Data Privacy

Your partner in GDPR and data protection

Our data protection team has expert knowledge and experience in data protection from both advisory and in-house legal roles. We have extensive experience in the practical application of data protection law and can provide you with all the support and advice you need to succeed in your work with GDPR. 

Select the area you need help with!

We take on the role of external data protection officer and also offer seminars.

Legal advice and practical implementation of data protection programmes

Verification of GDPR implementation in audits and company acquisitions

Thematic training and company-specific training programmes

The Data Protection Specialists

Call, email, or book a free initial consultation. The choice is yours!

David Ericson

Data Protection Specialist

Mob: +46 727 44 05 64
david.ericson@legalworks.se

Tomas Jalling

Data Protection Specialist

Mob: +46 733 20 70 21
tomas.jalling@legalworks.se

Axel Tandberg

Data Protection Specialist

Mob: +46 702 23 30 10
axel.tandberg@legalworks.se

DPO for Hire – your external data protection officer!

Do you need help filling the role of external data protection officer? With DPO for Hire from LWA, you get a secure, proactive, and cost-effective solution. We take responsibility as your data protection officer (DPO) and help you comply with GDPR—while you can focus on your core business.

With DPO for Hire, you gain access to our expertise without having to hire anyone. Our consulting company, LWA Legal AB, is formally appointed as your data protection officer, and one of our data protection specialists becomes your dedicated resource and contact person. We always work closely with other specialists within LWA, giving you access to our entire collective legal expertise.   

We have extensive experience in data protection law and have served as external data protection officers for companies in various stages of development and across different industries. Regardless of where you are in your GDPR journey, we tailor our services to your needs. We believe that every customer is unique and do not believe in generic solutions and approaches – business-oriented support requires an understanding of the customer's priorities and goals.

How it works

Fixed monthly price

We agree on an appropriate scope and apply a fixed price, giving you full cost control.

Flexible agreement

No binding subscriptions; you can terminate the agreement with one month's notice.

Compliance and security

We follow current guidelines for data protection officers and help you on your journey towards GDPR compliance.

Tailored advice

We tailor our support to your needs, whether it's ongoing advice, reviews, or incident management.

Let us take care of your data protection so that you can focus on your core business.
Contact us today to discuss how we can help you!

Advice & Implementation

We provide expert legal advice and guidance on GDPR and other data protection law, whether you need help with a specific issue or a comprehensive approach to all data protection law. Our team has extensive experience in the practical management of data protection issues and can also help ensure your organisation implements the processes and procedures required to comply with external and internal regulations.

Audit and review

We support audits of your GDPR implementation and your data protection legal programme, either through active coaching or by performing audits ourselves according to an agreed scope and model. In the case of corporate acquisitions, we take care of the ‘due diligence’ aspects of GDPR and data protection issues.

Programmes

Our team includes experienced trainers and lecturers in GDPR and data protection law. Every spring and autumn, together with the Data Protection Forum, we organise the DP Academy, a high-quality, practical training course for data protection officers and others who need knowledge about the practical application of the GDPR.

Of course, we also offer customized training and education programs where we ensure that your employees receive the right training based on their circumstances and roles.

What our customers say

"David provides us with ongoing support in IT agreements and data protection issues, but has also led an extensive data protection project within Balder. He combines his knowledge in the field with a pragmatic approach, which is appreciated by the organization. David has contributed to the further development of our work and strengthened our data protection processes, enabling us to achieve sustainable compliance over time. We highly recommend David."
Eva Sigurgeirsdottir
Finance Manager, Fastighets AB Balder

"At ID06 we have a very fruitful and productive collaboration with Axel at LW Advisory, as he provides us with ongoing support, primarily in data protection matters. He acts professionally and in a solution-oriented way to resolve our internal challenges in the GDPR area and helps to ensure the legal aspects of our internal documentation. We signed a LegalPartner agreement with LW Advisory just over a year ago, which we are very happy about today."
Raymond Victorin
Corporate lawyer, ID06 AB

GDPR - frequently asked questions

Strategy and organization

No, only certain types of businesses. The requirement applies, for example, to public authorities, companies that systematically monitor individuals or that handle sensitive personal data on a large scale. However, many companies choose to have a DPO anyway to ensure compliance and build trust.

It depends on your business and risk profile. If you have many different data sources, multiple systems and extensive processing of customer or HR data, a more structured project is often required. Smaller companies can sometimes get by with targeted measures, such as drafting a privacy notice and data processing agreements.

As a rule of thumb, at least once a year or whenever there are major changes - e.g. new product, new market or new IT systems.

Documentation and contracts

A clear description of what data you process, why, on what legal basis and for how long it is stored. You should also explain the individual's rights and how to exercise them.

Yes, when the supplier processes personal data on your behalf (e.g. IT operations, cloud services or marketing tools). Without a data processing agreement, you risk both penalties and liability for the supplier's shortcomings.

Make sure to share only necessary information, use secure data rooms and anonymize or de-identify where possible. A specific NDA for data protection may sometimes be needed.

Industry-specific issues

Yes, including CCTV, handling tenants' data and credit reports. Documentation and clear procedures are crucial.

This is where GDPR and financial regulation meet. Key issues include ensuring a legal basis for know-your-customer (KYC) and payment transactions, as well as properly managing third-party technology providers.

The GDPR applies in parallel with marketing legislation. Consent is often required for emails and cookies, but there are exceptions. You must always be able to demonstrate that you have a legal basis for the contact.

Handling of sensitive personal (health) data in systems, apps and research. Extra requirements for security, storage and international transfers.

Technology and product development

Data protection should be built in from the start - "privacy by design". This means you need to consider principles such as data minimization, asset management and transparency throughout the development process.

AI solutions must not be used in a way that violates the GDPR. Common issues include the legal basis for training models, automated decision-making and transparency. A DPIA is often required here.

Risks and incidents

Identify, investigate quickly, assess risk and decide on reporting to IMY and/or data subjects. It is important to have ready-made procedures and roles internally - there is no time to build them in 72 hours.

Fines of up to €20 million or 4% of global turnover, whichever is higher. In addition, claims for damages and loss of confidence can be costly.

A DPIA (data protection impact assessment) is a structured risk analysis of a processing activity. It is required, for example, in the case of new technologies, systematic monitoring or large-scale processing of sensitive data.

Internal governance and compliance

Link the issue to business benefit and risk: avoid fines, secure customer trust and create competitive advantage. Data protection is not just a legal matter, but part of sustainable governance.

The board is ultimately responsible for ensuring that the company complies with legislation. Therefore, data protection should be reported regularly as part of the compliance agenda.

The EU requires specific safeguards (e.g. standard contractual clauses, SCC). It is also important to carry out a risk assessment of the recipient country.

Document your decisions, risk assessments and procedures. It's not enough to comply with the rules - you need to be able to show that you are doing so.

Thinking that the GDPR is a 'one-off', underestimating the importance of the supply chain, or lacking clear internal roles and procedures.
