SWEDEN Law and Practice Contributed by: Anders Bergsten and Victoria Nordenberg, Mannheimer Swartling
Controller Responsibilities and Data Processing Agreements
A legal entity that determines the purposes and means of processing personal data is a controller under the GDPR. While a controller can appoint a processor to process data on its behalf, the ultimate responsibility for compliance remains with the controller. To ensure the processor adheres to GDPR requirements, the parties must enter into a data processing agreement that governs the processing activities and outlines both parties’ obligations and rights.

Protective Measures and Data Subject’s Rights
The GDPR requires controllers to implement appropriate technical and organisational measures to protect the processed personal data from unauthorised access. The appropriate measures should be determined based on the risk of the processing. This may include:
• pseudonymisation and encryption of personal data;
• ensuring ongoing confidentiality, integrity, availability, and resilience;
• ensuring data restoration; and
• regularly testing, assessing, and evaluating measures.
The controller must also inform data subjects about the processing of their personal data and of their rights. The data subject’s rights include:
• right to access personal data and information;
• right to rectification;
• right to erasure;
• right to restriction of processing;
• right to data portability; and
• right to object.

Data Breach
Entities processing personal data must adhere to the GDPR’s specific provisions regarding personal data breaches. A personal data breach involves a security incident resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data. If a breach risks individuals’ rights and freedoms, the controller must notify the Swedish Authority for Privacy Protection within 72 hours of awareness. The notification shall at least include a description of:
• the nature of the breach;
• the likely consequences of the breach;
• the measures taken or proposed to mitigate the consequences of the breach; and
• contact information for further inquiries.
If a breach likely poses a high risk to individuals’ rights and freedoms, the data subject should generally be informed. All breaches must be documented by the controller, regardless of risk level. However, it should be noted that the Data Protection Act stipulates that if an incident that constitutes a personal data breach is to be notified under the Protective Security Act, the notification and information obligations under Articles 33 and 34 of the GDPR shall not be applicable.

6.2 Cybersecurity and AI
The Swedish government has launched an inquiry to evaluate the need for national adjustments in response to the AI Act. The inquiry will recommend necessary legal changes and