Kahn Pedersen grows

On December 1st Cecilia Enmark joined Kahn Pedersen. Prior to joining Kahn Pedersen Cecilia Enmark has worked as a counsel at another law firm specialising in IT-law.

“We welcome Cecilia to our team and look forward to working with her to meet the ever increasing demand for our services”, says Kristian Pedersen, Partner and CEO, Kahn Pedersen.

Client Choice Awards – Johan Kahn and Kristian Pedersen

Johan Kahn has been awarded the 2021 Client Choice Award in the category IT & Internet and Kristian Pedersen has been awarded the 2021 Client Choice Award in the category Government Contracts.

Client Choice Award recognizes law firms and partners around the world that stand apart for the excellent client care they provide and the quality of their service. The criteria for this recognition focus on an ability to add real value to clients’ business above and beyond the other players in the market. Law firms and partners can only be nominated by corporate counsel. For more information, please visit the website Client Choice – Lexology.

Kahn Pedersen further strengthens the team

On 1 October 2021, Helena Brännvall joined Advokatfirman Kahn Pedersen. Helena has 15 years of experience of dispute resolution and providing advice on contract related matters. Prior to joining Kahn Pedersen, Helena was counsel at Advokatfirman Vinge. She has also worked as a corporate counsel in the industrial and real estate sectors.

”We are happy that Helena is joining our team. Helena’s expertise and experience will  make a valuable contribution and allow us to meet the increased demand on highly specialised legal advice within digital and public that we see among our clients within both the public and private sectors”, says Kristian Pedersen, Partner and CEO, Kahn Pedersen.

Kahn Pedersen söker seniora jurister med erfarenhet av digitaljuridik

Kahn Pedersen söker dig som har minst 3 års erfarenhet av att självständigt skriva, förhandla och granska avtal inom det digitaljuridiska området. Vi är intresserade av jurister med erfarenhet från advokatbyrå, myndighet eller bolag och som vill ingå i vårt topprankade team av högspecialiserade jurister.

Vi erbjuder en fri, flexibel och prestigelös arbetsplats där allt fokus ligger på resultat och vad vi som byrå kan åstadkomma gemensamt. Vi vågar påstå att vi också erbjuder en oöverträffad möjlighet att utvecklas som jurist med inriktning mot digitaljuridiken.

Om du har några frågor kring hur det är att arbeta hos oss är du varmt välkommen att kontakta och fråga någon av våra medarbetare, du hittar deras kontaktuppgifter på vår hemsida.

Din ansökan (CV, personligt brev, examensbevis samt relevanta betyg och intyg) tar vi gärna emot så snart som möjligt och senast den 11 oktober. Ansökningshandlingar skickas via e-mail till Vi hoppas att detta kan vara något för dig och ser fram emot att få träffa dig.

The European Data Protection Board (EDPB) adopts final version of recommendations regarding personal data transfers to third countries after Schrems II

The EDPB adopted on 18 June a final version of recommendations regarding transfer of personal data to countries outside the EEA (third countries) that do not provide sufficient protection for personal data and where “supplementary measures” may be required.[1] The background for the recommendations is the CJEU’s ruling in Schrems II (see here), which since its publication has caused uncertainty regarding transfer to third countries and, in particular, the usage of public cloud services that include such transfer.

The CJEU found in Schrems II that when personal data is transferred to a third country, the protection for the personal data must be essentially equivalent to the level of protection guaranteed within the EEA.

The recommendations were adopted to help personal data exporters to assess what supplementary measures (technical, contractual or organisational) that may be required in order to compensate for the potentially insufficient protection of personal data in the receiving country. Such assessment may also lead to the conclusion that the transfer cannot be performed, and that certain public cloud services therefore cannot be used in the intended manner.

For this assessment, the EDPB presents a list consisting of six steps:

  1. Map all the third country transfers (“know your transfers”).
  2. Verify the transfer tool in chapter V in the GDPR that your transfer rely on, for example standard contractual clauses, binding corporate rules etc.
  3. Assess whether anything in the law and/or practices in force in the third country may impinge on the effectiveness of the transfer tool for the current transfer.
  4. Identify and adopt supplementary measures that may be required in order to ensure a level of protection for the personal data that is essentially equivalent to the level of protection guaranteed within the EEA.
  5. Take any formal procedural steps that the adoption of your supplementary measure may require, depending on what transfer tool in Article 46 in the GDPR that your transfer is relying on.
  6. Re-evaluate, at appropriate intervals, the level of protection for your personal data and ensure that nothing that can affect the level of protection has occurred or will occur.

In the final version of the recommendations, the EDPB emphasizes the assessment of the level of protection in the third country to which the personal data is transferred (step 3 above) and requires an extensive and accurate investigation and assessment of the data protection conditions in the third country. However, the EDPB states that if it is uncertain whether the data importer is covered by “a problematic legislation” or not, you are allowed to take into consideration if the data importer or other operators in the same business have been subject for requests for access received from public authorities in the third country. That is one among several other factors that can be taken into consideration when assessing whether there is a reason to assume that a problematic legislation will be applicable on the transferred personal data.

The purpose of the supplementary measures is to compensate for the insufficiency in the third country’s level of protection and to ensure an essentially equivalent level of protection for personal data as the one guaranteed within the EEA. The assessment regarding the need of supplementary measures must be made based on the circumstances in every individual situation and taking into account i.a. the format (encrypted, pseudonymised) and nature of the personal data.

One of the recommendation’s appendices describe seven use cases. Five of them are examples of situations where specific complementary technical measures, such as correctly implemented encryption or pseudonymisation, may constitute sufficient security measures. The two remaining use cases are examples of situations where the EDPB makes the assessment that there are no sufficient technical security measures that can be used to meet the EU level of protection.


The final version of the recommendations gives in some regards a better guidance than the draft, but it is still missing the clear support regarding risk assessment that many operators have been requesting.

Further, EDPB sets high requirements on extensive investigations and complex assessments, in particular regarding the level of protection in the receiving countries, and on how efficient supplementary measures shall be adopted. It appears to be difficult to make these assessments without assistance from experts that have knowledge regarding the third country’s legislation and practice and the authorities requests of access to personal data stored at the data importer.

According to the EDPB, the data importer, i.e the receiver of personal data in a third country, for example a cloud service provider, shall assist the data exporter and provide basis for the assessments. However, EDPB state that not all sources can be used for the assessment. The sourses must be relevant, objective, reliable, verifiable and generally accessible. The EDPB attached to the recommendations a list of sources that can be used for the assessment, i.a. a report from the European Council and other international organisations, academic institutions and non-profit organisations, so-called NGO:s. To our knowledge, there are no reports that assess the level of protection for personal data in different third countries in the manner that the EDPB and Schrems II require.

Out of experience, we know that it is generally complicated to receive sufficient basis from the suppliers in order to make the assessment. That may depend on the suppliers’ lack of competence, or that they are reluctant to inform that the third country’s public authorities may request for access to the data in their services.

Based on the use cases that EDPB mentions in the recommendations, you can draw the conclusion that regarding SaaS services and other cloud services where the personal data must be available in the clear (i.e. without strong encryption or pseudonymisation), there are no supplementary measures that can compensate for insufficiencies in a third country’s level of protection for personal data. This conclusion seems, however, hard to unite with the EBPB’s earlier statement that i.a. the nature of the personal data can be taken into account when assessing security measures.

Please feel free to contact Johan Kahn or Daniel Lundqvist if you have any questions regarding the EDPB’s recommendations or transfer of personal data to third countries.

[1] Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data Version 2.0, Adopted on 18 June 2021. The recommendations are an updated version of the draft that EDPB adopted in November 2020 (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Adopted on 10 November 2020 version for public consultations)[1] which we commented here.

Legal Report on the use of Public Cloud Services for Swedish businesses

Kahn Pedersen today publishes an English summary of our previous report on the use of public cloud services for businesses in Sweden. This version includes updated sections regarding the Swedish Protective Security Act and the European Data Protection Board’s draft recommendation for supplementary measures in connection with cross border transfers of personal data to third countries. The report also includes an introduction to our unique tool for legal risk assessment and risk visualization for cloud services – the so-called Folke© Methodology. The report is available for download without charge here >>.

New article for the Swedish Purchasing Counsil

The Swedish Government recently published the draft A Stronger Protection for Sweden’s Security (only in Swedish) with proposals for a number of news and amendments to the Swedish Protective Security Act, which will affect all operators undertaking security-sensitive activities (operators).

The draft, which is supposed to enter into force as early as 1 December 2021, entail significant changes to the Protective Security Act. For example, the obligation to enter into a protective security agreement will include mere collaborations and cooperation, not only procurements. The Government also proposes that operators shall carry out special security assessment as well as suitability assessments before concluding protective security agreements, and that operators will have an obligation to continuously revise existing protective security agreements.

In addition to the obligations becoming more firm, it is proposed that the supervisory authorities be given increased powers, including the possibility of deciding on administrative fees of up to SEK 50 million.

In other words, it is important that all operators becomes familiar with the proposed changes and prepare their operations in advance, so that they are ready when the proposals are implemented in December this year.

Senior Specialist Viktor Robertson and Associate Albin Svensson have analysed the proposed changes and summarised their consequences for operators, which have been published in an article on the Swedish Purchasing Counsil’s website (only in Swedish).

Chambers ranks Kahn Pedersen as a leading firm in all practice areas

For the second consecutive year, Chambers & Partners ranks Kahn Pedersen’s practice groups Public and Digital in the very highest category “Band 1”. The individual lawyers with Kahn Pedersen are also considered as some of the most regarded in Sweden within their practice areas. For Public Procurement, Kristian Pedersen is ranked in Band 1. For Information Technology, Johan Kahn is ranked as one of two Swedish lawyers in Band 1. Erik Olsson is ranked in Band 2 for Public Procurement. Daniel Lundqvist is previously ranked in Band 2 for Fintech is ranked in Band 3 for Information Technology.

Not many law firms in the World would have all of their practice groups ranked in Band 1. Our high degree of specialization of course makes it easier than for a full-service firm that naturally could not have the same focus. That is why we have chosen to be the firm we are.” Says Kristian Pedersen, CEO

New Article in Svensk Juristtidning

Christian Hybbinette and Michael Nevinson have published an article in the Swedish legal journal Svensk Juristtidning. The article outlines the news in the latest editions of the standard agreements for the Nordic market, for the supply of machinery and standardized goods and other bulk items: NL 17, NLM 19 and NLS 19. In the article, the authors also give an account for the differences compared to the older version of each respective standard agreement.