Data Protection and Privacy 2025

SWEDEN Trends and Developments Contributed by: Niclas Rockborn, Astrid Svensson and August Hansson, Gernandt & Danielsson

Protection against external malicious attacks is important from a security perspective. Addressing internal, continuous and systematic data protection flaws is just as important for ensuring a high level of security as protection from external threats. IMY issued several notable decisions regarding security breaches in which personal data was accidentally transferred over the internet. In two cases – Apohem AB and Apoteket AB – the breaches occurred when the companies inadvertently transmitted customer purchasing records and contact information to Meta via the Meta Pixel website tracking software. IMY determined that the transferred information constituted sensitive personal data and concluded that the companies had failed to implement appropriate technical measures to ensure a level of security commensurate with the risks. IMY issued administrative fines of SEK8 million to Apohem AB and SEK37 million to Apoteket AB for violating the GDPR.

Financial sector

The Swedish financial sector is highly digitalised, including traditional banks and, to a large extent, fintech leaders such as Trustly, Klarna and Zettle. This digitalisation brings with it data protection and information and communication technology (ICT) risks, making the Swedish financial system in particular more vulnerable to data protection risks, cyber threats and ICT disruptions.

In addition to the GDPR, the EU Digital Operational Resilience Regulation (DORA) implements requirements to address ICT-related risks for nearly all entities operating within the Swedish financial sector. DORA aims to mitigate ICT vulnerabilities and establish uniform rules across the EU. It introduces, among other things, requirements for cybersecurity information, continuity planning to recover operations after incidents, managing risks from outsourcing ICT to third parties, resilience testing, and frameworks for information sharing.

Effective January 2025, DORA and its supplementing technical standards apply to banks, investment firms, insurance companies and other stakeholders in the Swedish financial sector, such as intermediaries managing alternative investment funds and crypto service providers. As the financial sector has become predominantly digital and reliant on third-party infrastructure and service providers, an important aspect of DORA is that these ICT providers are included within the regulation’s scope.

The Swedish Act (2024:1278) with supplementary provisions to DORA contains the supplementary Swedish legislation and encompasses specific provisions on threat-led penetration testing, fees, supervision by the Swedish Financial Supervisory Authority (Finansinspektionen) and sanctions.

In addition to the requirements applicable to engaging a processor of ICT services set forth in the GDPR, DORA imposes certain data protection requirements that must be fulfilled. Financial entities must properly assess the ICT risks and discontinuation provisions and ensure appropriate data protection prior to entering into a contractual arrangement on the use of ICT services under DORA. This includes provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data.

Swedish bank secrecy

Along with the GDPR and DORA, entities within the Swedish financial industry also have to comply with the Swedish banking secrecy rules. The banking secrecy rules apply in parallel to the GDPR. Hence, data may fall under the scope of

409 CHAMBERS.COM