Privacy Notice

Privacy, explained. Here’s what we collect, why, and how you stay in control.

1. Introduction

 

This Privacy Notice explains how LEAD Advokatbyrå Aktiebolag (“LEAD”, “we”, “our” or “us”) processes personal data in the course of our law firm activities.

We process personal data in accordance with:

  • the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”),
  • the Swedish Data Protection Act and other applicable Swedish legislation, and
  • the rules and guidelines of the Swedish Bar Association, including requirements on client confidentiality and archiving.

We want you to understand how and why we process personal data and what rights you have in relation to that processing.

This Privacy Notice applies to the processing of personal data relating to, among others:

  • clients and their representatives,
  • potential clients and their representatives,
  • counterparties and other persons involved in client matters,
  • suppliers, consultants and other business partners,
  • visitors to our website and users of our digital channels,
  • recipients of newsletters and other marketing communications,
  • participants in seminars, events and webinars,
  • job applicants and references.

If you have any questions, you are always welcome to contact us (see section 3 below).

 

2. Key terms

 

  • Personal data means any information that can be linked, directly or indirectly, to a living individual (for example, name, contact details, ID number, email, IP address).
  • Processing means any operation performed on personal data (for example, collection, registration, storage, use, disclosure or deletion).
  • Controller means the organisation that determines why and how personal data is processed.
  • Processor means an organisation that processes personal data on behalf of a controller.

 

3. Data controller and contact details

 

Controller

LEAD Advokatbyrå Aktiebolag

Reg. No. 559551-9215

LEAD is the controller for the processing of personal data described in this Privacy Notice, unless explicitly stated otherwise in a specific situation.

Privacy contact

If you have questions about how we process personal data or wish to exercise your rights, you can contact us via:

When you contact us, please do not include more personal data than necessary for us to handle your request.

 

4. When we collect personal data, and what we process

 

We process personal data in many situations, for example, when you:

  • engage us, or are involved in a matter in which we are instructed,
  • represent a client, counterparty, authority or other organisation in a matter,
  • visit our website or interact with us via email or other digital channels,
  • sign up for newsletters, events or webinars,
  • are a supplier, consultant or other business contact,
  • apply for a position or internship with us,
  • are mentioned in documentation we receive or prepare in our work.

| Category | Examples |
|---|---|
| Identification and contact details | e.g. name, address, email address, telephone number, personal identity number/date of birth, title, employer, role, signatures. |
| Client and matter-related information | e.g. information about assignments, correspondence, documents, case history, contracts, pleadings, evidence, notes and other material produced in the matter. |
| KYC/AML information | e.g. copies of identity documents, beneficial owner information, information about political exposure, nationality, ownership and control structures, sanctions-screening information. |
| Financial information | e.g. invoicing details, bank account information, payment references, tax information. |
| Recruitment information | e.g. CV, cover letter, grades and certificates, interview notes, test results, references, information from professional social media accounts you use in the process. |
| Marketing and event information | e.g. your preferences regarding marketing, language selection, registration and participation in events, food preferences (when you choose to provide them), photos or recordings from events. |
| Technical data and website usage data | e.g. IP address, device information, log information and information from cookies and similar technologies used on our website. |

Depending on the specific matter or situation, we may also process special categories of personal data (e.g. data concerning health, trade union membership or ethnicity) or data relating to criminal convictions and offences, when this is necessary and permitted by law for a client matter or to fulfil statutory obligations (such as under anti-money laundering legislation).

 

5. For what purposes and on what legal bases we process personal data

 

Below we describe the main purposes for which we process personal data and the legal bases we rely on.

For each purpose, the subsections below set out, in this order: the purpose and associated activities, the typical categories of data, and the legal basis.

5.1 To accept, perform and administer client engagements


Purpose and associated activities: We process personal data in order to: evaluate and accept new engagements; plan, perform and follow up legal services; communicate with clients and others involved in the matter; keep internal records (time recording, file management, documentation); invoice and handle payments; and archive and store matter documentation.

Typical categories of data: Identification and contact details, client and matter-related information, financial information, correspondence and documentation created or obtained in the matter.

Legal basis:

  • Performance of a contract with you as a client (Article 6.1(b) GDPR), where you are the client as a natural person.
  • Legitimate interest (Article 6.1(f) GDPR) where the client is a legal person or where we process personal data of other individuals involved in a matter (e.g. representatives, counterparties, witnesses, experts). Our legitimate interest consists of performing and administering our legal services and protecting our clients’ interests.
  • To the extent processing is necessary to fulfil obligations under Swedish law or the rules of the Swedish Bar Association, the legal basis is legal obligation (Article 6.1(c) GDPR).
  • Where the matter requires processing of special categories of data or data relating to criminal convictions and offences, we do so only when: it is necessary for the establishment, exercise or defence of legal claims (Article 9.2(f) GDPR and corresponding provisions for criminal-offence data in Swedish law), and/or it is necessary to comply with specific legal obligations (such as the Anti-Money Laundering Act).

5.2 Know-your-customer (KYC), anti-money laundering and sanctions screening


Purpose and associated activities: Before we accept certain engagements and while we act for clients, we are required by law to carry out checks relating to: client identity and beneficial owners, political exposure (PEP), and sanctions and other AML-related controls.

Typical categories of data: Identification and contact details, information from ID documents, information on ownership and control, information about political exposure, nationality, information from sanctions and AML checks, and related documentation.

Legal basis:

  • Legal obligation (Article 6.1(c) GDPR), primarily under applicable anti-money laundering and sanctions legislation and the Swedish Bar Association’s rules.
  • Where these checks involve special categories of data or data relating to criminal convictions and offences, the processing is based on the same legal obligations and the national provisions that permit such processing for anti-money laundering and sanctions purposes.

5.3 Conflicts of interest checks and risk management


Purpose and associated activities: We process personal data to check for conflicts of interest and to manage risk in line with professional and regulatory requirements.

Typical categories of data: Identification and contact details, matter descriptions, information about roles and relationships relevant to conflicts of interest.

Legal basis:

  • Legitimate interest (Article 6.1(f) GDPR) in complying with professional and ethical obligations and avoiding conflicts of interest.
  • To the extent specific obligations follow from law or Bar rules, legal obligation (Article 6.1(c) GDPR).

5.4 Managing relationships with suppliers, consultants and other business partners


Purpose and associated activities: We process personal data to: evaluate and onboard suppliers and consultants; manage contracts, deliveries and correspondence; administer invoicing and payments; and manage access to our premises or systems when needed.

Typical categories of data: Identification and contact details, role and employer, financial and invoicing information, correspondence and contract-related documentation, and access logs where relevant.

Legal basis:

  • Performance of a contract (Article 6.1(b) GDPR) where we contract with you personally as a natural person.
  • Legitimate interest (Article 6.1(f) GDPR) where we contract with a legal person and process data of its representatives. Our legitimate interest consists of managing our business relationships and ensuring proper performance of contracts.
  • Legal obligation (Article 6.1(c) GDPR) for processing necessary under accounting, tax or other mandatory rules.

5.5 Marketing, newsletters, events and webinars


Purpose and associated activities: We process personal data to: send newsletters, legal updates and information about our services; invite you to, organise and follow up on events, seminars and webinars; manage registration and attendance; adapt our communications and maintain our contact lists; and document and, in some cases, publish material from events (for example on our website or social media).

Typical categories of data: Identification and contact details, role and employer, language and communication preferences, registration and participation information, food preferences (if provided), and in some cases photos, audio or video recordings.

Legal basis:

  • Legitimate interest (Article 6.1(f) GDPR) in marketing and developing our services and maintaining professional contacts.
  • For certain types of electronic marketing where consent is required under applicable marketing rules, we rely on consent (Article 6.1(a) GDPR).
  • Where we process information about food preferences that may reveal health-related information, we do so based on explicit consent (Article 9.2(a) GDPR) that you may withdraw at any time.

You can always opt out of marketing by following the unsubscribe instructions in each message or by contacting us.

5.6 Website, cookies and digital services


Purpose and associated activities: When you visit our website or interact with our digital services, we process personal data to: enable the basic functionality of the website, maintain IT security, analyse and improve the use and performance of the website, and remember your choices (e.g. language settings).

Typical categories of data: IP address, device and browser information, log data and information from cookies or similar technologies.

Legal basis:

  • For technically necessary cookies and corresponding processing, our legitimate interest (Article 6.1(f) GDPR) in providing a secure and functional website.
  • For other cookies (such as analytics or marketing cookies), we rely on your consent (Article 6.1(a) GDPR) obtained through our cookie banner.

More detailed information can be found in our separate Cookie Policy [link / reference].

5.7 Recruitment and HR


Purpose and associated activities: We process personal data to: manage applications for employment, internships and other programmes; assess candidates; arrange interviews, tests and other recruitment steps; contact references; comply with legal requirements relating to recruitment and discrimination; and handle any claims in relation to recruitment.

Typical categories of data: Identification and contact details, information in CVs and cover letters, grades and certificates, work experience, references, interview notes, test results, and other information you or your references choose to provide.

Legal basis:

  • Legitimate interest (Article 6.1(f) GDPR) in conducting recruitment processes and evaluating candidates.
  • Legal obligation (Article 6.1(c) GDPR) where we must comply with labour law or equality/discrimination law.
  • Consent (Article 6.1(a) GDPR) when we ask to keep your data for future opportunities beyond the current process.

You may withdraw any consent you have given at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

5.8 Compliance with legal obligations and protection of our rights


Purpose and associated activities: We process personal data when necessary to: comply with legal obligations under, for example, accounting, tax, company, anti-money laundering and other mandatory rules; respond to requests from authorities and courts where we are required to do so; and establish, exercise or defend legal claims, including in relation to our own business (e.g. fee disputes, liability matters, employment disputes).

Typical categories of data: Any of the categories mentioned above, depending on the specific obligation or claim.

Legal basis:

  • Legal obligation (Article 6.1(c) GDPR).
  • Legitimate interest (Article 6.1(f) GDPR) in establishing, exercising and defending legal claims.

5.9 Business transfers and structural changes


Purpose and associated activities: In the event of a merger, acquisition, reorganisation or similar transaction affecting LEAD, personal data may need to be processed in connection with the planning and implementation of the transaction.

Typical categories of data: (No categories of data explicitly listed in this section)

Legal basis: Legitimate interest (Article 6.1(f) GDPR) in facilitating and completing such transactions, subject to confidentiality and appropriate safeguards.

5.10 Use of AI-based tools and cloud services

We may use AI-based tools and other cloud services to support our work, for example to search and review documents, assist with drafting and maintain our systems. The processing is normally based on our legitimate interest in providing efficient and high-quality legal services and managing our business, and where relevant on the performance of our contract with you. When we use external providers, we ensure appropriate confidentiality obligations, data protection terms and, where applicable, lawful safeguards for transfers outside the EU/EEA. We do not allow such providers to train general models on identifiable client or matter data.

6. From where do we obtain personal data

 

We collect personal data:

  • directly from you, for example, when you:
    • engage us or contact us,
    • attend meetings or events,
    • correspond with us by email or other channels,
    • apply for a role,
    • visit our website;
  • from the client that we represent and other parties in a matter, including:
    • counterparties and their advisors,
    • authorities and courts,
    • other counsel and experts,
    • banks and other financial institutions;
  • from your employer or colleagues, when they list you as a contact person or representative;
  • from publicly available or external sources, such as:
    • public registers and databases,
    • company registers and beneficial ownership registers,
    • sanctions lists and other AML-related information services,
    • public websites and professional social networks.

We only collect information that is relevant and necessary for the purposes described in this Privacy Notice.

 

7. Obligation to provide personal data

 

In some situations, providing certain personal data is necessary:

  • to enter into or perform a contract with you or the organisation you represent,
  • to comply with statutory KYC/AML obligations or other legal requirements,
  • to enable us to represent you or a client in a matter.

If the required data is not provided, we may not be able to:

  • accept or continue an engagement,
  • fulfil our contractual obligations,
  • comply with legal obligations that apply to us.

Where providing personal data is voluntary (for example, for marketing or events), we will make that clear and explain any consequences of not providing the data (usually that you cannot receive the communication or participate in the specific event).

 

8. With whom we share personal data

 

We only share personal data when this is necessary and lawful. Depending on the situation, we may share personal data with:

  • Courts, authorities and counterparties, including:
    • courts and arbitral tribunals,
    • supervisory and law-enforcement authorities,
    • other public bodies,
    • counterparties and their advisors;
  • Other professional advisers and experts, such as:
    • other law firms (for example, as local counsel),
    • auditors, consultants, experts, translators;
  • IT and other service providers, such as:
    • providers of practice-management, document-management and communication systems,
    • hosting and cloud service providers,
    • providers of tools for document review and e-discovery,
    • providers of event and webinar platforms;
  • Banks and payment service providers, in connection with payments;
  • Co-organisers of events and training, such as venues, caterers and collaboration partners who need certain information (e.g. participant lists, food preferences);
  • Potential buyers or partners in connection with business transfers or reorganisations, subject to confidentiality.

When we use service providers that process personal data on our behalf, we enter into data processing agreements to ensure that personal data is processed in accordance with our instructions and with adequate security.

 

9. Transfers outside the EU/EEA

 

As a general rule, we and our processors process personal data within the EU/EEA.

If personal data is transferred to or accessed from a country outside the EU/EEA (a “third country”), we will ensure that such transfer is lawful, for example by:

  • ensuring that the European Commission has decided that the country provides an adequate level of protection, or
  • entering into the European Commission’s standard contractual clauses (SCCs) with the recipient, combined with supplementary safeguards where necessary, or
  • relying on another lawful derogation, such as where the transfer is necessary for the establishment, exercise or defence of legal claims.

You may contact us for further information about transfers outside the EU/EEA and, where applicable, to obtain a copy of the relevant safeguards.

 

10. How long do we keep personal data

 

We keep personal data only for as long as necessary for the purposes for which it was collected, or for as long as we are required to do so by law or professional rules.

Retention periods vary depending on the type of processing.

| Type of Data | Retention Period / Criteria |
|---|---|
| Client and matter-related data | In line with the rules of the Swedish Bar Association, client files and related personal data are normally retained for at least 10 years from the date the matter is concluded, or longer if required by the nature of the matter. |
| KYC/AML data | Data processed solely for anti-money laundering purposes is typically retained for 5 years from the end of the business relationship or one-off transaction, and may be retained for up to 10 years when allowed or required under AML rules. |
| Accounting and tax data | Data that forms part of our accounting records is retained for 7 years in accordance with the Swedish Accounting Act. |
| Marketing and contact lists | Personal data used for marketing and maintaining contact lists is processed for as long as we maintain an active relationship with you or until you object or unsubscribe. Information about your opt-out may be kept for a limited period (for example up to 3 years) to ensure that we respect your choice. |
| Event data | Registration data is generally retained for a limited period after the event. Data needed for accounting purposes (e.g. attendance lists used as supporting documentation) is retained for 7 years. Photos and recordings from events used for marketing are kept for as long as they remain relevant, unless you object or withdraw consent (where consent is the legal basis). |
| Recruitment data | Data relating to a specific recruitment process is normally retained during the process and for up to 6 months after it has concluded, unless a longer period is necessary for the handling of potential discrimination or other legal claims. Where you have consented to us keeping your data for future opportunities, we keep it for a longer specified period (for example up to 3 years) or until you withdraw your consent. |
| Legal claims | Personal data necessary for the establishment, exercise or defence of legal claims may be retained for as long as such claims can be brought or are ongoing, taking into account statutory limitation periods. |

When personal data is no longer needed, and there is no legal or professional requirement to retain it, we will delete or anonymise it in a secure manner.

 

11. Automated decision-making

 

We do not use personal data for automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.

 

12. Your rights

 

Under the GDPR, you have a number of rights in relation to our processing of your personal data. However, some rights may be limited by our legal obligations, professional secrecy (advokatsekretess) and the Swedish Bar Association’s rules, which may require us to keep certain information confidential or archived. Professional secrecy and these rules mean, for example, that we may not be able to provide access to or erase personal data contained in client files where this would breach client confidentiality, harm our clients’ interests, conflict with statutory archiving or AML obligations, or adversely affect the establishment, exercise or defence of legal claims. In such cases, we limit access and use of the data as far as possible and inform you about any restrictions to the extent we are allowed to do so.

Subject to these limitations, your main rights are:

  • Right of access: You can request confirmation of whether we process personal data about you and receive a copy of such data, together with further information about our processing.
  • Right to rectification: You can request that we correct or complete personal data that is inaccurate or incomplete.
  • Right to erasure (“right to be forgotten”): In certain cases, you can request that we erase your personal data, for example, when the data is no longer necessary for the purposes for which it was collected or when processing is based on consent that you withdraw. We cannot erase data when we are legally required to retain it or when it is necessary for the establishment, exercise or defence of legal claims.
  • Right to restriction of processing: In certain cases, you can request that we temporarily restrict our processing of your personal data, for example, while we assess a request for rectification or objection.
  • Right to object: You can object to processing that we carry out based on our legitimate interests. We must then show compelling legitimate grounds to continue the processing, unless the processing is necessary for legal claims. You always have an absolute right to object to the processing of your personal data for direct marketing.
  • Right to data portability: When we process your personal data on the basis of consent or a contract and by automated means, you can request to receive the data in a structured, commonly used and machine-readable format and to have the data transmitted to another controller where technically feasible.
  • Right to withdraw consent: When our processing is based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us using the contact details in section 3.

We may need to verify your identity to protect your privacy and that of others. We will handle your request as soon as reasonably possible and in any case within the time limits set out in the GDPR.

 

13. Right to lodge a complaint

 

If you are dissatisfied with how we process your personal data, you are welcome to contact us in the first instance so that we can try to resolve the issue.

You also have the right to lodge a complaint with the competent supervisory authority. In Sweden, this is: Integritetsskyddsmyndigheten (IMY). Website: www.imy.se 

Contact details and current information can be found on IMY’s website.

If you reside or work in another EEA country, you may instead contact the supervisory authority there.

 

14. How we protect personal data

 

We take appropriate technical and organisational security measures to protect personal data against, for example, loss, misuse, unauthorised access, alteration and destruction.

These measures include:

  • access control and role-based authorisation,
  • secure communication channels and encryption where appropriate,
  • routines for backup, incident management and continuity,
  • internal policies and training for employees regarding information security and data protection.

Only persons who need access to personal data to perform their tasks have such access.

If a security incident occurs that is likely to result in a high risk to your rights and freedoms, we will inform you in accordance with applicable legal requirements.

 

15. Changes to this Privacy Notice

 

We may update this Privacy Notice from time to time, for example when our processing changes or when applicable law or guidance is updated.

The latest version will always be available on our website. If we make significant changes, we may also inform you in a more direct way (for example via email), when appropriate.

 

v.1.0 Last updated: 2025-11-18
