Data privacy and data protection in Sweden

Cirio Advokatbyrå AB

Cirio Advokatbyrå AB’s Caroline Olstedt Carlström is a leading name in the Swedish market for data privacy and data protection work and acts as data protection officer for high-profile banks, stock markets, trade unions, IT suppliers and other data processors. The team regularly provides comprehensive advice on GDPR implementation and compliance issues and also assists with the handling of sensitive data on outsourcing projects, M&A transactions and the implementation of clients’ e-commerce platforms and digital services products. David Frydlinger is also a noted name in the field.

Practice head(s):

Caroline Olstedt Carlström


Caroline Olstedt Carlström is one of Sweden’s most prominent privacy lawyers. Her team has great legal experience and genuine business understanding.

Cirio, headed by Caroline Olstedt Carlström, is doing a very good job in the Swedish market and is probably the market leader.

Caroline Olstedt Carlström’s business understanding is what really separates her from being not just another legal expert. When we face difficult situations she always takes a business approach.

Caroline Olstedt Carlström stands out in the firm and in the market.

Key clients


Viking Line


Klarna Bank


Dustin Group



UC/Asiakastieto Group

Riksidrottsförbundet (The Swedish Sports Confederation)


FASAB (Service organisation to six trade unions)

Work highlights

  • Advised FABAB (a trade union administrator holding vast amounts of data) on assessments regarding data control and internal data flows.
  • Acting as data protection officer for Klarna Bank and advising on data protection impact assessments, security incidents and internal governance.
  • Advising Bankgirot on data privacy matters pertaining to its outsourcing of IT operations to Evry.

DLA Piper

With a long established practice in data privacy and an extensive global client base, DLA Piper is well-placed to handle the full suite of data issues including large-scale data processing applications, GDPR implementation and compliance work, cross-border data sharing matters and representation before the Data Inspection Board. Clients praised the firm’s provision of innovative tools and apps which help facilitate daily data privacy and protection requirements. Practice head Johan Sundberg is also part of the firm’s market-leading employment practice, and is well-placed to assist with employee data mandates.

Practice head(s):

Johan Sundberg


DLA Piper has a sound business understanding and has created many tools to simplify and enhance the implementation of complex matters, which in turn enhanced our level of compliance.

Johan Sundberg’s team has a unique business understanding of their clients and how to make privacy a business enabler in a wide range of situations.

Key clients

ICA Gruppen

ICA Sverige

ICA Handlarnas Förbund

Apotek Hjärtat

ICA Banken

AFA Försäkring

PwC Sweden

Wallenius Marine




Klarna Bank

Svensk Handel

Svensk Fastighetsförmedling


BNP Paribas Bank

SKL Kommentus


Work highlights

  • Advising on the full range of data processing activities for GE and acting as DPO for a number of its subsidiaries.
  • Assisted Svensk Handel with the drafting of sector-wide guidelines concerning the handling of personal data under GDPR in consumer loyalty schemes.
  • Advising AFA Försäkring on all data privacy issues linked to its preparations for, and implementation of, GDPR measures.

Advokatfirman Kahn Pedersen KB

The highly praised team of data protection and data privacy professionals at Advokatfirman Kahn Pedersen KB provides advice on the full spectrum of issues relating to GDPR, data sharing with third parties, data processing contracts and outsourcing issues. Stand-out individuals including practice head Johan Kahn, Daniel Lundqvist and senior specialist Martin Brinnen are advisors to high-profile insurance firms, public bodies, IT companies, financial institutions, online advertising platforms and retailers. The group also leverages the firm's wider IT expertise and is a go-to name for matters relating to the data protection aspects of cloud computing operations and digitalisation projects.

Practice head(s):

Johan Kahn


Quick, agile and professional.

The team offers value-driven advice appropriately adapted to the client’s size and needs.

Kahn Pedersen is clearly the leading firm for IT and data protection in Sweden. It is indeed a highly specialised practice which would never be in the shadow of any other practice groups such as could be the case with full-service firms. I would like to emphasize the firm’s deep legal knowledge, negotiation skills, solutions-oriented drive and creativity.

A pragmatic and down-to-earth team that is really nice to work with.

Young, fast and unpretentious.

Daniel Lundqvist has a hands-on approach, is alert and available.

Johan Kahn has a constructive and highly skilled way of dealing with challenging situations.

Daniel Lundquist is a great negotiator and has the ability to structure and manage complex projects in a very efficient and successful manner.

Martin Brinnen is extremely knowledgeable when it comes to data protection issues. His long experience with the supervisory authority clearly makes him the leading data protection expert in Sweden.

Martin Brinnen has an unusually deep experience in the data protection field, having a background working at the supervisory authority. His combination of knowledge in the data protection field as well as the experience from drafting legislation was of great value to us. He delivered quality results in a very effective way, and was always responsive to our needs.

Key clients

Länsförsäkringar AB

Getswish AB

Svensk Handel Juridik

Nordic Growth Market AB

Fortum Group (including Stockholm Exergi)

Landshypotek Bank AB

Munters AB


Akelius Residential Properties AB

Midroc Europe AB

Vossloh Group

Work highlights

  • Advised leading insurance company Länsförsäkringar on its large-scale GDPR project.
  • Advised Setswish, a provider of digital payment solutions, on data protection issues relating to sourcing procedures and service design.
  • Advised Midroc Europe on GDPR implementation work, data sharing issues, processing agreements and online marketing matters.

Mannheimer Swartling

Mannheimer Swartling is a prominent name in the field of data protection and privacy under the leadership of corporate sustainability and risk management group head Erica Wiking Häger. Alongside advice on the full scope of GDPR compliance work including implementation strategies and policy work, the team also assists multinational clients with cross-border data sharing and cybersecurity issues, breach prevention strategies, data processing agreements and matters relating to the use of facial recognition techniques. Clients regularly originate in regulated sectors including the financial services and telecoms industries; other key sectors include the healthcare, life sciences, retail, automotive and digital media arenas. Niklas Sjöblom leads the Gothenburg-based team.


Erica Wiking Häger is excellent.

Erica Wiking Häger is an excellent lawyer – responsive, solutions oriented and extremely knowledgable.

Erica Wiking Häger is exceptionally knowledgeable in GDPR and brings an expertise to the table which combines compliance and privacy.

Erica Wiking Häger is super good – very efficient and practical!

Key clients







Work highlights

  • Assisted cash-management company Loomis with its GDPR implementation project.
  • Advised real estate company Castellum on its GDPR compliance strategy.
  • Assisted electronics company Hexagon with designing and implementing a global data protection compliance programme.


Setterwalls is an established name for data privacy and data protection matters and advises a client roster of domestic and international corporates on the full scope of issues. Noteworthy instructions for Fredrik RoosJörgen S. Axelsson and specialist counsel Bobi Mitrovic involve privacy matters pertaining to the design and usage of e-commerce platforms and other technology systems. Marcus Svensson is a go-to name for GDPR compliance work for life sciences and medtech clients handling patient data. The team also has expertise in blockchain-related data work.


Pragmatic and to the point with a practical, balanced view.

Easy to get in touch with. They helped us with our GDPR project in a very competent way.

Fredrik Roos is an excellent support- he is my main go-to person for most issues and he has a great track record in getting new associates up and running quickly.

Fredrik Roos and Bobi Mitrovic gives quick and competent answers.

Setterwalls has a knowledgeable and committed team helping us with our different GDPR questions. They do the work in an efficient and trustworthy which we are very satisfied with.

Key clients

Mapillary AB

Safeture AB

Novo Nordisk Scandinavia AB

Alligator Bioscience AB

Harvey Nash

Trustly Group AB

Volvofinans Bank AB

Ford Motor Company AB

Health and Social Care Inspectorate

Meniga Sweden

Work highlights

  • Carried out a global GDPR project for Harvey Nash.
  • Advising Alligator Bioscience on its GDPR compliance issues including matters relating to the processing of personal data in clinical studies.
  • Advised security services provider Safeture on its GDPR project including drafting a data protection impact assessment.

Baker McKenzie

Peder Oxhammar and associate Jennie Nilsson lead on Baker McKenzie’s data privacy mandates, with noteworthy recent examples involving providing cross-jurisdictional support on implementing clients’ digital services and products, which involve high levels of user data; the team also provides general GDPR regulatory assistance. The diverse client base encompasses names from the retail, automotive, home appliances and healthcare sectors.

Practice head(s):

Peder Oxhammar; Jennie Nilsson


Provides expertise, pragmatism and attention to a clients’ needs.

Jennie Nilsson is practical and hands on, with a solid understanding of the business needs as balanced against compliance requirements in what is still an uncertain field.

Key clients


KRY (Webbhälsa AB)


Work highlights

  • Advising e-doctor platform KRY on the implementation of its services across Europe, which involves regulatory and data privacy issues.
  • Advising Storytel (a streaming platform for audio books) on its data privacy issues.
  • Providing data privacy guidance to directory platform Eniro.

Advokatfirman Cederquist KB

An extensive list of corporate clients from the financial services, insurance, construction and medtech sectors instructs Advokatfirman Cederquist KB on a range of data privacy and data protection issues. Practice co-heads Johanna Linder and Malin Allard advise on GDPR implementation projects and ongoing compliance support issues, data processing agreements, data breach responses and the use of user data for marketing and advertising purposes; associate Isabelle Emanuelsson regularly assists with the latter.

Practice head(s):

Johanna Linder; Malin Allard


All individuals are exceptional in their own way, the leadership seems to be good and you can tell that the firm is an employer where people genuinely like to work.

Johanna Linder is incredibly intelligent and has an eye for talent.

Sara Andersson is a true talent with extraordinary capacity.

Isabelle Emanuelsson builds trust like no counsel I have met.

Matilda Sanfridson brings much energy into the assignment.

Provides fast, pragmatic and hit-the-ground-running advice.

Key clients

PostNord AB

Lantmännen ek för

Bonnier Broadcasting

Skanska Fastigheter

Föreningen Svensk Elitfotball

Mr Green & Co.

Elekta AB

BillerudKorsnäs AB

Björn Borg AB

Bonava AB

Acast AB

GG Entertainment AB

Work highlights

  • Assisting agriculture company Lantmännen Group with its GDPR compliance relating to digital marketing based on user data.
  • Assisting PostNord, which retains data of the entire Swedish population, with maintaining compliance with GDPR.
  • Planning and structuring Skandia Fastigheter’s GDPR compliance project.

Advokatfirman Delphi

Agnes Hammarstrand is Advokatfirman Delphi’s go-to data privacy expert and leads the Gothenburg-based team, which advises on GDPR compliance work, data processing issues, online expansion matters and the privacy elements of IoT services. A substantial number of retailers feature on the group's client list, which also includes construction companies, student services businesses and car manufacturers.

Practice head(s):

Agnes Hammarstrand

Hannes Snellman

Hannes Snellman provides data privacy and protection expertise to clients across the financial services, telecoms, media and public sectors. Practice head Elisabeth Vestin is particularly praised for her analysis of data protection risk related to the procurement of cloud computing, IT systems and e-commerce platforms. The team also handles the full scope of GDPR assistance from implementing compliance programmes to reviewing internal policies and procedures.

Practice head(s):

Elisabeth Vestin


Working together with Elisabeth Vestin always creates the impression of working with an internal colleague. She is advising on a highly professional level, but at the same time, always argues down to earth and calmly while having our business interests in focus.

The team has deep knowledge within the legal field of data protection and privacy legislation. They are also quick to understand what issues are critical to us as a client and provide legal advice based on our specific requirements as we work in a highly policy-driven environment.

Elisabeth Vestin and Anna Ribenfors are standout. They are highly knowledgeable within their fields of expertise and have, what I find essential, in-house legal experience. This means that the legal advice provided is presented in a format which makes it easy for me to understand the key issues.

Key clients

Hi3G Access AB

SAP Svenska AB

Seeburger Group

Card Group

Ramirent Group

Work highlights

  • Structured and established a GDPR compliance programme for telecoms operator Hi3G Access.
  • Advised Swedish public entity Kammarkollegiet on Cloud Act and GDPR compliance issues applicable to the use of a web-based office suite.
  • Assisted Card Broup International with its GDPR compliance programme.


Roschier’s data protection practice counts notable IT, media, technology and telecoms clients on its roster. The group is headed up by Björn Johansson Heigis and handles large-scale GDPR programmes and provides ongoing support on data breaches, data processing agreements and audits. A number of senior associates including Johan Gerhardsson, Hanna Tilus and Emmy Petterson assist across all mandates including M&A and outsourcing transactions involving sensitive customer data.

Practice head(s):

Björn Johansson Heigis

Key clients

Telia Corporation

Epic Systems Corporation


Bonnier News

Work highlights

  • Advising Telia on all matters relating to GDPR including conducting a readiness audit covering the company’s functions and jurisdictions.
  • Advising Epic Systems on the handling of sensitive patient data for the delivery of IT projects.

Advokatfirman Vinge

At Advokatfirman Vinge, Henrik Borna is co-head of the TMT practice and advises on GDPR implementation and compliance issues and the processing of personal data. Fellow co-head Eva Fredrikson is a key name for commercial agreements, and Nicklas Thorgerzon, who co-manages the data privacy and data protection practice with Emelie Svensäter Jerntorp, handles data privacy projects for domestic and international clients. The team has recently advised clients from the telecoms, publishing, media, financial, security, retail and technology sectors.

Practice head(s):

Eva Fredrikson; Henrik Borna

Key clients




Ambea AB

Aller Media

ForSea AB (former HH Ferries)


Work highlights

  • Advised Tele2 on the data protection aspects of its merger with Com Hem.
  • Assisted Mastercard with the data elements of its cooperation with P27 Nordic Payments Platform relating to the establishment of the infrastructure for a new joint payment system in the Nordics.
  • Advised Ellevio on the data aspects of a public procurement relating to the supply of smart electricity meters.

Advokatfirman Westermark Anjou AB

At boutique firm Advokatfirman Westermark Anjou AB, group co-head Karolina Pekkari is a noted GDPR specialist who, with fellow co-head Johan Åberg, assists a diverse array of clients with their implementation processes. The team also provides ongoing support on regulatory compliance work and advises on data processing operations for businesses in the mining, engineering, IT, media, real estate and e-commerce sectors.

Practice head(s):

Karolina Pekkari; Johan Åberg


Very good business understanding gave us a very smooth and efficient process of implementation.

Cost efficient and hands-on advice in GDPR matters.

Professional and client oriented.

A highly competent and available team. A good number of specialists divided on different areas of expertise with a clear chain of command. Quick response on questions and issues.

Karolina Pekkari stands out for her clear and concise advice on data privacy matters and her good understanding of how to present things in a way which will be understood by the business. She is a likeable person who you want to call when you need advice or need to discuss a data privacy matter.

We always felt that whether a small errand or big project, the service and engagement were of the same high level.

I found Karolina Pekkari to be very attentive to the client’s problems and challenges and able to manage complex and critical issues under a heavy time pressure while constantly presenting deep knowledge within the field of data protection and general legal matters.  Further, me, my team and the client highly appreciated her good cooperation skills and her ability to explain the most complex applications of GDPR in a practical and useful way which in turn facilitated the project process. I consider Karolina Pekkari to be a highly professional solicitor who I would strongly recommend and hopefully will find an opportunity to work together with again.

Karolina Pekkari provides efficient, good advice and knowledge of our sector.

Johan Åberg always gives us professional consultation on all our questions regarding GDPR.

Johan Ãberg’s understanding of the GDPR framework and how to adapt our procedures to it is unmatched on the Swedish market. This paired with an understanding of our business and our business requirements makes him an excellent adviser to us.

Key clients

Boliden AB

IBM Svenska AB

Delivery Hero Sweden AB


Work highlights

  • Implemented and provided advice to mining company Boliden on its cross-border GDPR programme.
  • Advised IBM Svenska AB on the implementation of GDPR.
  • Advised Delivery Hero Sweden on the implementation of GDPR.

Bird & Bird

Data privacy mandates for Bird & Bird’s clients are handled by commercial practice head Mattias Lindberg, who recently joined from Affärsadvokaterna i Sverige AB to expand the firm's expertise. The team is handling GDPR compliance projects, data processing agreements and cross-border data sharing issues for clients in cutting-edge sectors including the fintech, medtech and life sciences industries. As an integrated offering with the firm's corporate and commercial practice, the group also routinely advises on data privacy issues arising from M&A transactions.

Practice head(s):

Mattias Lindberg

Key clients

AB Svensk Bilprovning

Tredje AP-fonden

Aleris X


RCO Security AB

Åke Sundvall Byggnads

Atomia AB

Orio AB


Work highlights

  • Providing strategic advice to Aleris X on the handling of personal data under GDPR for its web-based patient programme.
  • Negotiated data processing agreements for Åke Sundvall Byggnads’ customers and clients, as well as advising on the full scope of GDPR compliance.
  • Advising automotive company Orio on its GDPR compliance implementation project.

EY Law

David Ericson is a noted GDPR expert who, with Anna Byström, leads EY Law’s data privacy and data protection work as joint heads of the digital law practice. The team focuses on GDPR implementation and compliance projects and also handles training sessions, drafts data processing agreements and advises on data breaches. The client base includes banks, digital education platforms, recruitment companies, insurance firms and other companies with substantial personal data usage.

Practice head(s):

David Ericson; Anna Byström

Key clients

Barilla Sverige AB

Actic Group

Jurek Bemanning

DigiExam Solutions

Sweden AB

Nordnet Bank

Work highlights

  • Advising on GDPR compliance for Barilla Sverige as the client’s appointed data protection officer.
  • Assisted recruiting agency Jurek Bemanning with the assessment and implementation of GDPR including conducting workshops and drafting relevant privacy policies.
  • Advised Actic Sverige on the transfer of data following a company acquisition.

Magnusson Advokatbyrå

Magnusson Advokatbyrå’s data privacy and data protection mandates are handled by Helena Rönqvist and Caroline Landerfors. The team’s expertise includes drafting data processing agreements for sensitive patient and customer data, advising on internal GDPR audits and the necessary policy drafting, and assisting with data protection impact assessments. The client roster includes names in regulated sectors including the pharmaceuticals, healthcare, insurance and financial services industries.

Key clients

Aon Sweden AB

ICA Banken AB

Work highlights

  • Providing ongoing GDPR compliance advice to ICA Banken.

Morris Law

The group at Morris Law includes Jonas Toll and senior associates Henrik Almström and Siri Mårtensson, who provide the firm's client roster with data privacy and data protection support including transactional advice and guidance through the GDPR implementation process. The team also assists with auditing existing internal policies and advises on regulatory compliance.


The data privacy team at Morris Law has provided good support and advice in all matters they have been entrusted with a business-focused approach.

Key clients

White Arkitekter AB

Yellow Brand Protection AB

Campadre Scandinavia AB

G-Star RAW C.V.

New Wave Group AB

Work highlights

  • Provided GDPR compliance advice on Yellow Brand Protection’s sale to Corsearch.
  • Assisted White Arkitekter with managing personal data questions and GDPR compliance.

Synch Advokat AB

The data protection team at Synch Advokat AB advises on full-scale GDPR compliance and implementation projects, personal data transferals and data processing agreements for cutting-edge clients across the IT, consumer electronics, digital media, life sciences and retail sectors. The team has recently expanded with the addition of Gunilla Modén and associate Dena Dervanović from in-house roles, who bring extensive expertise and advise clients on data breaches, impact assessments and internal audits. Mathilda Nordmark heads up the practice.

Practice head(s):

Mathilda Nordmark


The team is ambitious and has good knowledge of the subject matter.

Key clients


Electronics Nordic AB

Industrial and Financial Systems AB

Capgemini Sverige AB

Sogeti Sverige AB

Collective Minds Radiology AB

Resurs Bank AB