1 Information about the processing of your personal data
1.1 Gernandt & Danielsson Advokatbyrå KB, registration number 969695-3703, (“Gernandt & Danielsson”) is the controller of personal data in respect of the processing of your personal data that takes place. This means that Gernandt & Danielsson is responsible for the manner in which your personal data is collected, processed and erased once the purpose of the processing has ceased.
1.2 Your privacy is important to us at Gernandt & Danielsson and we are committed to protect your personal data. Therefore, Gernandt & Danielsson processes your personal data in accordance with the General Data Processing Regulation (EU) 2016/679 (“GDPR”) and other legislation governing the protection of your privacy.
1.3 “Personal data” means all information, which can be used, directly or indirectly, to identify a living physical person.
1.5 The Policy also describes which personal data is collected, the purposes for which personal data is collected, the legal basis for the processing, the manner in which Gernandt & Danielsson protects your personal data, when elimination/erasure takes place, the manner in which any transfer to a third country or international organisation takes place and, if so, which security measures are taken, and how you are able to protect your rights. In addition, information is provided as to how you can complain if you are dissatisfied with Gernandt & Danielsson’s processing of personal data.
2 Personal data that is processed
2.1 Gernandt & Danielsson processes personal data that we receive in connection with performance of legal services/engagements or which is otherwise processed when preparing or administering the engagement. The personal data, which may then be relevant, includes, for example, name, personal ID number, title, contact details, invoicing details and other business-related information provided to us by a client, a client’s representative or counterparty.
2.2 Within the scope of Gernandt & Danielsson’s business, occasional processing may take place of special categories of personal data (so-called sensitive personal data) and regarding violations of law if relevant for performance of the service/engagement. Occasional sensitive personal data concerning race, ethnic origin, political views, religious or philosophical convictions, health, union membership or sexual orientation may be processed if relevant for performance of the engagement. Information regarding violations of law, which we may process, involve information concerning bans on trading, money laundering or other criminality, which is relevant to the performance of the engagement.
2.3 Gernandt & Danielsson also receives and processes personal data concerning employees and clients of suppliers in connection with the business relationship between Gernandt & Danielsson and your employer or client or which you provide to us within the context of the business relationship. The personal data, which may then be collected, may include, for example, names, telephone numbers and email addresses.
2.4 Gernandt & Danielsson processes personal data that you provide to us voluntarily, for example when you communicate with us by email or other means of communication, ask us to send you newsletters or suchlike, or when you register for an event/course. The data, which we then process, includes your name, regular postal address, email address, telephone number, title and employer, or your business relationship with us. If you are a member of our alumni group, we also process certain information about previous employment with us and, in certain cases, your private telephone number, residential address and email address.
2.5 Gernandt & Danielsson also processes personal data in connection with applications for employment. In connection with your application, we receive information about, for example, your name, personal ID number, address, telephone number, email address, possible photograph, education, educational grades and employers, professional experience and other information that you provide in the application.
2.6 The information that you provide may be supplemented with data that we obtain from public websites, public databases or payment databases such as the Swedish Companies Registration Office, InfoTorg, UC, SPAR, with the aim of ensuring that the personal data is correct.
2.7 Gernandt & Danielsson processes personal data in conjunction with camera surveillance of the office's entrance doors and emergency exits. The camera surveillance involves recording video footage. The cameras are activated only in connection with entry and exit.
2.8 Your provision of personal data is not a statutory requirement but is necessary in order for you to enter into an agreement with us as a client and to enable us to perform necessary checks regarding conflicts of interest and money laundering. If you do not provide your personal data, we do not have the possibility to perform the agreement with you or to perform our obligations in relation to you. We will also not be able to invite you to events, courses, send newsletters, etc.
3 Purpose and legal basis for the processing of your personal data
3.1 Gernandt & Danielsson processes your personal data only if there is an established purpose and a legal basis for the processing.
3.2 Gernandt & Danielsson processes personal data in order to perform the agreement with you. This involves preparing, performing and administering an engagement, performing mandatory checks regarding conflicts of interest and money laundering, for the protection of your interests and for accounting and invoicing purposes. The processing is thus based on our obligation to perform the agreement with our client as well as Gernandt & Danielsson’s legitimate interest in being able to deliver legal services.
3.3 The processing of data also takes place for the performance of legal obligations incumbent on Gernandt & Danielsson pursuant to judicial or public authority decisions or pursuant to statute or ordinances, for example the Money Laundering and Financing of Terrorism (Prevention) Act (2017:630) or the Accounting Act (1999:1078).
3.4 Processing of data also takes place to perform the obligations incumbent on Gernandt & Danielsson in accordance with the statutes and rules of the Swedish Bar Association.
3.5 In those cases where occasional processing is carried out of special categories of personal data (so-called sensitive personal data) or regarding violations of law, this takes place since it is necessary to establish, assert, or defend a legal claim.
3.6 Personal ID numbers, which in a GDPR context are deemed particularly worthy of protection, are processed pursuant to consent, agreement or where clearly justified based on the purpose and importance of a secure identification.
3.7 Personal data belonging to contact persons at a legal person with whom Gernandt & Danielsson has a business relationship is processed pursuant to the agreement with the client, the supplier or the service provider, for the purpose of invoicing, payment and administration of the contractual relationship, handling deliveries and communication. As the contact person of a client or supplier, you cannot expect other than that such processing of your personal data will take place and Gernandt & Danielsson has a legitimate interest in being able to administer agreements and perform our obligations to our clients and suppliers. Where applicable, Gernandt & Danielsson also processes your data as an employee or service provider of a supplier for accounting purposes, e.g. invoicing or payment for services or products, in order to perform legal obligations pursuant, e.g. to the Accounting Act (1999:1078).
3.8 Data may also be used for business and methods development, market analysis, statistics and risk management. The data, which is processed in this respect, will be processed based on our legitimate interest in developing the business and managing any risks.
3.9 The personal data processed in conjunction with the camera surveillance takes place on the basis of our legitimate interest in preventing and investigating crimes, with the aim of identifying and managing risks and thereby increasing the safety of employees and visitors, as well as ensuring client confidentiality and protecting Gernandt & Danielsson’s property. Further information about our camera surveillance can be found in our information about this, published on our website.
3.10 The data processed for the purpose of communicating with you, which includes the sending of newsletters, alerts concerning changes to statutes and case law, invitations to events and courses, or in order to keep our contact register updated, takes place based on our legitimate interest in maintaining client and business relationships and the possibility of communicating with you concerning our business and our events.
4 Access to personal data
4.1 Only those Gernandt & Danielsson employees who require access to the personal data for the performance of the purposes listed above will have access to the data.
4.2 Your personal data will not be disclosed to outside parties other than in those cases where:
(i) specifically agreed between Gernandt & Danielsson and you;
(ii) necessary to protect your rights within the scope of a particular engagement;
(iii) necessary to enable us to perform a statutory obligation or to comply with a public authority decision or judicial decision;
(iv) we retain outside service providers to perform work on our behalf, primarily to update and support Gernandt & Danielsson’s IT system; or
(v) the data is disclosed to courts, public authorities, counterparties and/or counterparty counsel in those cases where necessary to protect your rights.
5 Transfer to third countries
5.1 As a main rule, your personal data will not be transferred to countries outside the EU/EEA.
5.2 If transfer to a country outside the EU/EEA or to an international organisation is relevant, this will take place in accordance with the governing legislation in the data protection area and requires that the country in question has an adequate protection level or that other adequate protective measures are in place, entailing that the transfer takes place in accordance with applicable legislation, for example through use of the EU Commission’s standard agreement clauses, as well as other technical, organizational and legal security measures that may be relevant in the individual case.
5.3 The term ‛EU/EEA’ is deemed to include the UK up to 31 December 2020. Thereafter, the EU Commission must have decided that the country has an adequate protection level and, if not, Gernandt & Danielsson will take other appropriate protective measures.
6 Storage periods for your personal data
6.1 The personal data is stored in accordance with the obligations incumbent on Gernandt & Danielsson pursuant to the Swedish Bar Association’s Code of Conduct or pursuant to statutes or ordinances, for example the Money Laundering and Terrorist Financing (Prevention) Act (2017:630), the Accounting Act (1999:1078), the Discrimination Act (2008:567) or the Limitations Act (1981:130). The Code of Conduct prescribes that data must be stored for a period of ten (10) years from the conclusion of the matter or termination of the business relationship, or such longer period as dictated by the nature of the matter.
6.2 Gernandt & Danielsson does not store your personal data for a longer period than necessary in light of the purpose of the processing. Accordingly, we engage in systematic elimination, erasure and pseudonymisation of your personal data when it is no longer relevant for the purpose for which it was collected.
6.3 Gernandt & Danielsson may, however, store personal data for which there is no longer a relevant purpose, during a longer period if prescribed by law or in accordance with a judicial decision or public authority decision. Gernandt & Danielsson may also store personal data for a longer period due to performance of an agreement or as a result of a dispute.
6.4 Processed personal data that you have voluntarily provided to us, for example when you communicate with us by email or other means of communication, request that we send you newsletters or suchlike or when you register for an event or are a member of our alumni group, is stored in accordance with the above purpose for such time as you have a business relationship with us. If you no longer wish to receive newsletters, information or invitations from us, you can so notify us by email to GDPR@gda.se, whereupon your data will be immediately erased.
6.5 In the event Gernandt & Danielsson ceases to exist, e.g. through liquidation or bankruptcy, your personal data will be erased provided it need not be stored for the performance of obligations pursuant to statutes, ordinances or public authority decisions.
7.1 Gernandt & Danielsson also collect information with the help of cookies that are placed when you visit our website. We process the information created by the website’s cookies such as anonymized IP address, the length of the visit, the choices that were made, the number of page viewings and how you navigated to www.gda.se.
7.2 The purpose of the processing is to facilitate and optimize the use of the website by our visitors and for statistics in order to be able to evaluate the website's content, structure, navigation, etc. Gernandt & Danielsson processes the data based on a balancing of interests between your interests and Gernandt & Danielsson’s legitimate interest.
8.1 In connection with a recruitment procedure, Gernandt & Danielsson processes the personal data that you provide to us in your application documents. The personal data, which may then be relevant, includes, for example, name, personal ID number, address, telephone number, email address, photos, educational grades and work grades.
8.2 Processing of personal data in connection with recruitment takes place based on Gernandt & Danielsson’s obligations to comply with employment law, a balancing of interests or your consent. This means that Gernandt & Danielsson is able to comply with the requirements set out in, e.g. the Discrimination Act (2008:567) and also to assess and consider other candidates, to administer and to summon for interviews. Gernandt & Danielsson can also, following your consent, store your data for future employment, which may be suitable for you.
8.3 Processing of personal data based on a balancing of interests does not, as a main rule, take place after the recruitment procedure has ended.
8.4 Processing of personal data based on a legal obligation, for example pursuant to the Discrimination Act (2008:567), takes place during two (2) years following conclusion of the recruitment procedure.
8.5 Processing of personal data based on your consent for future possible employment involves processing of your data for this purpose until you revoke your consent or the purpose no longer applies.
8.6 In connection with the recruitment procedure, Gernandt & Danielsson shares personal data with parties, which perform processing on our behalf, for example Teamtailor AB, which provides Gernandt & Danielsson’s recruitment platform.
8.7 For further information about our processing of personal data in connection with recruitment, see our relevant policy on www.karriar.gda.se.
9 Technical and organisational security measures
9.1 Protection of your personal data is important for Gernandt & Danielsson. Therefore, we take all appropriate technical and organisational security measures required to protect your personal data against unauthorised access, disclosure, alteration or destruction.
9.2 Gernandt & Danielsson regularly reviews its security policies and procedures to ensure that the organisation and systems are secure and protected.
9.3 In the event Gernandt & Danielsson retains an outside provider to support the business, Gernandt & Danielsson ensures that the provider applies corresponding technical and organisational security measures and only processes personal data in the manner approved by Gernandt & Danielsson. Personal data processing agreements, confidentiality agreements and other relevant regulatory agreements are signed with the provider before the service is taken into use.
10 Your rights
10.1 You are entitled to request information from Gernandt & Danielsson about the use of the personal data that concerns you.
10.2 You can at any time withdraw all or parts of any provided consent. Gernandt & Danielsson will then immediately cease the processing to which the revocation relates.
10.3 At your request or on our own initiative, we will without unnecessary delay rectify or erase personal data that is not updated, is incorrect, incomplete or processed contrary to the above-stated purposes or relevant legislation. In such cases, you can also request that Gernandt & Danielsson restrict the processing of such data.
10.4 You can also request to receive your personal data in a mechanically readable form. This applies to personal data that you have provided to Gernandt & Danielsson, where the processing takes place automatically and is based on consent or an agreement. Where technically possible, you may also have personal data transferred to another controller of personal data.
10.5 You are also entitled, in certain cases, for example, when the processing is based on a balancing of interests, to object to Gernandt & Danielsson’s processing of your personal data.
10.6 You are also entitled to object to Gernandt & Danielsson’s processing of your personal data for direct marketing; in the case of such objection, Gernandt & Danielsson will immediately cease the processing.
10.7 A request by you will be answered as soon as possible, and not later than one month after the request has reached Gernandt & Danielsson. Where necessary, the time may be extended by a further two months, in which case you will be notified thereof.
10.8 If your request is clearly unfounded or unreasonable, Gernandt & Danielsson is entitled to refuse to meet the request, or to charge a reasonable fee, which covers the administrative costs involved therein.
10.9 If you wish to exercise any of your rights, you should submit a request to Gernandt & Danielsson in accordance with the contact details below.
10.10 If you are dissatisfied with Gernandt & Danielsson’s processing of your personal data, you may file a complaint to a supervisory authority, which in Sweden is the Integritetsskyddsmyndigheten (https://www.imy.se). You may also turn to the supervisory authority in the country in which you are living or working.
11 Changes to the Policy
This Policy may be changed or updated from time to time. The most recent version of this Policy will always be published on our website. Therefore, feel free to visit our website in order to learn of any updates or changes.
Contact us on GDPR@gda.se or the address below if you wish to exercise any of your rights or have questions or comments concerning our processing of personal data.
Gernandt & Danielsson Advokatbyrå KB
114 87 Stockholm
+ 46 8 670 66 00
* * *
Gernandt & Danielsson’s MP most recently adopted the policy on 3 May 2021.