Mannheimer Swartling cares about privacy and protecting the personal data processed by the firm. All personal data is processed in accordance with applicable data protection legislation.
When parties such as clients or their representatives, business partners and consultants, foreign representatives, witnesses, counterparties, representatives or counsel of counterparties are in contact with us or occur in connection with our engagements, this entails personal data being provided to us or obtained by us. When individuals visit our offices we normally register their information in a visitor management system. Our support organisation also collects and processes personal data about contact persons of suppliers and other external parties. Below we describe how we collect, process and share personal data in such cases. Further down we also provide information about the rights of data subjects in relation to us as controller as well as our contact details.
What personal data do we process?
Much of our communication takes place by telephone and email, which essentially always entails the processing of personal data. Emailing or phoning us generally means that personal data that can be linked to individuals are provided.
We collect the personal data provided to us in connection with our engagements or that are otherwise processed during the preparation or administration of an engagement. We primarily collect personal data directly from the individuals concerned. However during engagements we sometimes receive information about individuals involved without the information being provided directly from them. We may also supplement the personal data provided by obtaining information from private and public records and sources. Normally, there is no obligation to provide us with personal data. However, if we do not receive certain personal data, we will not be able to accept an engagement, since we will not be able to comply with our obligations, inter alia, to perform conflict of interest and money laundering checks. Our support organisation also collects and processes personal data when in contact with e.g. suppliers and other external parties.
The personal data we process may consist of contact details (e.g. name, title, work address, telephone number and email address), identification details (e.g. passport details and date of birth /ID number), as well as invoicing information (e.g. account number and tax details). In specific engagements the personal data may also comprise other information, e.g. course of events or other circumstances, or other information relevant to the engagement. In connection with visits at our offices, we normally register the visitor's name and employer (or equivalent).
What are the purposes of our processing of personal data?
We process personal data provided or obtained in connection with engagements so we can fulfil our obligations and safeguard our clients' interests, and also for administration in connection with engagements, as well as obligations which follow from law or the rules issued by the Swedish Bar Association. Before we accept engagements, we must also perform compulsory conflict of interest and money laundering checks.
Our support organisation also processes personal data so that we can manage and administrate our relationships with suppliers and other external parties, as well as visits to our offices.
We may also use personal data as a basis for our market and client analyses, business and methodology development, as well as for statistical purposes, risk management, and marketing purposes.
What is the legal basis for our processing?
In relation to information about clients who are private individuals, the legal basis for processing personal data is performance of the contract which governs the engagement. In relation to clients' representatives, business partners and consultants, foreign representatives, representatives and counsel of counterparties, etc., our processing of personal data is normally based on a balancing of interests. This entails that we consider it necessary to process the personal data for the purposes that concern our client's or, where applicable, our legitimate interests and that these outweigh any opposing interests or fundamental rights and freedoms.
The processing of personal data in connection with the conflict of interest and money laundering checks and archiving of documents after an engagement has been concluded are based on our duty to comply with our legal obligations (e.g. under accounting and anti-money laundering legislation, as well as the Swedish Bar Association Code of Conduct).
We may have additional grounds for the processing in connection with the various engagements we have accepted.
Processing of personal data relating to suppliers or their representatives and other external parties is based on our legitimate interest in administrating the relationship and performing our contractual obligations.
In relation to the information registered in connection with visits at our offices the legal basis for our processing is – in addition to the fact that the processing may be covered by the preceding paragraphs – our legitimate interest in managing the visits, and/or our duty to comply with our legal obligations.
When we process personal data in order to analyse and develop our business, and for marketing communication, processing is based on our legitimate interest in improving and marketing our business.
Who has access to the personal data that we process?
We employ appropriate technical and organisational security measures to help protect the personal data we process from loss and to guard against, inter alia, access from unauthorised persons.
Transfers of data outside the EU/EEA are made in line with applicable data protection laws and for the purposes specified above. When personal data is transferred to the firm's international offices, the data may be transferred to countries outside the EU/EEA. Transfers of this type are normally based on the EU Commission's standard contractual clauses. Transfers to countries outside the EU/EEA may also occur within the scope of a given engagement insofar as is necessary to establish, exercise or defend our client's legal claims.
Mannheimer Swartling will not disclose personal data to anyone outside the firm, except where
(i) it has been agreed between us and the person whose personal data we process;
(ii) it is necessary within the scope of a given engagement to safeguard our clients' rights and interests;
(iii) it is necessary so we can fulfil a statutory obligation, comply with a decision of a public authority or a court of law, or the rules issued by the Swedish Bar Association;
(iv) we engage an external service provider or business partner who performs services on our behalf. Such service providers and business partners may only process personal data in accordance with our instructions, and may not use personal data for their own purposes; or
(v) it is otherwise permitted by law.
How long will we keep personal data?
We do not save the personal data longer than necessary given the purpose of the processing, unless otherwise required or permitted by law.
The personal data that may be processed before and during the performance of an engagement are subsequently saved in accordance with Mannheimer Swartling's obligations under the Swedish Bar Association Code of Conduct after the engagement has been concluded. This means that the personal data are saved for at least ten years from and including the date the engagement was concluded, or for a longer period as required by the nature of the engagement.
Anyone who does not wish to receive invitations to our events or marketing material from us can unregister by contacting us at firstname.lastname@example.org.
What are the rights of the data subject?
Mannheimer Swartling Advokatbyrå AB, Reg. No. 556399-4499, having the address Norrlandsgatan 21, SE-111 87, Stockholm, is the controller of the personal data processing as described above. This means that we are responsible for ensuring that the personal data are processed correctly and in accordance with applicable data protection laws.
Data subjects have – unless this is prevented by the duty of confidentiality set by the Swedish Bar Association – the right to know what personal data we process about them. A data subject also has the right to request that we rectify or erase inaccurate or incomplete personal data about them (e.g. if the personal data are no longer needed for the purpose or if the consent is withdrawn). Data subjects are also entitled to object to specific processing of personal data and request that processing of personal data be restricted. Finally, data subjects have the right to receive, in machine-readable format, personal data they have provided, and have the data transferred to another party responsible for data processing.
Note that the above rights may be limited by the duty of confidentiality and archiving obligation applying to members of the Swedish Bar Association. Restriction or erasure of personal data may mean that we are unable to meet our commitments.
Anyone who is dissatisfied with how we process their personal data is entitled to report this to the Swedish Data Inspection Board (Sw. Datainspektionen), which is the supervisory authority for our processing of personal data.
If you have any questions or complaints about how we process your personal data or wish to exercise any of your rights set out above, you are welcome to contact us by email at email@example.com or by post to the address above.