Antikorruptionsförebyggande tredjepartsbesiktning och GDPR

Cangemark, Hilda LU (2019) JURM02 20191
Department of Law
Faculty of Law
Abstract
Third party due diligence is an investigation of prospective or existing business partners in order to ensure a low risk of corruption. In certain countries such an investigation is required by law. Factors to consider in the risk assessment are for example whether a potential or existing business partner has been convicted of any corruption related crime or is associated with political circles. Swedish companies are questioning whether third party due diligence at all can be conducted due to GDPR, since the procedure involves the collection and processing of personal data. In Sweden, the provisions on negligent financing of bribery in The Swedish Penal Code and The Act on Transparency in the Financing of Political Parties involves a certain degree of duty to investigate or report. According to GDPR, criminal and sensitive personal data may be processed if required by a legal obligation, i.e. through EU law, national law or collective agreements. There is much to suggest that negligent financing of bribery can be considered a legal obligation that would allow third party due diligence. Regarding information on donors to political parties, the Data Protection Act appears to limit the scope of the provision of important public interest in art. 9.2 GDPR to a considerable extent only to authorities or otherwise if required by a company in the fulfillment of rights and obligations in, among other things, labor law.

The Swedish Data Protection Authority has been given considerable authority to draw up regulations, which according to both GDPR and Swedish preparatory work can be interpreted as an obligation for the authority to keep up to date on the development of the regulations and its consequences. It is therefore appropriate that the dilemma is resolved like the Irish solution, i.e. through a regulation from the Swedish Data Protection Authority, that would allow the processing of relevant personal data for the conduct of a third party due diligence. In a long-term perspective the government should, by law or extension of The Swedish Institute against Corruption mandate, establish regulations that in similarity with U.S., France and the U.K. require specific measures for the prevention of corruption in trade and industry.
Abstract (Swedish)
Third party due diligence means that prospective or existing business partners are investigated in order to ensure that the links in the operator's business chain pose a low risk of corruption, which in some countries is required by law. Factors that are generally regarded as red flags in the risk assessment ahead of a business transaction are, for example, whether a business partner has been convicted of a crime of a corrupt nature or has any connection to political circles. Swedish business actors question whether third party due diligence can be carried out at all in light of GDPR, since the procedure involves the collection and processing of personal data. In Sweden, the provisions on negligent financing of bribery in Chapter 10, Section 5 e of the Swedish Penal Code (BrB) and the Act (2018:90) on Transparency in the Financing of Political Parties entail a certain degree of duty to investigate. According to GDPR, data on criminal offences and sensitive personal data may be processed if required by a legal obligation, i.e. through Union law, national law or collective agreements. There is much to suggest that negligent financing of bribery can be considered a legal obligation that would permit third party due diligence. As regards data on donors to political parties, the Act (2018:218) with supplementary provisions to the EU General Data Protection Regulation appears to restrict the scope of the provision on important public interest found in art. 9.2 GDPR considerably, so that it covers only authorities or otherwise applies if required of an operator in fulfilling its obligations within, among other areas, labour law.

Datainspektionen (the Swedish Data Protection Authority) has been given extensive powers to issue regulations, which through both GDPR and Swedish preparatory works can be interpreted as an obligation for the authority to keep itself up to date on the development of the regulation and its consequences. It is therefore natural for the dilemma to be resolved through a regulation from Datainspektionen that permits the processing of relevant personal data for the conduct of third party due diligence, similar to the Irish solution. From a long-term perspective, the government should, by law or by extending the mandate of Institutet Mot Mutor (the Swedish Institute against Corruption), establish provisions that, like those of the USA, France and the United Kingdom, clearly require specific measures to prevent corruption in business operations.
author
Cangemark, Hilda LU
supervisor
organization
alternative title
Third party due diligence and GDPR
course
JURM02 20191
year
type
H3 - Professional qualifications (4 Years - )
subject
keywords
civilrätt, förmögenhetsrätt, EU-rätt, rättsvetenskap, associationsrätt, korruption, corruption, tredjepartsbesiktning, third party due diligence, due diligence, GDPR, compliance
language
Swedish
id
8991467
date added to LUP
2019-09-12 14:17:38
date last changed
2019-09-12 14:17:38
@misc{8991467,
  abstract     = {Third party due diligence is an investigation of prospective or existing business partners in order to ensure a low risk of corruption. In certain countries such an investigation is required by law. Factors to consider in the risk assessment are for example whether a potential or existing business partner has been convicted of any corruption related crime or is associated with political circles. Swedish companies are questioning whether third party due diligence at all can be conducted due to GDPR, since the procedure involves the collection and processing of personal data. In Sweden, the provisions on negligent financing of bribery in The Swedish Penal Code and The Act on Transparency in the Financing of Political Parties involves a certain degree of duty to investigate or report. According to GDPR, criminal and sensitive personal data may be processed if required by a legal obligation, i.e. through EU law, national law or collective agreements. There is much to suggest that negligent financing of bribery can be considered a legal obligation that would allow third party due diligence. Regarding information on donors to political parties, the Data Protection Act appears to limit the scope of the provision of important public interest in art. 9.2 GDPR to a considerable extent only to authorities or otherwise if required by a company in the fulfillment of rights and obligations in, among other things, labor law.

The Swedish Data Protection Authority has been given considerable authority to draw up regulations, which according to both GDPR and Swedish preparatory work can be interpreted as an obligation for the authority to keep up to date on the development of the regulations and its consequences. It is therefore appropriate that the dilemma is resolved like the Irish solution, i.e. through a regulation from the Swedish Data Protection Authority, that would allow the processing of relevant personal data for the conduct of a third party due diligence. In a long-term perspective the government should, by law or extension of The Swedish Institute against Corruption mandate, establish regulations that in similarity with U.S., France and the U.K. require specific measures for the prevention of corruption in trade and industry.},
  author       = {Cangemark, Hilda},
  keyword      = {civilrätt,förmögenhetsrätt,EU-rätt,rättsvetenskap,associationsrätt,korruption,corruption,tredjepartsbesiktning,third party due diligence,due diligence,GDPR,compliance},
  language     = {swe},
  note         = {Student Paper},
  title        = {Antikorruptionsförebyggande tredjepartsbesiktning och GDPR},
  year         = {2019},
}