Legal and Compliance Monitoring Procedure

1. Purpose

This procedure establishes how Swedwise AB identifies, monitors, and maintains compliance with legal, regulatory, and other requirements applicable to its operations and management systems. The purpose is to:

• Identify all applicable legal and regulatory requirements
• Monitor changes in legal and regulatory requirements
• Assess compliance with applicable requirements
• Take action to maintain or achieve compliance
• Demonstrate compliance to customers, auditors, and authorities
• Fulfill ISO 9001, ISO 14001, and ISO 27001 requirements
• Manage compliance risks proactively
• Embed compliance awareness in organizational culture

2. Scope

This procedure applies to:

Compliance Areas:

• Quality Management: Customer contracts, consumer protection, service delivery standards
• Environmental Management: Environmental laws, waste management, energy efficiency, pollution prevention
• Information Security: Data protection (GDPR), cybersecurity laws, industry standards
• Occupational Health and Safety: Work environment, employee safety, workplace regulations
• Labor and Employment: Employment contracts, working hours, discrimination, employee rights
• Business Operations: Company law, accounting, taxation, anti-corruption, procurement rules
• Industry-Specific: IT services, SaaS, telecommunications, public sector procurement

Jurisdictions:

• Swedish national law (primary)
• EU regulations and directives (e.g., GDPR, environmental directives)
• Local municipality regulations (where Swedwise operates)
• Customer-specific contractual compliance requirements

Locations: All Swedwise offices and operations (Karlstad HQ, Stockholm, Uddevalla)

Out of Scope:

• Customer-specific technical compliance (handled within service delivery)
• Third-party supplier compliance (covered by supplier management, but informed by this procedure)

3. Definitions

Term	Definition
Legal Requirement	Mandatory obligation imposed by law, regulation, or statute (Swedish law, EU regulation, local ordinance).
Regulatory Requirement	Requirement from regulatory or governmental authority (e.g., Swedish Work Environment Authority, Datainspektionen/IMY).
Compliance Obligation	Broader term including legal, regulatory, contractual, and voluntary commitments (standards, codes of conduct).
Compliance Register	Centralized list of all compliance obligations applicable to Swedwise.
Compliance Assessment	Evaluation of conformity with compliance obligations.
Non-Compliance	Failure to meet a compliance obligation (legal breach, regulatory violation).
IMY (Integritetsskyddsmyndigheten)	Swedish Authority for Privacy Protection (GDPR enforcement in Sweden).
Naturvårdsverket	Swedish Environmental Protection Agency.
Arbetsmiljöverket	Swedish Work Environment Authority (occupational health and safety).
Compliance Owner	Person responsible for monitoring compliance in a specific area (e.g., GDPR Compliance Owner = CISO).
Legal Horizon Scanning	Process of monitoring for new or changed legal requirements.

4. Compliance Monitoring Principles

Proactive Identification:

• Systematically identify applicable requirements
• Monitor for changes continuously
• Stay ahead of regulatory developments

Risk-Based Prioritization:

• Focus on high-risk and high-impact compliance areas
• Allocate resources based on compliance risk

Clear Accountability:

• Assign ownership for each compliance area
• Define responsibilities clearly

Regular Assessment:

• Periodically assess compliance status
• Identify gaps and take corrective action

Awareness and Training:

• Ensure staff understand compliance requirements relevant to their roles
• Provide training on key compliance topics (GDPR, environmental, safety)

Documentation and Evidence:

• Maintain records demonstrating compliance
• Prepare for audits and inspections

5. Roles and Responsibilities

Role	Responsibilities
IMS Owner	- Maintain this procedure and overall compliance framework - Maintain Compliance Obligation Register - Coordinate compliance assessments - Monitor legal horizon for changes - Report compliance status to management - Escalate compliance risks - Coordinate with legal counsel
Compliance Owners (by area)	- Monitor compliance in their area (see Section 6.2) - Identify applicable requirements - Assess compliance regularly - Report compliance status to IMS Owner - Implement corrective actions for non-compliance - Provide training and awareness in their area
CISO	- Compliance Owner for information security and data protection (GDPR, cybersecurity) - Monitor security-related legal requirements - Ensure GDPR compliance (Data Protection Officer role if required)
Environmental Lead	- Compliance Owner for environmental regulations - Monitor environmental legal requirements - Ensure environmental compliance (waste, energy, pollution)
Quality Lead	- Compliance Owner for quality and customer-related regulations - Monitor quality and consumer protection requirements
HR Manager	- Compliance Owner for labor and employment law - Monitor occupational health and safety requirements - Ensure employee rights and workplace compliance
Finance/CFO	- Compliance Owner for financial, accounting, and taxation regulations - Monitor company law and corporate governance requirements
Legal Counsel (external or internal if hired)	- Provide legal advice and interpretation - Review contracts and compliance obligations - Advise on complex or uncertain compliance matters - Represent Swedwise with authorities if needed
Management Team	- Approve compliance policies and investments - Allocate resources for compliance activities - Review compliance status quarterly - Make strategic compliance decisions - Set tone for compliance culture
All Staff	- Comply with applicable laws, regulations, and policies - Complete compliance training - Report suspected non-compliance or legal concerns - Follow procedures and controls

6. Compliance Obligation Identification

6.1 Identify Applicable Compliance Obligations

The IMS Owner, with support from Compliance Owners, identifies compliance obligations applicable to Swedwise:

Process:

1. Review Legal Sources:
   • Swedish national law and regulations
   • EU regulations and directives
   • Local municipality ordinances (Karlstad, Stockholm, Solna/Uddevalla)
   • Industry standards and codes of conduct
2. Review Organizational Context:
   • Swedwise's activities, services, locations
   • Customer requirements and contracts
   • Stakeholder expectations (investors, partners, public)
3. Categorize Obligations (by compliance area):
   • Quality management (ISO 9001-related)
   • Environmental management (ISO 14001-related)
   • Information security and data protection (ISO 27001-related, GDPR)
   • Occupational health and safety
   • Labor and employment
   • Financial and corporate governance
   • Industry-specific (IT services, SaaS)
4. Determine Applicability:
   • Does this apply to Swedwise? (scope, size, industry)
   • What specific requirements must we meet?
   • What is the compliance deadline or frequency?
5. Assign Compliance Owner (responsible for monitoring that area)

Sources for Identification:

• Swedish Government Websites:
  • Riksdagen (Swedish Parliament) - laws and statutes
  • Government agencies (Arbetsmiljöverket, Naturvårdsverket, IMY, etc.)
• EU Official Journal: For EU regulations and directives
• Industry Associations: Svenskt Näringsliv, IT&Telekomföretagen
• Legal Databases: Subscription services (Lex, Karnov, Norstedts Juridik)
• Customer Contracts: Contractual compliance obligations
• ISO Standards: ISO 9001, 14001, 27001 requirements
• Legal Counsel: Professional legal advice
• Competitors and Peers: Benchmarking compliance practices

Frequency: Initial identification (during IMS setup), then ongoing monitoring (see Section 7)

Responsibility: IMS Owner (coordinate), Compliance Owners (identify in their areas)

6.2 Key Compliance Areas for Swedwise

Based on Swedwise's operations (IT consultancy, SaaS services, ~35 employees, Swedish company):

Compliance Area	Key Requirements	Compliance Owner	Priority
Data Protection (GDPR)	- Lawful processing of personal data - Data subject rights - Data breach notification - Privacy by design - Data processing agreements - Records of processing activities	CISO	High
Environmental	- Waste management (e-waste, hazardous waste) - Energy efficiency and reporting (if >250 employees: not applicable) - Travel and emissions (voluntary sustainability commitment) - Pollution prevention	Environmental Lead	Medium
Occupational Health & Safety	- Safe working environment (Arbetsmiljölagen) - Risk assessments (systematic work environment management) - Incident reporting - Ergonomics and workstation setup - Rehabilitation and sick leave management	HR Manager	High
Labor & Employment	- Employment contracts and terms - Working hours and overtime (EU Working Time Directive) - Non-discrimination and equality - Parental leave and benefits - Collective agreements (if applicable)	HR Manager	High
Information Security	- NIS Directive (if classified as essential service provider - likely not) - Confidentiality agreements - Cybersecurity best practices - Customer data security (contractual)	CISO	High
Quality & Consumer Protection	- Service delivery per contract - Consumer rights (if B2C services - limited) - Intellectual property protection	Quality Lead	Medium
Financial & Corporate	- Annual financial reporting (Årsredovisningslagen) - Taxation (VAT, corporate tax, payroll tax) - Accounting standards (K3) - Company registration (Bolagsverket) - Anti-money laundering (if applicable)	Finance/CFO	High
Public Procurement	- LOU (Lagen om offentlig upphandling) compliance for public sector customers - Self-declaration requirements - References and certifications - Ethical and environmental criteria in tenders	Management Team	Medium
IT Services & SaaS	- SaaS service level agreements (contractual) - Cloud service regulations (GDPR, data residency) - Intellectual property (software licensing, OpenText agreements)	Service Owner, CISO	High
Anti-Corruption & Ethics	- Anti-bribery laws - Conflict of interest - Ethical business practices - Code of conduct	Management Team	Medium

Note: This is a representative list. The full Compliance Obligation Register will be more comprehensive and updated regularly.

7. Legal Horizon Scanning and Monitoring

7.1 Monitor for Legal and Regulatory Changes

Objective: Stay informed of new or changed compliance requirements.

Process:

1. Regular Monitoring (Ongoing):

IMS Owner:

• Subscribe to legal and regulatory update services:
  • Government agency newsletters (Arbetsmiljöverket, Naturvårdsverket, IMY)
  • Industry association updates (IT&Telekomföretagen)
  • Legal news services
• Monitor EU legislative developments (if affecting Sweden)
• Review ISO standard updates (ISO 9001, 14001, 27001 revisions)

Compliance Owners:

• Monitor changes in their specific areas:
  • CISO: Data protection, cybersecurity laws
  • Environmental Lead: Environmental regulations
  • HR: Labor and employment law changes
  • Finance: Tax and accounting regulation changes

Frequency: Continuous monitoring (weekly review of sources)

2. Quarterly Legal Review:

• IMS Owner compiles legal and regulatory changes identified
• Compliance Owners review changes in their areas
• Assess impact on Swedwise: Does this apply? What must change?
• Update Compliance Obligation Register

3. External Legal Counsel Review (as needed):

• Engage legal counsel for complex or significant legal changes
• Request interpretation and impact assessment
• Obtain advice on compliance actions required

Frequency: Quarterly review, or ad-hoc for significant changes

Responsibility: IMS Owner (coordinate), Compliance Owners (monitor their areas)

7.2 Assess Impact of Legal Changes

When new or changed legal requirement identified:

Steps:

1. Determine Applicability: Does this apply to Swedwise?
   • Scope (company size, industry, activities)
   • Jurisdiction (Sweden, EU, local)
   • Effective date (when must we comply?)
2. Assess Current Compliance: Are we already compliant? What gaps?
3. Identify Actions Required:
   • Policy or procedure updates
   • System or process changes
   • Training or awareness
   • Documentation or records
   • Resources or budget
4. Determine Priority and Timeline:
   • Priority based on:
     • Legal deadline (compliance required by when?)
     • Enforcement risk (penalties, sanctions)
     • Impact on operations or customers
   • Set internal deadline (before legal deadline; allow buffer)
5. Assign Responsibility: Compliance Owner ensures implementation
6. Update Compliance Register: Add new requirement or update existing

Communication:

• Notify management of significant legal changes (especially if costly or complex)
• Communicate to affected staff (procedures, training)

Responsibility: Compliance Owner (for their area), IMS Owner (overall coordination)

8. Compliance Obligation Register

8.1 Register Contents

The Compliance Obligation Register is a centralized list of all compliance obligations applicable to Swedwise.

Information Captured (for each obligation):

Field	Description
Obligation ID	Unique identifier (e.g., COMP-GDPR-001, COMP-ENV-002)
Compliance Area	Category (GDPR, Environmental, H&S, Labor, Financial, etc.)
Requirement Description	Summary of what is required
Legal Source	Law, regulation, standard, or contract reference (e.g., GDPR Article 32, Arbetsmiljölagen 3 kap)
Applicability	Why it applies to Swedwise (activity, size, jurisdiction)
Compliance Owner	Person responsible for monitoring compliance
Frequency	How often compliance is required (ongoing, annual, monthly, one-time)
Evidence of Compliance	Records or documentation demonstrating compliance
Last Assessment Date	Date of most recent compliance assessment
Compliance Status	Compliant / Non-Compliant / Partial / Not Assessed
Actions Required	If non-compliant: actions to achieve compliance
Due Date	Deadline for compliance or next assessment
Notes	Additional context or comments

Example Entry:

Field	Value
Obligation ID	COMP-GDPR-001
Compliance Area	Data Protection (GDPR)
Requirement	Notify data breaches to IMY within 72 hours if risk to individuals
Legal Source	GDPR Article 33
Applicability	Swedwise processes personal data of employees and customers
Compliance Owner	CISO
Frequency	As needed (when breach occurs)
Evidence	Data breach notification procedure (SW-ISMS-PRO-001), breach register
Last Assessment	2025-01-15
Status	Compliant
Actions Required	None (procedure in place; breach register maintained)
Due Date	N/A (ongoing)
Notes	Include in annual GDPR compliance review

8.2 Maintain Compliance Register

Responsibility: IMS Owner (overall maintenance), Compliance Owners (update their areas)

Update Frequency:

• Ongoing: When new obligations identified or changes occur
• Quarterly: Review and update based on legal horizon scanning
• Annually: Comprehensive review of entire register (during IMS review)

Tool/Format: [TBD - Spreadsheet (Excel, Google Sheets), database, or compliance management software]

Location: [TBD - Document repository, SharePoint, or dedicated compliance tool]

Access: IMS Owner, Compliance Owners (read/write), Management (read)

9. Compliance Assessment

9.1 Compliance Assessment Process

Objective: Verify that Swedwise is meeting its compliance obligations.

Frequency:

Compliance Area	Assessment Frequency	Method
GDPR / Data Protection	Annually + after significant changes	Audit, document review, interviews
Environmental	Annually	Site inspection, waste records review, energy data
Occupational Health & Safety	Annually + after incidents	Workplace inspection, incident review, employee interviews
Labor & Employment	Annually	HR records review, contract review, policy review
Financial & Corporate	Annually (with annual report)	Financial audit, accounting review
Information Security	Annually (as part of ISMS audits)	Security audit, control testing
Quality Management	Annually (as part of QMS audits)	Service delivery review, customer feedback, SLA compliance
Ad-Hoc	As needed	Triggered by legal change, incident, customer request, or authority inspection

Process Steps:

Step 1: Plan Assessment

• Compliance Owner plans assessment for their area
• Define scope (which obligations to assess)
• Determine method (document review, interview, inspection, testing)
• Schedule assessment activities

Step 2: Conduct Assessment

• Review relevant documents, records, and evidence
• Interview staff responsible for compliance activities
• Inspect facilities or systems (if applicable)
• Test controls or processes (if applicable)
• Compare actual practices against requirements

Step 3: Document Findings

• Record compliance status for each obligation:
  • Compliant: Requirement is met; evidence available
  • Non-Compliant: Requirement not met; breach identified
  • Partial: Partially meeting requirement; improvement needed
  • Not Assessed: Unable to assess (e.g., insufficient evidence)
• Document evidence reviewed
• Identify gaps or weaknesses
• Assess compliance risks (likelihood and impact of non-compliance)

Step 4: Report Results

• Compliance Owner reports findings to IMS Owner
• Update Compliance Obligation Register (status, assessment date)
• Highlight non-compliance or high-risk areas

Step 5: Corrective Action (if non-compliant)

• Initiate Corrective Action Request (CAR) per SW-IMS-PRO-005
• Develop plan to achieve compliance
• Assign responsibilities and deadlines
• Track to completion
• Re-assess to verify compliance achieved

Responsibility: Compliance Owners (conduct assessments in their areas), IMS Owner (coordinate and consolidate)

9.2 Compliance Assessment Reporting

Compliance Assessment Report (annual per area):

• Scope: Compliance area and obligations assessed
• Assessment Date and Method
• Findings:
  • Summary of compliance status (% compliant, non-compliant, partial)
  • Specific non-compliance items with details
  • Good practices or strengths identified
• Risks: Compliance risks identified (high/medium/low)
• Actions Required: Corrective actions, improvements, or further assessments
• Conclusion: Overall assessment of compliance in this area

Distribution: IMS Owner, Management Team, relevant Compliance Owner

Consolidated Compliance Report (annual, for management review):

• IMS Owner consolidates all compliance area reports
• Overall compliance status across all areas
• Trends (improving, stable, declining)
• High-priority compliance risks and actions
• Resource needs for compliance activities
• Presented in IMS Management Review (SW-IMS-PRO-004)

Responsibility: Compliance Owners (area reports), IMS Owner (consolidated report)

10. Compliance with Specific Regulations

10.1 GDPR (General Data Protection Regulation)

Compliance Owner: CISO

Key Requirements:

1. Lawfulness of Processing: Process personal data only with legal basis (consent, contract, legitimate interest, legal obligation)
2. Data Subject Rights: Enable individuals to access, correct, delete, port, or object to processing their data
3. Data Breach Notification: Notify IMY within 72 hours of becoming aware of breach (if risk to individuals)
4. Data Protection Impact Assessments (DPIA): For high-risk processing activities
5. Records of Processing Activities: Maintain register of all personal data processing
6. Data Protection by Design and Default: Build privacy into systems and processes
7. Data Processing Agreements: With third-party processors (e.g., Entiros AB, Microsoft)
8. Data Protection Officer (DPO): Appoint if required (public authority or large-scale processing of sensitive data - assess if applicable for Swedwise)

Compliance Actions:

• Maintain Records of Processing Activities (ROPA) - document all personal data processing
• Maintain Data Breach Register and follow incident management procedure (SW-ISMS-PRO-001)
• Conduct DPIAs for high-risk processing (e.g., SaaS customer data processing)
• Implement Data Subject Rights procedures (access requests, deletion requests)
• Review and update Privacy Policy and Privacy Notices (for customers and employees)
• Ensure Data Processing Agreements (DPAs) with all vendors processing personal data
• Annual GDPR compliance audit

Evidence:

• ROPA (Records of Processing Activities)
• Data Breach Register
• DPIAs (Data Protection Impact Assessments)
• Data Processing Agreements (with vendors)
• Privacy policies and notices
• Data subject request logs and responses
• GDPR training records

Assessment Frequency: Annually + after significant system or process changes

10.2 Environmental Regulations

Compliance Owner: Environmental Lead

Key Requirements (for Swedwise's operations):

1. Waste Management: Proper disposal of office waste, hazardous waste (batteries, electronics, toner, chemicals)
2. E-Waste: Comply with WEEE Directive (electronic waste recycling)
3. Energy Efficiency: Monitor and reduce energy consumption (voluntary, no legal threshold for Swedwise size)
4. Emissions Reporting: Not legally required (Swedwise below reporting thresholds), but track for sustainability
5. Pollution Prevention: Prevent releases of hazardous substances (oils, chemicals, refrigerants)
6. Environmental Incidents: Report significant environmental incidents to municipality or Naturvårdsverket

Compliance Actions:

• Contracts with certified waste disposal providers (e-waste, hazardous waste)
• Waste disposal records and manifests
• Office environmental practices (recycling, energy saving)
• Emergency preparedness for environmental spills (SW-EMS-PRO-001)
• Annual environmental compliance assessment

Evidence:

• Waste disposal contracts and manifests
• E-waste recycling certificates
• Environmental incident register (if any)
• Energy consumption data (from building management or utility bills)

Assessment Frequency: Annually

10.3 Occupational Health and Safety (Arbetsmiljölagen)

Compliance Owner: HR Manager

Key Requirements (Swedish Work Environment Act):

1. Systematic Work Environment Management: Identify risks, implement controls, monitor effectiveness
2. Risk Assessments: Conduct workplace risk assessments regularly
3. Employee Participation: Involve employees in work environment matters; appoint safety representative if >5 employees (Swedwise: yes)
4. Incident Reporting: Report serious workplace injuries to Arbetsmiljöverket
5. Ergonomics: Ensure ergonomic workstations (screens, chairs, desks)
6. Workplace Harassment and Discrimination: Prevent harassment, discrimination, victimization
7. Rehabilitation: Support sick or injured employees returning to work
8. Health and Safety Training: Provide training on workplace hazards and safe practices

Compliance Actions:

• Appoint Safety Representative (skyddsombud)
• Conduct workplace risk assessments annually or when changes (SW-IMS-PRO-002 can be used)
• Maintain incident and injury register
• Provide ergonomic workstations (assess and improve)
• Harassment and discrimination policy and training
• Health and safety training for all staff (onboarding and periodic refreshers)
• Rehabilitation plans for employees on long-term sick leave

Evidence:

• Safety representative appointment
• Workplace risk assessments
• Incident and injury register
• Ergonomic assessments
• Training records (health and safety)
• Policies (harassment, discrimination, work environment)

Assessment Frequency: Annually + after workplace incidents

10.4 Labor and Employment Law

Compliance Owner: HR Manager

Key Requirements:

1. Employment Contracts: Written contracts for all employees (required in Sweden)
2. Working Hours: Comply with EU Working Time Directive and Swedish law (max 48 hours/week average, rest periods, annual leave)
3. Parental Leave: Provide statutory parental leave and benefits
4. Non-Discrimination: Comply with Discrimination Act (Diskrimineringslagen) - no discrimination based on protected characteristics
5. Collective Agreements: If applicable (if Swedwise has collective agreement with union)
6. Termination Rules: Comply with employment protection rules (Lagen om anställningsskydd - LAS)
7. Payroll Taxes and Social Security: Proper deduction and payment of taxes and social contributions

Compliance Actions:

• Maintain employee files with contracts and records
• Monitor working hours (overtime tracking, ensure rest periods)
• HR policies and procedures (recruitment, leave, termination)
• Non-discrimination and equal opportunity practices
• Payroll system and tax compliance (managed by finance/payroll provider)
• Annual employment law compliance review

Evidence:

• Employment contracts (all employees)
• Working hours records (if tracking overtime)
• Leave records (vacation, sick leave, parental leave)
• Payroll records and tax filings
• Non-discrimination and equal opportunity policies
• Training records (diversity, harassment prevention)

Assessment Frequency: Annually

10.5 Financial and Corporate Governance

Compliance Owner: Finance/CFO

Key Requirements:

1. Annual Financial Reporting: Submit annual report (årsredovisning) to Bolagsverket
2. Accounting Standards: Comply with K3 accounting rules (for Swedish companies)
3. Auditor Requirement: Auditor required if company exceeds 2 of 3 thresholds (Swedwise: likely required)
4. Taxation: Corporate tax, VAT, payroll tax compliance
5. Company Registration: Maintain current registration with Bolagsverket (company details, board, auditor)
6. Board and Shareholder Meetings: Comply with Swedish Companies Act (Aktiebolagslagen) requirements

Compliance Actions:

• Annual financial statements prepared and audited
• Annual report submitted to Bolagsverket (within 7 months of fiscal year-end)
• Tax returns filed (corporate tax, VAT, employer declarations)
• Board meeting minutes and shareholder meeting minutes maintained
• Company registration kept current

Evidence:

• Annual reports and audited financial statements
• Bolagsverket filings and confirmations
• Tax filings and payment records
• Board and shareholder meeting minutes
• Company registration certificate

Assessment Frequency: Annually (with annual financial audit)

11. Compliance Training and Awareness

11.1 General Compliance Training

All Staff (onboarding + annual refresher):

• Overview of key compliance areas and why they matter
• Swedwise policies relevant to compliance (Code of Conduct, Data Protection, Environmental, Health and Safety)
• How to report compliance concerns or suspected violations
• Consequences of non-compliance (legal, reputational, personal)

Delivery Method: E-learning, in-person training, or combination

Duration: 30-60 minutes

Responsibility: IMS Owner (coordinate), HR (deliver or arrange)

11.2 Role-Specific Compliance Training

Target audiences:

Audience	Training Topics	Frequency
All Staff	- GDPR awareness - Information security basics - Environmental practices (recycling, energy saving) - Workplace safety and ergonomics - Anti-harassment and discrimination	Onboarding + annual refresher
Managers	- Employment law and people management - Discrimination and harassment prevention - Incident reporting (workplace injuries, environmental incidents)	Annual
Customer Success, Sales	- GDPR (customer data handling) - Contractual compliance - Ethical sales practices	Annual
IT Operations, Developers	- GDPR (technical controls, data protection by design) - Information security controls - Secure coding practices	Annual + as needed
Finance, HR	- Financial regulations and accounting standards - Payroll and tax compliance - Employment law	Annual + regulatory update training
Management Team	- Overall compliance landscape - Compliance risks and obligations - Legal responsibilities of directors	Annual

Responsibility: Compliance Owners (deliver or arrange training in their areas), IMS Owner (coordinate)

11.3 Compliance Awareness Campaign

Purpose: Keep compliance top-of-mind; build culture of compliance

Activities (examples):

• Quarterly compliance tips (email newsletter or Teams posts):
  • GDPR tips (how to handle personal data requests)
  • Environmental tips (how to dispose of e-waste)
  • Safety reminders (ergonomics, reporting hazards)
• Compliance posters in offices (GDPR rights, emergency contacts, recycling)
• Management messaging: CEO and management reinforce importance of compliance
• Compliance Q&A sessions: Periodic lunch-and-learn or Q&A on compliance topics

Responsibility: IMS Owner (coordinate), Compliance Owners (contribute content)

12. Reporting Compliance Concerns

12.1 Reporting Mechanisms

Encourage staff to report:

• Suspected legal or regulatory violations
• Compliance concerns or questions
• Unethical behavior or conflicts of interest
• Environmental or safety hazards

Reporting Channels:

• Manager or Supervisor: First point of contact
• Compliance Owners: Direct contact to CISO, Environmental Lead, HR, etc.
• IMS Owner: Central point for compliance concerns
• Management Team: For serious or sensitive matters
• Anonymous Reporting (if available): Whistleblower hotline or online form (consider implementing if not yet available)

Non-Retaliation:

• Swedwise prohibits retaliation against individuals who report compliance concerns in good faith
• Retaliation is itself a violation and will be addressed

Investigation:

• IMS Owner or relevant Compliance Owner investigates reported concerns
• Engage legal counsel if complex or serious
• Document investigation and findings
• Take corrective action if violation confirmed (disciplinary action, process changes, notifications)

Responsibility: IMS Owner (coordinate investigations), Management Team (serious matters)

12.2 Handling Non-Compliance

If non-compliance identified (internal assessment, audit, employee report, external inspection):

Immediate Actions:

1. Contain: Stop the non-compliant activity if ongoing
2. Assess Impact: Who or what is affected? What is the risk?
3. Notify: Inform management and relevant authorities if legally required
4. Document: Record details of non-compliance

Corrective Action:

1. Initiate CAR: Use Nonconformity and Corrective Action Procedure (SW-IMS-PRO-005)
2. Root Cause Analysis: Understand why non-compliance occurred
3. Implement Corrective Action: Achieve compliance and prevent recurrence
4. Verify Effectiveness: Confirm compliance restored

Reporting to Authorities (if required):

• Determine reporting requirements (law-specific; consult legal counsel)
• Examples:
  • GDPR data breach: Report to IMY within 72 hours (if risk to individuals)
  • Serious workplace injury: Report to Arbetsmiljöverket
  • Environmental incident: Report to municipality or Naturvårdsverket (if significant)
• Compliance Owner responsible for their area; coordinate with IMS Owner and legal counsel

Disciplinary Action (if non-compliance due to employee misconduct):

• HR handles disciplinary process
• Proportionate response (warning, suspension, termination based on severity)

Responsibility: Compliance Owner (for their area), IMS Owner (coordinate), Management (approve significant actions)

13. Inputs and Outputs

Inputs:

• Legal and regulatory sources (laws, regulations, standards)
• ISO 9001, 14001, 27001 requirements
• Customer contracts and requirements
• Risk assessments (SW-IMS-PRO-002)
• Incident reports and near-misses
• Audit findings (internal and external)
• Staff reports and concerns

Outputs:

• Compliance Obligation Register
• Compliance assessment reports (by area)
• Consolidated compliance report (for management review)
• Corrective action requests (if non-compliance identified)
• Compliance training materials and records
• Notifications to authorities (if required)
• Input to risk assessment and management review
• Evidence of compliance (for audits and certifications)

14. Records

Record	Retention Period	Location	Owner
Compliance Obligation Register	Current + 7 years superseded	[TBD - Document repository]	IMS Owner
Compliance Assessment Reports	7 years	[TBD - Document repository]	Compliance Owners
Legal Horizon Scanning Logs	5 years	[TBD - Document repository]	IMS Owner
Compliance Training Records	7 years	[TBD - Training system]	IMS Owner
Corrective Action Requests (compliance-related)	7 years	[TBD - CAR system]	IMS Owner
Authority Notifications and Correspondence	10 years	[TBD - Document repository]	Compliance Owner
Compliance Investigation Reports	7 years	[TBD - Confidential folder]	IMS Owner
Evidence of Compliance (varies by area)	Per legal requirements (typically 5-10 years)	[TBD - Document repository]	Compliance Owner

15. Related Documents

Policies:

• SW-IMS-POL-001: Integrated Management System Policy
• SW-QMS-POL-001: Quality Management Policy
• SW-EMS-POL-001: Environmental Management Policy
• SW-ISMS-POL-001: Information Security Policy
• [TBD - SW-HR-POL-001: Code of Conduct and Ethics Policy]
• [TBD - SW-ISMS-POL-003: Data Protection and Privacy Policy]

Procedures:

• SW-IMS-PRO-001: Document Control Procedure
• SW-IMS-PRO-002: Risk Assessment Procedure
• SW-IMS-PRO-003: Internal Audit Procedure
• SW-IMS-PRO-004: Management Review Procedure
• SW-IMS-PRO-005: Nonconformity and Corrective Action Procedure
• SW-ISMS-PRO-001: Incident Management Procedure (GDPR breach notification)
• SW-EMS-PRO-001: Emergency Preparedness and Response Procedure

External:

• ISO 9001:2015 - Clause 4.2 (Understanding needs and expectations), 9.1.2 (Compliance evaluation)
• ISO 14001:2015 - Clause 6.1.3 (Compliance obligations), 9.1.2 (Evaluation of compliance)
• ISO 27001:2022 - Clause 4.2 (Understanding needs and expectations), 9.1.2 (Compliance evaluation)
• GDPR (EU Regulation 2016/679)
• Swedish Work Environment Act (Arbetsmiljölagen)
• Swedish Environmental Code (Miljöbalken)
• Swedish Companies Act (Aktiebolagslagen)

16. Continuous Improvement

This procedure is reviewed and improved based on:

• Changes in legal and regulatory requirements
• Compliance assessment findings
• Non-compliance incidents and lessons learned
• Audit findings (internal and external audits)
• Feedback from Compliance Owners on process effectiveness
• Best practices in compliance management

Review Frequency: Annually, or when significant legal changes occur

Improvement suggestions should be submitted to the IMS Owner.

---

Appendix A: Compliance Obligation Register Template

Obligation ID	Compliance Area	Requirement Description	Legal Source	Applicability	Compliance Owner	Frequency	Evidence	Last Assessment	Status	Actions Required	Due Date	Notes
COMP-GDPR-001	Data Protection	Notify data breaches to IMY within 72 hours	GDPR Art. 33	Process personal data	CISO	As needed	Breach procedure, breach register	2025-01-15	Compliant	None	N/A	Include in annual GDPR audit
COMP-ENV-001	Environmental	Proper e-waste disposal	WEEE Directive, Swedish EPA	Electronic equipment	Environmental Lead	Ongoing	Disposal contracts, certificates	2025-01-10	Compliant	None	N/A	Annual review of disposal provider
COMP-HS-001	Health & Safety	Appoint safety representative	Arbetsmiljölagen 6 kap	>5 employees	HR Manager	One-time (maintain)	Appointment letter	2025-01-05	Compliant	None	N/A	Review annually
[Add more rows as applicable]

---

Appendix B: Compliance Assessment Checklist (Sample)

GDPR Compliance Assessment Checklist

Assessment Date: [Date]
Assessed By: [Name]

Instructions: Review each item and mark status. Document evidence and any issues identified.

#	Requirement	Status	Evidence	Notes/Issues
1. Lawfulness of Processing
1.1	Legal basis identified for each processing activity	☐ Compliant ☐ Non-Compliant ☐ Partial	Records of Processing Activities (ROPA)
1.2	Consent obtained where required (and documented)	☐ Compliant ☐ Non-Compliant ☐ N/A	Consent records
2. Data Subject Rights
2.1	Procedure for handling access requests	☐ Compliant ☐ Non-Compliant	Procedure document
2.2	Procedure for handling deletion requests (right to erasure)	☐ Compliant ☐ Non-Compliant	Procedure document
2.3	Log of data subject requests and responses	☐ Compliant ☐ Non-Compliant ☐ N/A	Request log
3. Data Breach Management
3.1	Data breach notification procedure in place	☐ Compliant ☐ Non-Compliant	SW-ISMS-PRO-001
3.2	Data breach register maintained	☐ Compliant ☐ Non-Compliant	Breach register
3.3	Staff trained on breach reporting	☐ Compliant ☐ Non-Compliant	Training records
4. Data Protection Impact Assessments (DPIAs)
4.1	DPIAs conducted for high-risk processing	☐ Compliant ☐ Non-Compliant ☐ N/A	DPIA documents
5. Records of Processing Activities (ROPA)
5.1	ROPA maintained and up-to-date	☐ Compliant ☐ Non-Compliant	ROPA document
5.2	All processing activities documented	☐ Compliant ☐ Non-Compliant	ROPA document
6. Third-Party Processors
6.1	Data Processing Agreements (DPAs) with all processors	☐ Compliant ☐ Non-Compliant	DPA contracts
6.2	Vendor assessments for GDPR compliance	☐ Compliant ☐ Non-Compliant	Assessment records
7. Privacy Policies and Notices
7.1	Privacy policy published and accessible	☐ Compliant ☐ Non-Compliant	Website, intranet
7.2	Privacy notices provided to data subjects (customers, employees)	☐ Compliant ☐ Non-Compliant	Privacy notices
8. Data Protection by Design and Default
8.1	Privacy considered in system design	☐ Compliant ☐ Non-Compliant	Design docs, procedures
8.2	Default settings are privacy-friendly	☐ Compliant ☐ Non-Compliant	System config
9. Training and Awareness
9.1	GDPR training provided to all staff	☐ Compliant ☐ Non-Compliant	Training records
10. Data Protection Officer (DPO)
10.1	DPO appointed if required (assess applicability)	☐ Compliant ☐ Not Required	DPO appointment (if applicable)

Overall Assessment:

• Total Items: [#]
• Compliant: [#]
• Non-Compliant: [#]
• Partial: [#]
• Not Applicable: [#]

Summary: [Brief summary of GDPR compliance status]

Actions Required: [List any corrective actions needed]

Assessor Signature: _____________________ Date: ___________

---

Document Control

Version	Date	Author	Changes
1.0	[TBD]	[Author]	Initial release

---

Approval

Role	Name	Signature	Date
IMS Owner
Management Team Representative