Sweden: An overview of Vendor Privacy Contracts
September 2021
1. Governing Texts
1.1. Legislation
- The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). For requirements under the GDPR, please see our EU - Vendor Privacy Contracts Guidance Note, or select 'EU' within the Comparison tool
- Act with Supplementary Provisions to the GDPR (SFS 2018:218) (also available in Swedish here)
- Ordinance with Supplementary Provisions to the GDPR (SFS 2018:219) (also available in Swedish here)
1.2. Regulatory authority guidance
The European Data Protection Board ('EDPB') has released:
- Opinion 14/2019 on the draft Standard Contractual Clauses submitted by the DK SA (Article 28(8) GDPR) (12 July 2019)
- Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR (version under public consultation)
The Swedish Authority for Privacy Protection ('IMY') has issued the following guidance:
- For you who are a personal data processor (only available in Swedish here) ('the Data Processor Guidance');
- Personal data processor agreement (only available in Swedish here) ('the Agreement Guide');
- Keep records of processing (only available in Swedish here) ('the Records Guidance');
- Obligations of the personal data processor (only available in Swedish here) ('the Obligations Guidance');
- Personal data incidents (only available in Swedish here) ('the Data Incidents Guidance');
- Appoint a data protection officer (only available in Swedish here) ('the DPO Appointment Guidance'); and
- Cross-border processing of personal data (only available in Swedish here) ('the Cross-border Guidance').
1.3. Regulatory authority templates
The European Commission has released the following decisions on standard contractual clauses ('SCC') for transfers of personal data to jurisdictions outside of the EU/EEA:
- Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council;
- Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries; and
- Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (2001/497/EC).
The Article 29 Working Party ('WP29') released the following documents, which have been endorsed by the EDPB:
- Recommendation on the Standard Application form for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data | WP 264 rev.01 (18 April 2018);
- Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data | WP 265 rev.01 (18 April 2018);
- Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules | WP 256 rev.01 (9 February 2018); and
- Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules | WP 257 rev.01 (9 February 2018).
2. Definitions
Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7) of the GDPR).
Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).
3. Contractual Requirements
3.1. Are there requirements for a contract to be in place between a controller and processor?
The Agreement Guide details the requirements for contracts as provided for under the GDPR. In addition, the Agreement Guide states that the agreement ensures that:
- both parties comply with the GDPR;
- both parties are aware of their commitments and obligations to each other and to the data subjects;
- both parties protect the personal data of customers, personnel and other categories of data subjects; and
- both parties document their processing more clearly and can therefore more easily show that they follow the rules (accountability).
3.2. What content should be included?
The Agreement Guide notes that it is very important that the data controller clearly specifies which personal data processing operations are to be transferred to the data processor.
Furthermore, the Agreement Guide notes that the data controller and data processor can always supplement the minimum requirements under Article 28(3) of the GDPR with additional contract terms.
In relation to providing instructions to a processor, the Agreement Guide notes that the instructions from the data controller can follow directly from the agreement or be given in writing in another way, for example via e-mail. However, the instructions must be able to be saved so that they are documented.
The Agreement Guide also emphasises that it is beneficial if the agreement states as clearly as possible how the processor can assist the controller in fulfilling its obligations. One example is that the data processor takes technical measures to strengthen its ability to detect personal data incidents and takes organisational measures such as designing a clear reporting routine in the event of a personal data incident.
With respect to codes of conduct and certification, the Agreement Guide notes that codes of conduct and certification can be a way for the data processor to show that the processing complies with other provisions of the GDPR. Prior to the conclusion of a data processing contract, the data processor may use codes of conduct and certifications to provide guarantees that its processing will comply with the provisions of the GDPR.
With respect to the expiry of the contract, the Agreement Guide notes that the purpose of Article 28(3)(g) of the GDPR is to ensure continued protection of personal data even after the termination of the contractual relationship. It is therefore ultimately up to the data controller to decide what happens to the personal data that the data processor has processed. The Agreement Guide also notes that it is important to keep in mind that the removal of personal data is carried out in a secure manner and that the provisions of Article 32 are complied with. There may be times when in practice it is difficult to delete personal data immediately after the end of the contract period, for example when it comes to personal data in large archives.
4. Data Subject Rights Handling & Assistance
4.1. Are processors required to assist controllers with handling of data subject requests?
Data processors have a general obligation to assist the data controller in fulfilling its obligations under the GDPR. Among other things, processors should help to respond to requests for electronic register extracts and to assist the data controllers to ensure that the security of the processing is sufficient (the Data Processor Guidance).
The Agreement Guide also suggests that an example of a relevant measure is that the processor designs their systems so that they can provide the data controller with relevant information when a data subject requests, for example, an extract from the register, correction or deletion.
For further information see Sweden – Data Subject Rights.
For further information on data subject rights under the GDPR, see EU – GDPR – Data Subject Rights.
5. Processor Recordkeeping
5.1. Are processors required to keep records of their processing activities?
Similar to the GDPR, the Data Processor Guidance notes that data processors must keep a record of all categories of processing carried out on behalf of the data controller. The record shall include, among other things, the names and contact details of the data processor and the data controller, which categories of processing are carried out on behalf of each data controller, as well as information on third-country transfers and security measures. There are some exceptions to this obligation for smaller companies.
6. Security Measures
6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?
Data processors have their own responsibility to take appropriate technical and organisational measures to ensure that the level of security of the processing is adequate. Among other things, this may mean that the processor needs to consider issues such as pseudonymisation and encryption of personal data, how to ensure that systems are sufficiently secure and resilient, and how to continuously test and evaluate systems (the Data Processor Guidance).
The measures that are necessary depend on the special risks that exist with the processing. For example, processors need stronger protection if they process sensitive personal data, such as data related to health or religious beliefs (the Data Processor Guidance).
The increased responsibility of the data processor does not mean that the data controller's own responsibility is reduced. The responsibility for ensuring that the security of the personal data processed is sufficient will lie with both the data controller and the data processor (the Data Processor Guidance).
7. Breach Notification
7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?
If the processor is exposed to data breaches or in any other way loses control of the data they process, a so-called personal data incident, the processor must notify the data controller without undue delay. It may be sensible to designate where in an organisation such a reporting obligation should lie, because if a personal data incident occurs, the processor must act urgently (the Data Processor Guidance).
If an organisation is hired as a data processor by several data controllers, then it must inform all data controllers who are affected by the personal data incident (the Obligations Guidance).
The data processor is required to report to the data controller as soon as they become aware of a personal data incident. If the processor does not have all the information available from the beginning, they may communicate the information as they come to learn of it (the Obligations Guidance).
The agreement must state how the data processor is to act if it discovers a personal data incident and to whom within the data controller's organisation it must report. It must also be stated in the agreement whether the processor has been authorised to report the personal data incident directly to the IMY and, if necessary, to the data subjects who have been affected. However, note that the legal responsibility for reporting the personal data incident remains with the data controller (the Obligations Guidance).
For further information see Sweden – Data Breach.
For further information on breach notifications under the GDPR, see EU – GDPR – Data Breach.
8. Subprocessor
8.1. Are subprocessors regulated? If so, what obligations are imposed?
If a data processor wants to hire a subprocessor, it must first obtain prior written permission from the data controller. If the processor has been given a general permit to hire subprocessors, it must still inform the data controller about its plans to hire a new subprocessor, so that the data controller can object to this (the Data Processor Guidance).
The agreement between the processor and the subprocessor does not have to be identical to the agreement between the data controller and the processor. At the same time, an agreement must be concluded that subjects the subprocessor to the same obligations that the processor has towards the controller. If the subprocessor does not fulfil its obligations, the processor can, according to the GDPR, become fully liable to the controller (the Agreement Guide).
9. Cross-Border Transfers
9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?
There are no national variations. For more information see Sweden – Data Transfers.
Following the publication of the CJEU's judgment C-311/18 Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems ('Schrems II') on 16 July 2020, which generally validated the SCCs while invalidating the EU-US Privacy Shield data transfer certification mechanism, the EDPB has released its Recommendations on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data, as well as complementary Recommendations on the European Essential Guarantees for Surveillance Measures, aimed to assist controllers and processors to 'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.'
For further information on data transfers under the GDPR, see EU – GDPR – Data Transfers.
10. Regulatory Assistance
10.1. Are processors required to assist controllers with regulatory investigations?
The Data Processor Guidance notes that processors have an explicit obligation to cooperate with the IMY upon request.
The Agreement Guide also notes that a data processor may assist a data controller to:
- protect personal data;
- report a personal data incident to the supervisory authority;
- inform the data subjects of a personal data incident;
- carry out an impact assessment when required; and
- consult with the supervisory authority if the impact assessment shows that the processing would lead to a high risk for the data subjects' freedoms and rights that cannot be remedied.
11. Processor DPO / Representative
11.1. Are processors required to appoint a DPO / representative?
Data Protection Officer ('DPO')
All organisations must make their own assessment of whether they need a DPO. It may happen that a data processor needs a DPO even if its client does not need a DPO (the DPO Appointment Guidance).
In some cases, data processors are obliged to appoint a data protection officer. The obligation to appoint data protection officers includes, among others, public authorities and organisations whose activities involve high risk processing, such as regular and systematic monitoring of data subjects on a large scale or extensive processing of sensitive personal data. Instances of particularly privacy-sensitive processing may therefore require that a data protection officer be appointed from both the data controller and the data processor (the Data Processor Guidance).
The person appointed must have sufficient knowledge of data protection and receive the support and powers required to carry out his or her duties in an efficient and independent manner (the Data Processor Guidance).
For more information see Sweden – Data Protection Officer Appointment.
For further information on DPOs under the GDPR, see EU – GDPR – Data Protection Officer Appointment.
Representative
There are no national variations.
12. Supervision & Monitoring
12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?
The Agreement Guide notes that the data processor must be able to show the data controller that all the provisions of Article 28 of the GDPR have been complied with. The processor agreement itself does not have to state that the data processor must keep a record of its processing, but such a record can be one of several ways of showing that the rules have been followed. The data processor must in any case keep records of its processing in accordance with Article 30(2) of the GDPR (the Agreement Guide).
A data processor can also become liable for damages if it has violated the provisions that are specifically aimed at processors or has processed data in violation of the controller's instructions. The person who has suffered damage is in principle entitled to compensation for the entire damage from either the controller or the processor, who then have to settle the matter between themselves. However, a controller or processor has no obligation to pay compensation if it can show that it is not in any way responsible for the damage (the Data Processor Guidance).
Authored by OneTrust DataGuidance
DataGuidance's Privacy Analysts carry out research regarding global privacy developments, and liaise with a network of lawyers, authorities and professionals to gain insight into current trends. The Analyst Team work closely with clients to direct their research for the production of topic-specific Charts.