate with alumni group members, administer membership and organise events, as well as to fulfil obligations under applicable accounting and marketing legislation, including communication, contact registers, participant lists, documentation, booking meetings, marketing and providing, for example, food and drink.

7.3         Legal basis

The legal basis for processing personal data for alumni group members who receive mailings and invitations is consent (Article 6(1)(a) GDPR). You can leave the alumni group at any time by contacting us. If personal data is processed based on consent, the processing will continue until consent is withdrawn. Under “Your rights” there is information on how to withdraw consent.

The legal basis for processing personal data in connection with ongoing alumni group membership is legitimate interest (Article 6(1)(f) GDPR). We assess that the processing is necessary to enable communication and to plan and organise events for the alumni group, and that this interest outweighs any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

The legal basis for processing personal data for the purpose of complying with applicable accounting and marketing legislation is legal obligation (Article 6(1)(c) GDPR).

To the extent that special categories of personal data, such as allergies, are processed, this is done based on consent (Articles 6(1)(a) and 9(2)(a) GDPR). If personal data is processed based on consent, the processing will continue until consent is withdrawn. Under “Your rights” there is information on how to withdraw consent.

7.4         Retention period

We do not retain personal data longer than necessary with regard to the purpose of the processing. This means that deletion or de-identification is performed when the data is no longer relevant for the purpose for which it was collected.

If personal data has been processed based on consent to alumni group membership, the data is processed for this purpose until consent is withdrawn. Under “Your rights” there is information on how to withdraw consent.

If personal data has been processed due to a legal obligation under the Swedish Accounting Act (1999:1078), it will be retained for seven (7) years after the last event subject to accounting.

7.5         Sharing of your personal data

We mainly share personal data with our IT suppliers within the EU/EEA.

8            Cookies

This section concerns visitors to our website. Our website collects personal data using cookies during your visit. More information is available in our Cookie Policy and on the Swedish Post and Telecom Authority’s website.

8.1         Personal data

Information created by cookies set when you visit our website consists of data such as anonymised IP address, length of visit, number of page views, choices made and how you found www.gda.se. More information is available in our Cookie Policy.

8.2         Purpose

The purpose of the processing is to facilitate and optimise the use of the website and to produce statistics for evaluating the website’s content, structure, navigation, etc.

8.3         Legal basis

The legal basis for processing personal data when you visit our website is legitimate interest (Article 6(1)(f) GDPR). We consider that the processing is necessary to provide a well-functioning website, which is an important part of our operations and how we convey information, and that these interests outweigh any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

8.4         Retention period

We do not retain personal data longer than necessary with regard to the purpose of the processing. This means that deletion or de-identification is performed when the data is no longer relevant for the purpose for which it was collected.

How long certain information is retained varies depending on which cookie is used. Specific retention periods are available in our Cookie Policy and in the cookie banner on www.gda.se.

8.5         Sharing of your personal data

We mainly share personal data with our IT suppliers within the EU/EEA and cookie providers in accordance with our Cookie Policy.

9            Visits and camera surveillance

This section concerns visitors to our premises. If you do not want personal data obtained through surveillance cameras to be processed, we may be prevented from granting you access to our premises.

9.1         Personal data

To the extent a person in the recording is identifiable, the recording constitutes personal data in the form of recording and image capture. The recorded material may contain information about criminal offences.

9.2         Purpose

Personal data is processed to prevent and investigate crimes, identify and manage risks, increase security for employees and visitors, ensure client confidentiality and protect our property. The processing includes camera surveillance with recording and image capture. Cameras are activated only during entry or exit.

9.3         Legal basis

The legal basis for processing personal data in connection with visits to our premises is legitimate interest according to a balancing of interests (Article 6(1)(f) GDPR). We consider that camera surveillance and personal data processing are necessary to prevent and investigate crimes, identify and manage risks, increase security for employees and visitors, ensure client confidentiality and protect our property, and that this interest outweighs any conflicting interests, such as your right not to have your data processed for this purpose and other rights and freedoms. Under “Your rights” there is information on how to object to this assessment.

To the extent personal data concerning criminal offences are processed, the legal basis is that processing is necessary for legal claims to be established, exercised or defended (Articles 6(1)(f) and 9(2)(f) GDPR and Section 5 of the Swedish Regulation (2018:219) Containing Supplementary Provisions to the GDPR).

9.4         Retention period

The main rule is that recorded material is retained for three (3) days after the recording occurred, after which the material is automatically deleted.

When certain material is required to take legal action against a person who has been recorded, for example when filing a police report, the material is retained as long as necessary to take these actions and then deleted.

10          Who has access to my data?

Employees at Gernandt & Danielsson who need access to your personal data to fulfil the purposes listed above have access to the data.

Personal data will not be disclosed to third parties except when:

  • specifically agreed between us and you;
  • necessary for a specific engagement to safeguard your rights;
  • necessary to fulfil statutory obligations, comply with the Swedish Bar Association’s regulations and ethical requirements, comply with authority decisions or court decisions, and what is required under applicable law;
  • external service providers are engaged to perform individual or ongoing assignments and services on our behalf (such as IT services and administrative services) and your personal data is required for the performance of the service; or
  • data is disclosed to courts, authorities, counterparties or counterparty counsel if necessary to safeguard your rights.

In cases where we may disclose data to third parties who are independent controllers, such as banks, debt collection companies, insurance companies, the Swedish Tax Agency, the Swedish Police Authority, the Swedish Enforcement Authority or other authorities, that company’s or authority’s privacy policy applies to the processing of personal data.

In cases where we may disclose data to other companies that process personal data on our behalf (so-called processors), they may not use the personal data for their own purposes.

11          Transfer of personal data to third countries

As a main rule, personal data will not be transferred to countries outside the EU/EEA.

If a transfer to a country outside the EU/EEA or to an international organisation is to be made, the transfer will take place in accordance with applicable data protection legislation. The country in question must have an adequate level of protection or another appropriate safeguard ensuring the transfer occurs in accordance with applicable legislation, for example through use of the EU Commission’s standard contractual clauses together with other security measures that may be relevant in the individual case. Information about countries with adequate levels of protection is published on the EU Commission’s website and in Swedish on the Swedish Authority for Privacy Protection’s website. You have the right to obtain a copy of any safeguards taken by contacting us via the information provided under “Contact information”.

12          Technical and organisational security measures

It is important for us that personal data is protected. Therefore, we take appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration or destruction.

Our measures are continuously updated to ensure that our organisation and systems are secure and protected.

If we engage an external supplier to support our operations, data processing agreements, confidentiality agreements and other relevant regulatory agreements are signed by the supplier before the service is used.

13          Changes to the privacy policy

This privacy policy may, from time to time, be changed or updated.

The latest version will always be published on our website. Please visit our website for any changes made.

This privacy policy was published by Gernandt & Danielsson on 1 April 2026.

14          Contact information

For questions, complaints or to exercise any of your rights, please contact us at GDPR@gda.se or by post to:

Gernandt & Danielsson Advokatbyrå KB

Att. GDPR, Box 5747, 114 87 Stockholm

+46 8 670 66 00

If you are dissatisfied with our processing of your personal data, you may also contact the Swedish Authority for Privacy Protection or the supervisory authority in the country where you live or work. More information is available on the Swedish Authority for Privacy Protection’s website.

This is an English translation of the privacy policy. If and to the extent the English translation does not correspond to the Swedish version, the Swedish-language version shall apply.