HR Internal Investigations 2026

SWEDEN Trends and Developments Contributed by: Jenny Welander Wadström, Björn Johansson Heigis, Andreas Hallbeck and Säde Märgel, Roschier

regarding employees’ processing of personal data in the context of background checks under the GDPR remain intact. Due to the legal complexity of background checks, and the recognised need to carry out such checks on the labour market, the Swedish government recently initiated a government enquiry to examine the need to regulate the practice of conducting background checks, and to present legislative proposals.

Legal basis, transparency and purpose limitation

A recurring issue in internal investigations is the identification of a legal basis for processing personal data – eg, reviewing employees’ emails in the context of an internal investigation. Consent is generally not considered an appropriate legal basis for an employer’s processing of employees’ personal data due to the imbalance in power between the employer and the employee. Instead, the legality of such processing often needs to be subject to a legitimate interest assessment in accordance with the GDPR.

Additionally, the employer must comply with its transparency requirements under the GDPR, including informing about the processing of personal data in the context of any internal investigations. For example, where employers intend to access employees’ email accounts or logs, the employers must have communicated that such actions may take place – eg, through internal policies, IT guidelines or privacy notices.

Other general data protection requirements, such as data minimisation, must also be considered when conducting the actual review to avoid unnecessary processing of personal data. The review should be limited to what is necessary, for example by defining relevant keywords, time periods and parties involved in the communication. Furthermore, detailed documentation of the steps taken to ensure privacy to the extent possible should be maintained in order to demonstrate compliance with data protection legislation.
In addition, processing of personal data must be tied to specific, explicit purposes. If data were originally collected for one purpose (for example, routine HR administration), the employer must assess whether subsequent use of such data for investigative purposes is compatible with that original purpose, or whether a new legal basis is required. This purpose limitation requirement can complicate efforts to reuse existing datasets in investigative contexts.

Documentation, retention and access control

Internal investigations generate a wide range of documentation, including initial reports, scoping decisions, interview notes, correspondence, and draft and final reports. The GDPR requires that personal data contained in these materials be retained only for as long as necessary for the purposes for which they were collected. In practice, employers often align retention periods for investigative files with limitation periods for potential employment disputes, subject to case-by-case assessments.

The security of personal data processing is another key element. Access controls and other technical and organisational security measures are necessary to avoid integrity risks and ensure compliance. The sensitive nature of the personal data that is often processed in connection with an investigation requires particular attention in this respect. For example, controls that limit access to personal data to those people who have a legitimate need for such data (such as investigators and relevant HR or legal personnel) should be implemented. The Whistleblower Act adds an additional layer of requirements by imposing statutory confidentiality obligations regarding the identity of the reporting person and the other individuals involved.

For multinational organisations operating in Sweden, cross-border transfers of personal data present further complexities. Transfers of investigation-related personal data to countries outside the EU/European Economic Area (EEA) must comply with the GDPR’s rules on international transfers, typically requiring standard contractual clauses, data transfer impact assessments and other appropriate safeguards.

Increased Use of External Investigators

Drivers of engaging external support

Swedish employers are increasingly turning to external investigators – typically external law firms or other consultants – to handle all or part of internal investigations. Several factors explain this trend.
