Sweden - Establishing an Office Sweden - Establishing an Office
The most popular and simplest company structure is the limited liability company. This works well for many foreign firms – especially SMEs starting up in the Swedish market. For further details on requirements and options regarding the establishment of a local company presence, contact Business Sweden - or any of the many reputable legal firms resident in Sweden. See partial list below:
Baker & McKenzie Advokatbyra AB
Delphi & Co Advokatfirma
Kilpatrick Townsend & Stockton Advokatbyra
White & Case Advokat AB
Sweden has no rules that discriminate against foreign investors and shareholders may reside in any country. As mentioned above, most foreign investors have historically favored the limited liability company, which is the only corporate form with no personal liability in Sweden. There are two different forms of limited liability companies: public and private. The difference between the two is that only the public limited liability company can turn to the public for capital. A subsidiary of a foreign company established in Sweden in accordance with Swedish law is considered a Swedish company in all respects and generally no legislative distinction is made between companies whose shares are wholly or principally owned by foreigners and those owned by Swedes.
The Swedish Companies Act (Aktiebolagslagen) governs the founding of a company. However, a foreign investor need not bother with this procedure, as it is much easier to acquire a pre-registered off-the-shelf company and adapt its articles of association to the needs and intents of the investor. The share capital must be at least SEK 50,000 in a private limited liability company and SEK 500,000 in a public limited liability company.
A foreign company interested in establishing a business in Sweden may also conduct its operations through a Swedish branch (filial). Both a branch and a limited liability company must be registered with the Swedish Companies Registration Office and the Swedish Tax Agency.
Data Privacy and Protection
However, there are significant differences in definitions of key terminology. The GDPR creates a number of new requirements for organizations that process EU individuals’ personal data. Companies have an obligation to demonstrate their compliance, in part through a number of documentation obligations. Data subjects have a number of rights which include access, correct, and erasure of their personal data.
The GDPR has extra-territorial reach, which means that it might be applicable to U.S. entities even if they do not have physical presence in Europe. In that case, such organizations need to have a representative based in Europe, or in certain cases need to appoint a Data Protection Officer.
Fines in case of non-compliance can reach up to 4 percent of the annual worldwide revenue or 20 million euros – whichever is higher. Companies of all sizes and sectors should consider GDPR as part of their overall compliance effort with assistance of legal counsel.
The European Commission and Data Protection Authorities are releasing official guidelines to help companies with their compliance process (see resources below).
Note: the EU is currently updating its e-privacy legislation governing confidentiality of communications. This legislative instrument once enacted will add a number of requirements in addition to the GDPR. We encourage U.S. exporters to monitor this situation as it evolves through the EU legislative process.
For more information:
Full GDPR text
Official Press Release
European Commission guidance:
http://ec.europa.eu/justice/smedataprotect/index_en.htm
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
Transferring Customer Data to Countries outside the EU
The GDPR provides for the free flow of personal data within the EU but also for its protection when it leaves the region’s borders.The GDPR (Chapter 5 - Article 44 onwards) sets out obligations on data controllers (those in charge of deciding what personal data is collected and how/why it is processed), on data processors (those who act on behalf of the controller), and gives rights to data subjects (the individuals to whom the data relates). These rules were designed to provide a high level of privacy protection for personal data, and were complemented by measures to ensure the protection is maintained when data leaves the region, whether it is transferred to controllers, processors, or to third parties (e.g. subcontractors). EU legislators put restrictions on transfers of personal data outside of the EU, specifying that such data could only be exported if “adequate protection” is provided.
The European Commission (EC) is responsible for assessing whether a country outside the EU has a legal framework that provides sufficient protection for it to issue an “adequacy finding” to that country. The U.S. has never sought to be found adequate by the EC. This means that U.S. companies can only receive personal data from the EU if they:
- Join the EU-U.S. Privacy Shield program, or
- Provide appropriate safeguards (e.g. contractual clauses, binding corporate rules), or,
- Refer to one of the GDPR’s derogations.
Data Transfers Outside of EU
Important note:
The legal environment for data transfers to the United States continues to evolve. Companies that transfer EU citizen data to the United States as part of a commercial transaction should consult with an attorney, who specializes in EU data privacy law, to determine what options may be available for a particular transaction.
About the EU-U.S. Privacy Shield
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
For more information on the EU-U.S. Privacy Shield
For more information about other mechanisms of transfer, please refer to: Transferring Personal Data from EU to U.S.
Cyber-security
The European Network and Information Systems (NIS) Security Directive sets a minimum baseline of requirements to ensure better protection of critical infrastructures in Europe. The legislation targets three groups of stakeholders: 1) it sets basic principles for Member States for common minimum capacity building and strategic cooperation; 2) it directs operators of essential services (OES) and digital service providers (DSP) to ensure they apply basic common security requirements.
DSPs are broadly defined to include online/e-commerce marketplace (including app stores); online search engine (with the exclusion of search function limited to a specific website); and Cloud computing services. NIS systems are considered the e-communications network, connected devices, and digital data.
A DSP and an OES are expected to ensure “the ability of NIS to resist any action that could compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those systems.” Member states must identify OES and establish security and notification requirements for OES and for DSP. The level of security expected from OES should be higher than the level expected from DSP, because of the degree of risk posed to their infrastructure. Among obligations for both OES and DSP are, to take technical and organizational measures to NIS risk management; to prevent and minimize the impact of NIS security incidents; to notify, without undue delay, incidents having a significant impact on the continuity of the essential services they provide. This Directive has been adopted by the EU in July 2016. Member States have until May 2018 to transpose the Directive into their national legal framework.