All companies that in any way process and store personal data has to have a data protection policy, i.e. a GDPR policy. All information that has a connection to you in some way, whether directly or indirectly, is considered personal data. It can be anything from name, address, phone number and social security details to email address containing your name, ID card number and even your IP address. Even pictures, videos and sound recordings are considered as personal data.

In your GDPR policy, there are a number of details you must have easily accessible to your users. The information has to be straight-forward and easy to understand. Otherwise, the risk is you can be fined for violating GDPR. And above all, there has to be a legal ground that allows you to collect other people’s personal data.

There are six legal grounds that allows you to process personal data. Organizations that process personal data in any way has to fulfill at least one of these grounds:

• You need consent from the user to be able to save their data.
• You need to have an agreement with the user that requires their personal data to be saved.
• You need to have a legal obligation that requires you to save certain personal data by law.
• You need to show that you’re processing personal data to be able to protect peoples fundamental interests, for example to save their lives. This mainly applies to healthcare.
• You need to be an authority and process personal data as part of your work as an authority and in the interest of the public.
• You need to have your interests to process personal data outweigh the interests of your users making processing personal data necessary. This can apply to when your organisation is part of a large group and you having to share personal data with others within the group in order to be able to pay salaries and the like.

1. Your GDPR policy must include who’s responsible of the personal data

Who’s responsible for personal data depends on the form of the company. It’s usually not a person, but the organization itself. If you’re a company, then the company is responsible for personal data. If you’re an association, it’s the association who’s responsible. One individual can also be responsible for personal data, such as in individual companies.

2. Why do you collect personal data?

Different organizations have different reasons for collecting personal data. What’s important to keep in mind is that the personal data you collect doesn’t only apply to your users, but also to your employees. For example, data you collect in payroll systems has to comply with GDPR. The same goes for when you want to communicate with your users, for example through a newsletter.

Regardless of the reason, it’s particularly important to be clear about why you’re collecting personal data. Both so your users can easily get that information, but also because you can’t use the information you’ve collected in any other way than how you’ve specified. For example, you can’t collect email addresses when your users create accounts at your webpage and then at a later stage use the same information to start sending newsletters to them. If you want to change the purpose, you have to disclose the information to your users and be clear about how the changes affects them and why you’ll collect their personal data going further.

3. Where do you store the personal data?

Do you store the data within the EU or do you store it in a country outside of the EU? Depending on where you store the data, you need to check that the country has a sufficiently high level of protection of personal data according to the EU/EEA standard. If the country doesn’t, you can’t store personal data in that country. So you need to check whether there is a decision from the European Commission regarding the level of protection in the country you want to store the data in. If there’s no such decision, you need to have standard contract clauses that the European Commission has decided on. But since such clauses sometimes means you also need to take other protective measures according to the EU Court, it would be a good idea to bring in a GDPR expert who can make sure that your GDPR policy is air-tight.

4. The type of personal data you collect has to be included in your GDPR policy

Even when it comes to which personal data you collect, you have to be clear and can’t change and collect other personal data without approval. If there’s a change in your systems that causes you to collect new personal data, you have to share that information with your users. Remember that it’s important to be clear and include exactly all information that’s considered personal data. All information that can in any way be linked to individuals is personal data and must be categorized in your GDPR policy.

5. Who will have access to the personal data?

Are there other parties who will have access to the data? Do you have external suppliers who have access to them? Or are there other parties you collaborate with who will have access to the personal data you collect? Then this has to be stated in your policy. You also have to clarify rights and obligations your partners have. The important thing here is that the personal data you collect isn’t at risk of being misused by partners using it for purposes other than what you’ve informed your users about.

6. How long will you store the data?

Depending on how you intend to use the personal data, the period for how long you intend to store it varies. Simply put, you can save the data as long as you need it for the purpose you’ve specified in your policy. When the purpose is no longer relevant, you have to delete the data.

Sometimes, however, you may need to state that you don’t know how long you’ll need to store the personal data. Then you instead have to state why you can’t limit the storage in time.

7. Your users’ rights have to be stated in your GDPR policy

According to the GDPR, everyone has the right to access their personal data from organizations collecting them. Everyone has the right to both receive an extract and have information changed if it’s incorrect. In addition, everyone has the right to request to have their data deleted in the vast majority of cases. It’s only if there are no other legal obstacles that prevent you from deleting the data that this doesn’t apply. However, this exception mainly applies to authorities. For most companies, if a user wants the company to delete the person’s data, the company has to do so.

8. Where do users submit any complaints?

In January 2021, the Data Inspectorate changed its name to The Swedish Authority for Privacy Protection. They’re the ones who ensure that Swedish organizations comply with the GDPR. It’s also where private individuals can report complaints if they’re concerned about how an organization handles their personal data. That’s why you have to include contact information to the Authority for Privacy Protection in your policy so that your users can easily contact them about any questions, concerns and complaints.

Do you need legal help?

We have several lawyers who can help you with this. Book an appointment if you have questions and need counseling, or email us to hire one of the lawyers. We recommend: Adib Hosseini

The Swedish Authority for Privacy Protection (IMY) has now stated that four large companies in Sweden have violated the GDPR while using Google Analytics (GA) as a measurement tool. The four companies IMY has reviewed are CDON, Coop, Dagens Industri and Tele2, all of which now have to stop using GA. In addition, Tele2 receives a fine of SEK 12 million and CDON of SEK 300,000. The version of GA the companies used is from August 14, 2020.

The basis is how the four companies transfer personal data to the United States through GA. The European Court of Justice determined in 2020 that the United States doesn’t have a sufficiently high level of protection of personal data. Because of that, forwarding personal data from a country within the EU/EEA to the USA is a violation of GDPR. GA is a common measurement tool for many companies. So this case is also relevant for other companies in Sweden that use GA.

According to IMY, information has been transferred that IMY believes can be connected with other unique information also being passed on. IMY also believes that the companies haven’t taken any technical measures to protect users personal data according to EU/EEA standard. Even if the companies have other technical solutions aiming to protect personal data, they aren’t sufficient. The companies have also used standard contract clauses as a basis for decisions on the transfer of personal data.

– These decisions have bearing not only on these four companies, but can also provide guidance for other organizations that use Google Analytics, says Sandra Arvidsson, lawyer who led the reviews of the companies.

Spotify receives fine of SEK 58 million for violations of the GDPR

Spotify was also fined in June for violating GDPR. At the time, IMY determined that the information from Spotify isn’t clear enough regarding how they use saved personal data. According to GDPR, every individual has the right to know which personal data a company handles and how it’s used.

Ensuring that a company follows GDPR regulations isn’t always easy. As a company, you can transfer personal data if the country you forward the data to is one that the EU Commission has decided has a sufficiently high level of protection of personal data. If it’s a country the EU Commission hasn’t made a decision about, companies can transfer data with the support of standard contract clauses that the EU Commission has decided on. However, sometimes additional protective measures has to be taken as well along with standard clauses according to the EU Court.

Making sure your company follows GDPR regulations isn’t always easy. Especially when you also have to make sure that the tools and programs you use also comply with GDPR.

Do you need legal help?

We have several lawyers who can help you with this. Book an appointment if you have questions and need counseling, or email us to hire one of the lawyers. We recommend: Adib Hosseini

Even though social media has now been around for many years, the rules and laws surrounding what you can and can’t do when advertising on social media are difficult to navigate around. This is because social media is an incredibly fast-growing phenomenon and it’s difficult to keep up with what’s happening, both on a national and global level. Many companies violate advertising laws. So to make things clearer, we’re listing the most important rules for companies that advertise in social media.

1. Respect copyright and trademark protection

This may seem obvious but companies often miss this in their marketing. It’s easy to think that you can freely use memes and popular songs that are widely spread on social media, but the fact is that even the most popular visual and audio content on social media are covered by copyright.

On many sites, you can sign up and pay to be able to use content for social media. The websites will state in their terms how you’re allowed to reuse the content. In most cases, this is the safest way to ensure that the content you’re using is legally okay to use. If you still want to reuse content that is trending in social media, you need to try to find out who the author of the content is and ask for permission to use it.

Do you need legal help?

We have several lawyers who can help you with this. Book an appointment if you have questions and need counseling, or email us to hire one of the lawyers. We recommend: Mirella Nunes Siqueira

2. What are the rules regarding UGC?

User generated content is content that social media users who use your products and/or services have created. Most often, UGC-content is created by smaller influencers who recommend products and services on their platforms. As a company, you can pay influencers to create user-generated content for you, and by default companies usually state that the copyright to the material in these cases belongs to the company.

Many companies also send samples to social media users which leads to the recipients creating user generated content. In these cases, it’s important that you ask the influencer if it’s alright to reuse the content, especially if you intend to advertise it. Best practice is to offer the influencer a fee to be able to advertise the content. How big the fee should be depends on how big a reach you expect to get, how long you intend to let your ad run and how well established the influencer in question is.

3. All paid ads with influencers must be clearly marked

If you want to use influencers to get your message out, it is especially important to mark the content as advertisement. On Instagram, among other platforms, you can now collaborate with influencers with branded content. This way, a branded content label appears above the post. But when it comes to advertising rules, this is usually not enough. According to Swedish practice, it should never be possible to misinterpret whether content in social media is a paid ad or not. Since the branded content labeling through Instagram is so small, it’s important that the influencer also writes in the caption that the collaboration is a paid collaboration between you and them.

The same applies to you as a company if you post the material on your channel as well. Otherwise, the risk is that you’ll be accused of false marketing.

4. GDPR also applies to social media

The purpose of advertising on social media can be different. It’s not always a company wants to sell a product or service, but sometimes the purpose may be to market a future launch where users can sign up to receive information in advance. Sometimes the aim is to get more subscribers to a newsletter. And sometimes you might want to promote your loyalty program. When collecting user data, you have to comply with applicable data protection laws. In Sweden, this simply means that you need to comply with the European Data Protection Regulation (GDPR).

It needs to be clear in your ad how you intend to use the data. The people you target must be able to give consent and approve that you may use their data in future communications. Although it can be seen as approval when a person enters their email address, it’s important that it’s clearly stated what the person in question actually agrees to when entering their email.

5. Be genuine and honest when advertising on social media

Last but not least, be transparent. Be clear and honest about who benefits from what you sell, why your concept is strong and what the customer actually gets when buying from you. In order to be heard through the social media noise, it can feel tempting to embellish the message, but the risk is that you’ll be reported for false marketing. And in today’s digital society, it’s incredibly easy for users to quickly find information about which companies have been reported and which ones receive critical reviews.

So make sure to use the strengths you have without embellishing them too much. If you have a good product or service, that will be enough. And in turn, that will only lead to the customers positive experiences giving your marketing an extra boost.

Drafting contracts is an important part of everyday life as a business owner and entrepreneur. Regardless of the type of contract, it’s important you secure your business, avoiding potential disputes. Although contracts tend to look different depending on the purpose, there are some paragraphs that are always good to include. We list the 7 most important ones below.

1. Clearly identify the parties

The most important thing in any contract is to correctly identify the parties involved. So make sure you state all names, addresses, telephone numbers and other relevant contact details. It should be clear without risk of being misinterpreted in any way.

2. Describe the purpose of the contract

Clarify the purpose of the agreement in a way that is clear to all parties. List and accurately describe all the services and/or products you will deliver. Also, describe the expectations the parties have of each other and what the conditions are? Be overly clear rather than allowing for different interpretations of the deliveries. This makes the contract the same for everyone and makes the collaboration easier to implement.

3. Terms of payment

Here, it’s important to both state what things cost and what will happen if the payment isn’t fulfilled on time. Specify how much is to be paid, when the payment is to be made and in what way. Also, specify how the customer will be charged in the event of a delay in payment. State the payment charges for delay and what the interest rate is on late payments.

4. Time frames and deadlines

Having clear time frames and deadlines is essential to ensure that all parties are in agreement. This includes dates for both partial and final delivery. Here, you can also specify the timeframes for any feedback and corrections. And if the customer should have a chance have changes made before delivery, you hve to state how many revisions the customer gets within the terms of the contract. By limiting the time for revisions, you can ensure that the collaboration stays effective.

5. Responsibilities and authorities

It’s important to clarify what you need to be able to deliver according to the contract. In many cases, the customer needs to supply certain information in order for the work to be carried out. And in some cases you’ll need authorization from the customer to be able to deliver. By clarifying what the responsibilities and authorities are for each party, you ensure that you’re not held liable if you don’t get what you need to deliver successfully.

6. Confidentiality and intellectual property rights

If the collaboration and the contract mean that you’ll share confidential information, it’s important to include a confidentiality clause. And the contract should also state who owns the intellectual property rights if any. Usually, the customer owns the intellectual property rights for what is created. Sometimes however, the customer may need to purchase the rights meaning you need to state how this is done, what exactly the customer is buying and how much it costs.

7. You should never draft a contract without a force majeure clause

The force majeure clause usually appears in all contracts that are drawn up. It exempts you from liability if anything happens that is beyond your and the customer’s control. This applies, for example, to natural disasters, war and similar events that make it impossible to perform according to the contract.

Depending on the type of contract you’re writing, there may be other important paragraphs to include. So make sure to review the contract carefully so that you address and clarify all relevant issues before signing. It can be helpful to hire a lawyer to help you draft the contract. That ensures that you don’t end up in an unnecessary dispute that costs both money and a lot of time.

Do you need legal help?

We have several lawyers who can help you with this. Book an appointment if you have questions and need counseling, or email us to hire one of the lawyers. We recommend: Mirella Nunes Siqueira

Starting to freelance is an exciting challenge, but there are a some legal aspects you need to be aware of before you get started. We have put together a checklist, perfect if you’re thinking of starting to work as a freelancer.

1. Decide on a business form before you start freelancing

Before you start freelancing, you need to decide on which business form you want for your business. You can of course use a third party company to invoice your clients, but in the long run you’ll benefit more from invoicing directly from your own company.

There are various company forms to choose from, such as sole proprietorships, trading partnerships and limited or incorporated companies. Which form suits you best depends entirely on the business you want to run. Make sure to take the time to research and choose the form best suited for your needs.

2. Register your company

Once you have chosen a suitable company form, you have to register your company. The registration process might vary depending on the form you choose. If you start a sole proprietorship or trading partnership, you’re required to register your company with the Swedish Tax Agency (Skatteverket). If you start a limited or incorporated company, you’ll also have to register your company with the Swedish Companies Registration Office(Bolagsverket).

3. Create invoice and payment templates

It is important that you have a clear plan of how to handle deposits and withdrawals, and also any late payments to your company. Start by creating a standard invoice that you can use to invoice your clients. Your invoice should include:

• the date you issue the invoice.
• due date.
• unique invoice numbers for each invoice you send.
• both your and your clients’s addresses.
• your organization number.
• what the late payment interest will be if you have to send your client a payment notice.
• a description of what you are invoicing for and how much it costs.
• VAT for each service or item you invoice for.
• total VAT amount.

4. Get the right insurances before you start freelancing

You also need to make sure you have the right insurances to protect yourself and your business. A common insurance policy for freelancers is liability insurance, which protects you if a client sues you for injury or loss caused by your work. You may also need other insurances depending on the type of work you do.

5. Manage your taxes and VAT

As a freelancer, you have to manage your own taxes and VAT. So it’s important you find out which taxes and fees apply to your business and that you make sure you’re registered for all necessary taxes. If your business requires that you pay or recieve VAT, you have to register your company for VAT according to Swedish law.

6. Manage your agreements and contracts

As a freelancer, it’s important that you have all your agreements and contracts in place to protect both yourself and your clients. Make sure to read and fully understand the contracts you sign with your clients. And make sure you have a standard agreement that you can use to formalize your services and terms. There are many templates for standard agreements that you can download for free, but to make sure that your agreements really do protect you and your company, reviewing your agreements with a lawyer is always a good thing.

Do you need legal help?

We have several lawyers who can help you with this. Book an appointment if you have questions and need counseling, or email us to hire one of the lawyers. We recommend: Mirella Nunes Siqueira

7. Protect your intellectual property rights

As a freelancer, your work is your brand and your ideas are your assets. Because of that, make sure to protect your intellectual property rights by registering trademarks and patents where possible before you start to freelance. This can help you avoid someone else using your ideas without your permission and making sure you get paid for your work.

In conclusion, in a lot of ways being a freelancer will give you freedom. However, there are several legal aspects that are important to consider. By making sure you’re well prepared, you can protect yourself and your business while also focusing on developing your skills and expanding your business. And remember, there are great resources available to help you navigate the legal side of being a freelancer, so don’t attempt to solve any issues yourself if you don’t feel comfortable with it.