SWEDEN Law and Practice Contributed by: Robert Stromberg and Malin Dunér, Advokatfirman Cederquist KB
tion Act (2008:567). Otherwise, a legal ground may be found through a legitimate interest assessment – ie, balancing the interest of the employer to process an employee’s data to investigate something with the employee’s interests and rights.
• Observing the principle of data minimisation – ie, not collecting and processing more personal data than is necessary for the given purpose.
• Ensuring that the collected and processed personal data is accurate.
• Erasing or anonymising personal data as soon as it is no longer needed. Routines and procedures for such erasure should be established.
• Ensuring that the data is well protected by taking appropriate security measures.
• Assessing whether it is permissible for the personal data to be transferred to a third country.

The GDPR generally prohibits the processing of personal data that is deemed sensitive (special categories of personal data). This includes information about trade union membership, health, sexual orientation etc, and personal data relating to criminal convictions and offences. Such data may, as an exception, be processed by an employer when necessary to establish, assert or defend legal claims – ie, in the context of a dispute/litigation. Other rules and principles in the GDPR must, however, be complied with.

For the processing of personal data related to the follow-up of a report, additional rules under the Swedish Whistleblowing Act (2021:890) must be considered:
• personal data may only be processed if necessary for follow-up, to enable the implementation of measures required in accordance with the information provided in the case and to enable reports to be used as evidence in legal proceedings or any other lawfully permissible manner; and
• personal data in a whistle-blowing channel may only be accessed, on a need-to-know basis, by independent and impartial persons or functions assigned to manage the whistle-blowing channel.

7.2 Specific Rules

There are a number of obligations to consider when collecting and/or processing personal data for an HR internal investigation.
• The individuals involved, for whom personal data processing is needed, have the right to be informed that their data is being collected, and of the purpose thereof and how the data will be used. This information must be provided at the time of data collection at the latest. Such information is normally already provided through the employer’s privacy notice. It is therefore generally recommended that such privacy notice encompass the collection of personal data in connection with internal investigations.
• The individual must also be informed about their rights to access personal data, have personal data rectified or erased, limit the processing of personal data, port personal data, object to the processing of personal data and not be subject to automatic decision-making.
• Following the principle of storage limitation, personal data relating to an investigation should generally be retained for the duration of any applicable statute of limitation connected to claims by individuals. Under the Whistleblowing Act (2021:890), personal data stored following an investigation should be erased two years after closure of the case.

7.3 Access

Individuals whose personal data is collected as part of the investigation have the right to access this data, and other information, by submitting a request. Such information may include:
• a copy of the processed personal data;
• information about the purpose and categories of processed personal data;
• the receivers of the data in; and
• the period over which it is anticipated that the personal data will be stored, etc.

There is also a right to information concerning whether the personal data has been subject to any automatic decision-making (see 7.4 AI). It is often sufficient to provide the individual with a summary of all the processed personal data.

There may be circumstances in which information should not be disclosed, for example due to provisions in other legislation or because disclosure of the infor-