
Privacy Policy

Last updated: June 2026

1. About this Privacy Policy

1.1 Purpose and scope
Your privacy and the security of your personal data are important to us at Moll Wendén Law AB, company registration number 556648-7939 (“Moll Wendén”, “we”, “us”). In this Privacy Policy, we explain how we process personal data in our business. We strive to provide you with information about our processing of personal data in a concise, transparent, intelligible and easily accessible manner, in accordance with Article 12 of the GDPR.

This Policy covers personal data processing carried out within the scope of our legal advisory services, our wider business activities, our external communications, our recruitment processes, our whistleblowing function, our events, and our use of digital tools and communication channels.

1.2 Controller
Moll Wendén is the controller for the processing of personal data described in this Policy.

1.3 How we process personal data
We process personal data only for legitimate, specific and explicitly stated purposes. We endeavour not to process more personal data than is necessary having regard to the purpose, and we work continuously to ensure that the data is accurate, relevant and protected.

1.4 Validity
This Policy applies from 25 May 2018, as subsequently updated. Its purpose is to provide information about how we process personal data, the legal bases on which we rely, how long data is retained, and the rights that data subjects may have.

2. What is personal data?

Personal data means any information relating to an identified or identifiable natural person, such as name, contact details, personal identity number, IP address, matter-related information, or any other information that can be linked, directly or indirectly, to a living person.

3. Specific information on legal advisory services, confidentiality and professional secrecy

3.1 Legal advisory services and professional secrecy
Moll Wendén provides legal advisory services. Our processing of personal data therefore takes place not only within the framework of data protection legislation, but also against the background of the specific rules and ethical guidelines applicable to our business, including AGRD Partners’ Code of Professional Conduct (the “Code”).

Our advisers are subject to a duty of confidentiality in respect of matters entrusted to them within the scope of the advisory services, or of which they otherwise become aware in connection with such services.

3.2 Limitations on information and rights
This means that our duties of confidentiality and professional secrecy will, in many cases, affect how we can provide information about our processing of personal data. It may also affect our ability to disclose personal data, provide copies, respond fully to questions, or otherwise comply with a request from a data subject, where disclosure would contravene law, other binding regulation, the Code, or would otherwise risk adversely affecting the rights and freedoms of others. The Swedish Data Protection Act expressly limits Articles 13–15 of the GDPR to the extent that the data may not be disclosed under law or other statutory instruments.

Our starting point is always to handle personal data with a high degree of restraint, integrity and confidentiality.

4. Which categories of data subjects are covered?

The personal data we process depends on your relationship with us. This Policy mainly covers the following categories of data subjects:

  • clients who are natural persons,
  • representatives, authorised signatories, beneficial owners and contact persons of clients,
  • potential clients and other persons who contact us to enquire about legal services,
  • opposing parties who are natural persons,
  • representatives, contact persons and other persons at opposing parties,
  • other persons who appear in matters, such as opposing counsel, witnesses, experts, arbitrators, judges, mediators, guarantors, security providers, consultants, employees, board members or persons whose data appears in agreements, transaction documentation, investigations, due diligence materials or other matter documentation,
  • whistleblowers, persons identified in whistleblowing matters and other persons appearing in such matters,
  • contact persons at suppliers, collaboration partners and other business contacts,
  • participants, speakers and contact persons at seminars, lectures, webinars and other events,
  • newsletter subscribers and recipients of other mailings,
  • job applicants, internship applicants and referees,
  • visitors to our website and persons who communicate with us by email, telephone, social media or other digital channels.

5. Which categories of personal data do we process?

Depending on the context, we may process the following categories of personal data:

  • identity data, such as name, personal identity number, date of birth and information in identity documents,
  • contact details, such as address, email address and telephone number,
  • role and organisation data, such as title, position, employer, company affiliation, authority to sign for a company, ownership interest or information concerning beneficial ownership,
  • assignment and matter data, such as information relevant to accepting, administering, performing, documenting or following up an assignment,
  • communication data, such as the content of emails, letters, telephone calls, meeting notes and other correspondence,
  • control and verification data, such as data required for conflict checks, client due diligence, anti-money laundering checks, sanctions screening or identity verification,
  • financial and billing-related data, such as account numbers, payment information, invoice documentation and data required for accounting and bookkeeping,
  • technical data, such as IP address, logs, cookie-related information, data concerning the use of websites or digital systems, and other security or troubleshooting data,
  • recruitment data, such as CVs, covering letters, grades, assessments, test results, interview notes and reference information,
  • image and event data, such as photographs, registration details, participant lists and information concerning dietary preferences or accessibility requirements,
  • special categories of personal data under Article 9 of the GDPR, such as data concerning health, trade union membership, religious beliefs, political opinions or other sensitive data, where such data appears in an assignment or is otherwise necessary to process,
  • personal data relating to criminal offences under Article 10 of the GDPR, such as information concerning suspected offences, criminal judgments, coercive measures in criminal proceedings, or other data covered by the special protection for criminal offences. Such support exists, among other things, in Section 5 of the Ordinance (2018:219) containing supplementary provisions to the EU General Data Protection Regulation.

6. From where do we collect personal data?

We collect personal data from different sources depending on the context. The data may come from:

  • you,
  • our client or potential client,
  • an opposing party, opposing counsel or another external actor in a matter,
  • authorities, courts, arbitral institutions, banks or other organisations,
  • public registers, databases and other publicly available sources,
  • collaboration partners and suppliers,
  • referees and previous employers in recruitment contexts,
  • our website, social media, digital forms, mailing systems and other digital channels,
  • whistleblowing channels or persons who provide information within the scope of whistleblowing matters.

In many cases, we receive personal data indirectly because it is included in documentation, evidence, correspondence, register extracts or other material that is necessary for us to safeguard a client’s interests or fulfil our obligations.

In some cases, the provision of personal data is a statutory or contractual requirement, or a requirement necessary in order to enter into a contract. If you are a client or potential client, for example, we may need your identity and contact details in order to carry out statutory checks, enter into an engagement agreement and perform the assignment. If necessary data is not provided, this may mean that we cannot accept or perform the assignment, carry out required checks, or otherwise safeguard your interests.

Where we collect personal data from a source other than the data subject, we provide information about the processing within a reasonable period after obtaining the data, and no later than within one month, at the first communication with the data subject or, if the data is intended to be disclosed to another recipient, no later than at the time when the data is first disclosed. The obligation to provide information may be limited to the extent provided by law, professional secrecy or applicable ethical rules.

7. Why do we process personal data?

7.1 To assess whether we can accept an assignment
Before we accept an assignment, we generally need to carry out conflict checks, assess independence issues, identify the client relationship and otherwise ensure that we can act in accordance with the Code.

7.2 To carry out client due diligence and other checks required by law
Where required by applicable legislation, in particular anti-money laundering regulations, we carry out identity verification, client due diligence, verification of beneficial owners, verification of representatives and other necessary verification measures.

7.3 To enter into, administer and perform assignments
We process personal data in order to prepare, perform, document, administer and close assignments, and otherwise provide legal services.

7.4 To safeguard our clients’ interests
Within the scope of an assignment, we process the personal data necessary to analyse legal issues, conduct proceedings, negotiate, draft agreements, carry out investigations, handle disputes, complete transactions, provide advice, make legal assessments and otherwise establish, exercise or defend legal claims.

7.5 To administer client, supplier and business relationships
We process personal data in order to communicate with clients, suppliers and other business contacts, manage agreements, invoicing, payments, follow-up, quality assurance and other ongoing administration.

7.6 To communicate about our business
We process personal data in order to send newsletters, invitations, information about seminars and other relevant communications about our business to persons who have an existing relationship with us, or where such communication is otherwise relevant.

7.7 To plan, carry out and follow up events
We process personal data in connection with seminars, webinars, training sessions, networking events and other activities that we arrange or co-arrange.

7.8 To handle questions, enquiries and other external communications
When you contact us, we process your personal data in order to answer questions, assess whether we can assist you, provide service and document the communication.

7.9 To carry out recruitment
We process personal data concerning job applicants, internship applicants and referees in order to administer recruitment processes, evaluate candidates, conduct interviews, tests and reference checks, and make recruitment decisions.

7.10 To handle whistleblowing matters
When we provide or assist with a whistleblowing function, we act as controller for our own processing of personal data in connection with the assignment. We process personal data in order to receive, investigate, document, follow up and close whistleblowing matters in accordance with applicable regulations.

7.11 To ensure technical functionality, information security and business protection
We process personal data in order to maintain the security of our IT systems, for logging, troubleshooting, backups, incident management, access control and protection against misuse.

7.12 To comply with legal obligations and handle legal claims
We process personal data where required in order to comply with obligations under law, decisions by authorities or binding professional rules, and where necessary to establish, exercise or defend legal claims on our own behalf or on behalf of a client.

The more detailed connection between purposes, data categories and legal basis is set out in Appendix 1.

8. Legal bases for processing

Our processing of personal data is always supported by at least one legal basis under Article 6.1 of the GDPR.

8.1 Contract or steps prior to entering into a contract (Art. 6.1(b))
Where you are a client who is a natural person, a potential client, or otherwise yourself a party to the relationship with us, we may process your personal data in order to perform a contract with you or to take steps at your request prior to entering into a contract.

8.2 Legal obligation (Art. 6.1(c))
We process personal data where necessary to comply with legal obligations to which we are subject, for example under anti-money laundering legislation, bookkeeping rules, sanctions regulations, data protection legislation or other binding rules applicable to our business.

8.3 Legitimate interest (Art. 6.1(f))
We also process personal data on the basis of Article 6.1(f) of the GDPR where the processing is necessary for purposes relating to our legitimate interests or those of a third party, provided that the data subject’s interests or fundamental rights and freedoms do not override those interests.

Typical legitimate interests in our business include, for example, the interest in:

  • carrying out necessary conflict checks and other initial checks,
  • administering, documenting and following up client and business relationships,
  • communicating with clients, business contacts and other relevant external persons,
  • planning, carrying out and following up events,
  • maintaining security, quality and functionality in our business,
  • handling and defending legal claims,
  • and, where relevant, our client’s legitimate interest in our being able to perform the assignment effectively and appropriately.

8.4 Consent
As a general rule, we do not rely on consent as a legal basis. This is because our relationship with clients, opposing parties and business contacts typically gives rise to such an imbalance of power or contextual dependency that consent cannot be regarded as freely given within the meaning of the GDPR, and because in the vast majority of cases there is a more appropriate legal basis.

If, exceptionally, consent is used as a legal basis, for example in connection with marketing to persons with whom we have no existing relationship, we will provide clear information about this and ensure that the consent meets the GDPR requirements of being freely given, specific, informed and unambiguous. You will then always have the right to withdraw your consent, without this affecting the lawfulness of processing carried out before the withdrawal.

The more detailed connection between purposes, data categories and legal basis is set out in Appendix 1.

9. Specific information on sensitive personal data and data concerning criminal offences

In certain assignments or contexts, we may need to process special categories of personal data under Article 9 of the GDPR, for example data concerning health, trade union membership, religious beliefs, political opinions or other sensitive data.

Where such processing takes place, we always have support in a legal basis under Article 6 of the GDPR. In addition, a specific exemption under Article 9.2 of the GDPR is required.

In our business, such processing typically takes place on the basis of Article 9.2(f) of the GDPR, namely that the processing is necessary for the establishment, exercise or defence of legal claims.
There may also, in the individual case, be support in another applicable basis under Article 9.2 of the GDPR, depending on the nature of the assignment. In cases where we process dietary preferences or other health-related data in connection with events, this is done on the basis of the data subject’s explicit consent under Article 9.2(a) of the GDPR, and the data is used solely to plan and carry out the event in question.

We may also, in certain cases, process personal data relating to criminal offences under Article 10 of the GDPR. Such processing takes place only where there is support in applicable Union law or national law. For persons other than authorities, such support in Sweden follows, among other things, from Section 5 of the Ordinance (2018:219) containing supplementary provisions to the EU General Data Protection Regulation, for example where the processing is necessary in order to comply with a legal obligation under law or ordinance, or where legal claims are to be established, exercised or defended.

Such processing may occur, for example, within the scope of disputes, litigation, criminal-law related assignments, employment law matters, internal investigations, whistleblowing matters, compliance matters or other advice where the data is necessary in the individual case.

10. Profiling and automated decision-making

We do not use profiling or automated decision-making that has legal effects or similarly significantly affects data subjects. Processing of personal data in our systems and tools takes place under human control and responsibility.

11. More detailed information on certain processing situations

11.1 Clients who are natural persons
If you are a client who is a natural person, we may process identity data, contact details, financial data, verification data, communication data and matter data. Where relevant to the assignment, sensitive personal data or data concerning criminal offences may also be processed.

The purposes are to assess whether we can accept the assignment, carry out checks, perform and administer the assignment, safeguard your interests, and comply with legal and administrative obligations.

11.2 Representatives, authorised signatories, beneficial owners and contact persons of clients
If you represent a client or appear in the client’s organisation, we primarily process identity data, contact details, role and organisation data, verification data and communication data.

The purposes are to accept and administer assignments, carry out conflict checks and client due diligence measures, communicate within the assignment, fulfil instructions and handle invoicing and other administration.

11.3 Opposing parties and persons at opposing parties
If you are an opposing party or a representative, employee or contact person of an opposing party, we may process identity data, contact details, role data, communication data and other matter data necessary in order to carry out conflict checks, analyse the legal position, handle the assignment and safeguard the client’s interests.

11.4 Other persons who appear in assignments
We may process personal data concerning, for example, opposing counsel, witnesses, experts, judges, arbitrators, mediators, guarantors, security providers, employees, board members, consultants and other persons whose data appears in documentation or evidence.

The processing concerns the data necessary to perform the assignment, conduct proceedings, provide advice or otherwise safeguard the client’s interests.

11.5 Potential clients and others who contact us
If you contact us regarding a possible assignment or with a question, we normally process identity data, contact details and communication data, as well as the other data you provide in your enquiry.

The purpose is to assess whether we can assist you, handle the communication, carry out necessary checks and document the contact.

11.6 Newsletters, mailings and other marketing communications
If you subscribe to our newsletter or otherwise receive information from us, we normally process your name, email address, employer, title and information about your interests or previous contacts with us.

The processing is carried out in order to send relevant information about our business, our services and our events, and to follow up on and improve our mailings.

11.7 Events and seminars
If you register for an event, we normally process your name, contact details, title, employer, participation status and data relevant to planning and implementation. Where we collect information concerning dietary preferences or accessibility requirements, this is done on the basis of your explicit consent, and the data is used solely for the event in question. We may take photographs at physical events; if so, participants will be informed of this in connection with the event.

If we arrange events together with a collaboration partner, personal data may be shared with the collaboration partner to the extent necessary to plan, carry out or follow up the event.

11.8 Recruitment
If you apply for employment or an internship with us, we process the data you provide in your application and the data otherwise necessary to handle the recruitment process, for example CVs, grades, covering letters, interview notes, test results and references. We may also obtain data from referees specified by you, previous employers, social networking services and publicly available sources where relevant to the recruitment.

If you are a referee, we process the data needed to contact you, document your feedback and assess the candidate’s suitability.

11.9 Whistleblowing matters
When we provide or assist with a whistleblowing function, Moll Wendén is the controller for its own processing of personal data within the scope of the assignment. We process personal data concerning the whistleblower, the person or persons to whom the information relates, and other persons appearing in the matter.

This may include identity data, contact details, role data, work-related information, communication data and data concerning the circumstances reported.

The processing is carried out in accordance with applicable whistleblowing legislation and with particular regard to confidentiality, integrity and the protection interests of the persons concerned.

11.10 Suppliers and collaboration partners
If you are a contact person at a supplier or collaboration partner, we normally process your name, contact details, employer, title, contract-related data and communication data.

The purpose is to administer the relationship, enter into and follow up agreements, communicate and fulfil our obligations.

12. How do we share personal data?

We do not disclose personal data to third parties to any greater extent than is necessary and compatible with applicable law, the Code and our duty of confidentiality.

Depending on the context, personal data may be shared with the following categories of recipients:

  • clients and client representatives,
  • opposing parties, opposing counsel and other actors in a matter,
  • courts, authorities, arbitral tribunals, banks and other external actors where necessary within the scope of an assignment or required by law,
  • the Financial Intelligence Unit or another competent recipient where we are obliged to provide information under anti-money laundering regulations,
  • auditors, insurers, insurance intermediaries, debt collection agencies, external advisers and other professional recipients where necessary to safeguard our or the client’s legal interests,
  • providers of IT, communication, operations, document management and other support services that process personal data on our behalf as processors,
  • collaboration partners at joint events or activities, to the extent that sharing is necessary for the event.

Where external service providers process personal data on our behalf as processors, we ensure, through data processing agreements and other measures, that they process the data only in accordance with our instructions and with sufficient security measures.

13. Transfers of personal data outside the EU/EEA

We strive to process personal data within the EU/EEA. In some cases, however, it may be necessary to transfer personal data to countries outside the EU/EEA, for example where an assignment has an international connection, requires contact with foreign counsel, involves international transactions or disputes, or where a service provider carries out relevant processing in a third country.

If we transfer personal data outside the EU/EEA, this is done on the basis of an applicable transfer mechanism under the GDPR. The primary mechanism we apply is the European Commission’s standard contractual clauses (SCCs). Where necessary, we assess, for each supplier or transfer, whether supplementary technical, organisational or contractual safeguards are required having regard to the circumstances in the country concerned. Where applicable, we may also rely on adequacy decisions or, where the circumstances so require, on derogations under Article 49 of the GDPR.

14. How long do we retain personal data?

We retain personal data for as long as is necessary for the purpose for which it was collected and thereafter only for as long as there is legal support or a need for continued retention.

For assignment-related documents and matter documentation, the starting point is that material is archived for at least ten years from completion of the assignment, or longer if the nature of the assignment so requires. This follows from the Code.

In addition, the following mainly applies:

  • data processed for anti-money laundering purposes is retained for the period and in the manner required by applicable legislation,
  • accounting records and other accounting-related documentation are retained in accordance with accounting law requirements, normally for seven years,
  • data concerning newsletter subscribers and recipients of mailings is retained until the data subject objects, unsubscribes, or the relationship is otherwise no longer active and continued retention lacks support,
  • data concerning event participants is retained for as long as necessary for planning, implementation, follow-up, documentation and relevant future invitations, unless the data subject objects or the circumstances otherwise require,
  • data in recruitment matters is retained during the recruitment process and thereafter normally for up to two years in order to handle any claims, unless otherwise provided by law or the applicant has consented to longer retention,
  • data in whistleblowing matters is retained in accordance with the specific rules and assessments applicable to such matters,
  • data in matters relating to legal claims against or on behalf of the firm is retained for as long as necessary having regard to limitation rules and the need to establish, exercise or defend claims, normally for at least ten years,
  • technical logs, backups and incident-related documentation are retained in accordance with our security procedures and to the extent required for information security, troubleshooting, traceability and legal claims.

The more detailed retention periods for different processing operations are set out in Appendix 1.

15. Your rights

Depending on the circumstances, you may have rights under data protection legislation in relation to the personal data we process concerning you.

15.1 Right to information and access
You may have the right to obtain information as to whether we process personal data concerning you and, if so, to access that data and receive a copy of the personal data undergoing processing. You may also have the right to certain supplementary information about the processing.

15.2 Right to rectification
You may have the right to request that inaccurate, incomplete or misleading personal data be rectified or supplemented.

15.3 Right to erasure
In certain cases, you may have the right to request erasure of your personal data, for example where the data is no longer necessary for the purpose for which it was collected and there is no other legal basis for continued processing.

However, this right is limited where we must retain the data in order to comply with legal obligations, fulfil archiving obligations under the Code, handle legal claims, or otherwise where continued processing is permitted or necessary.

15.4 Right to restriction of processing
In certain cases, you may have the right to request that the processing of your personal data be restricted, for example while we verify whether data is accurate or while an objection is being assessed.

15.5 Right to object
Where our processing is based on legitimate interest, you may, on grounds relating to your particular situation, have the right to object to the processing. You always have the right to object to processing for direct marketing purposes. If you object to direct marketing, we will cease such processing.

15.6 Right to data portability
Where the processing is based on a contract with you or consent, and the processing is carried out by automated means, you may in certain cases have the right to receive personal data that you have provided to us in a structured, commonly used and machine-readable format and have it transmitted to another controller.

15.7 Right to withdraw consent
Where our processing is based on consent, you always have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

15.8 Time limits
We respond to requests to exercise rights without undue delay and normally no later than within one month of receipt of the request. If the request is complex or if we have received a large number of requests, the response period may in certain cases be extended by a maximum of a further two months.

15.9 Limitations on rights
The rights arising under data protection legislation are not absolute. In our business, they may be limited by law, other statutory instruments, the Code, professional secrecy, client confidentiality, archiving obligations and the protection of the rights and freedoms of others.

This applies in particular in assignments where a disclosure or confirmation could in itself reveal confidential information. Articles 13–15 of the GDPR do not apply to data that we are not permitted to disclose under law or other statutory instruments.

16. Personal data breaches and security

We have implemented appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, dissemination and other unlawful processing.
Our security measures include, among other things, access control, logging, backups, incident management, training, contractual arrangements with suppliers and other safeguards adapted to the risks of the business.

If a personal data breach occurs, we handle it in accordance with applicable procedures and legal requirements. Where a breach is notifiable, it will be notified to the Swedish Authority for Privacy Protection without undue delay and, where required, no later than within 72 hours of our becoming aware of the breach.

If the breach is likely to result in a high risk to the rights and freedoms of data subjects, the data subjects concerned will be informed without undue delay to the extent required by law.

17. Cookies, website and digital channels

When you use our website or other digital channels, we may process technical data and usage-related information, such as IP address, logs, cookie information and information about how our pages are used.

Such processing is carried out in order for the website to function, to improve the user experience, analyse usage, maintain security and, where relevant, communicate with you or respond to your enquiries.

For further information on how we use cookies and similar technologies, please refer to our Cookie Policy, which is available on our website.

18. Changes to the Policy

We may update this Privacy Policy. The latest version is always available on our website. If the changes are material, we will provide information about this in an appropriate manner, for example on our website or by direct communication where deemed appropriate.

19. Contact details

If you have any questions about this Privacy Policy, our processing of personal data, or if you wish to exercise any of your rights, you are welcome to contact us.

Controller:
Moll Wendén Law AB
Company registration number 556648-7939
Postal address:
Stortorget 8
211 34 Malmö
Sweden

Telephone:
040-665 65 00

Email:
info@mollwenden.se

Moll Wendén has not currently appointed a data protection officer. We continuously monitor whether the circumstances of our business change in a way that would give rise to an obligation to appoint one.

20. Complaints to the supervisory authority

If you consider that our processing of your personal data contravenes applicable data protection legislation, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), which is the supervisory authority in Sweden.

More information about how to lodge a complaint and about your rights is available on IMY’s website, www.imy.se.

– – –
Appendix – Moll Wendén Law AB – Detailed overview of our processing of personal data (pdf)