This data processing agreement governs how Musso Detektivbyrå processes personal data on behalf of the client in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and Swedish data protection law. Last updated: June 2026.
The processor handles personal data solely for the purpose of carrying out the investigation or security assignment agreed between the parties. Processing takes place in accordance with the controller's documented instructions, unless required by Union or Swedish law.
Depending on the assignment, processing may include identity details, contact details, movement patterns, photographic documentation, financial information and, where applicable, special categories of personal data. Data subjects may include the individual under investigation, the client, and third parties appearing in the documentation. Special categories are processed only where necessary to establish, exercise or defend legal claims.
The processor shall treat data confidentially, ensure that personnel with access are bound by confidentiality, and assist the controller with appropriate technical and organisational measures. Upon request, the processor shall make available the information needed to demonstrate compliance with the GDPR and allow for, and contribute to, audits.
The processor implements appropriate technical and organisational security measures under Article 32 GDPR, including access control, encryption of stored and transmitted information where appropriate, secure storage of physical documentation, and routines for regularly assessing the effectiveness of the measures.
The processor may engage sub-processors only with the controller's general or specific written authorisation. Any sub-processor is bound by the same data protection obligations through a contract, and the processor remains fully liable to the controller for the sub-processor's performance.
The processor shall assist the controller with appropriate measures so that the controller can fulfil its obligation to respond to requests from data subjects exercising their rights, including the rights of access, rectification, erasure, restriction and objection under Chapter III GDPR.
In the event of a confirmed personal data breach, the processor shall notify the controller without undue delay and no later than 48 hours after becoming aware of it, providing the information needed for the controller's possible notification to the Swedish Authority for Privacy Protection (IMY).
The agreement applies for as long as the processor handles personal data on the controller's behalf. On completion of the assignment, the processor shall, at the controller's choice, delete or return all personal data and delete existing copies, unless storage is required by Union or Swedish law.
This agreement is governed by Swedish law. Any dispute arising from it shall be settled by the Swedish general courts, with Stockholm District Court as the court of first instance.
This is a standardised contract document that is adapted to each individual assignment. A signed copy is prepared when the service agreement is concluded. For questions, contact us at info@sni.nu.