SWEDEN Trends and Developments Contributed by: Niclas Rockborn, Astrid Svensson and August Hansson, Gernandt & Danielsson
both the GDPR and Swedish banking secrecy rules, requiring careful assessments to ensure compliance with both sets of rules.

Swedish bank secrecy is regulated in the Swedish Banking and Financing Business Act (Lag (2004:297) om bank- och finansieringsrörelse) but also in other laws applicable to specific sectors within the financial industry. The Banking and Financing Business Act provides that a credit institution may not disclose an individual’s relationship to the credit institution without authorisation. This duty of secrecy imposes obligations on the credit institution and its representatives, such as employees, the CEO, and contractors.

If a bank violates the bank secrecy undertakings, it could be liable for damages if the individual can prove that the relevant breach has caused them financial harm. Such violations may also prompt the Swedish Financial Supervisory Authority to revise the bank’s general procedures, potentially resulting in sanctions if the authority deems these routines inadequate.

The individuals to whom the right to confidentiality applies are the bank’s natural and legal customers. It applies to all current and former customer relations, regardless of the duration and extent of the relationship, and extends beyond the death of the natural person or the dissolution of the legal entity. The protected information is interpreted broadly to include all information about the customer that the bank obtains because of the customer relationship, both personal data and trivial private information, even if it is not obtained directly from the customer.

Exceptions to banking secrecy apply when providing information to legal guardians, during criminal investigations, and in other instances, provided there are legitimate grounds. Confidentiality may also be waived by a provision in law or based on other specific legitimate grounds (not to be confused with “legitimate interest” as per the GDPR). Banking secrecy does not apply to the customer themselves or when the customer has consented to a specific information disclosure. Additionally, already publicly known information is not considered confidential and, therefore, not protected by banking secrecy regulations.

AI and Data Protection

AI Act

The AI Act came into effect in August 2024, and its provisions are being implemented gradually. The AI Act governs the development, provision, and use of AI systems in the EU. It employs a risk-based approach, where AI systems are divided into the following categories of risk:

• unacceptable;
• high;
• limited; and
• minimal.

Different requirements apply based on the risk category. General-purpose AI models are an additional category posing specific transparency requirements. Violations of the regulation can result in penalties based on a company’s annual turnover, comparable to the GDPR. The AI Act will apply in parallel with the GDPR. A national review of the need for national adaptions because of the AI Act is ongoing and will be presented by 30 September 2025 at the latest.

Sweden is no exception to the increasing global interest in AI. The use and integration of AI in various sectors raise significant concerns from a data protection perspective, which need to be evaluated on a case-by-case basis. One of the foremost challenges is understanding the impact of the GDPR on AI and vice versa. Close collabo -
410 CHAMBERS.COM