Confidentiality & Privacy
MomsFokus AB’s Privacy and Confidentiality Statement explains how we process, protect and store personal data in our VAT advisory and compliance services, including AML/KYC, marketing and website activities, in accordance with GDPR.
Privacy & Confidentiality Statement
Processing of Personal Data in MomsFokus AB’s Operations
Effective date: 23 October 2025
1. Introduction and Scope
For a VAT advisory and compliance boutique such as MomsFokus AB (“MomsFokus”, “we”, “us”), it is essential that client-related information — including personal data — is treated securely and confidentially, and that applicable regulations are complied with. The same applies to information we handle regarding employees, consultants, and suppliers.
This statement describes MomsFokus’ processing of personal data in our client engagements in an open and transparent manner so that individuals understand how and why their personal data is handled and what rights they have in relation to us. It also covers personal data collected via our external website and in marketing activities.
Information for employees is provided in our internal employee privacy information. For recruitment activities, information is provided to candidates in our recruitment privacy notice available with our job advertisements.
Key definitions
Personal data means any information relating to an identified or identifiable natural person.
Processing means any operation performed on personal data (collecting, recording, structuring, storing, adapting, retrieving, consulting, using, disclosing, erasing, etc.).
Controller means the entity that determines the purposes and means of the processing.
Processor means the entity that processes personal data on behalf of the controller.
2. MomsFokus AB as Controller and Processor
MomsFokus AB (org. no. 559347-2870) is the controller for the processing described in this statement when carried out for our own purposes (for example client relationship management, billing, compliance, marketing, website).
In specific client engagements, we may act as:
- Controller – where we determine purposes and means (for example our own engagement documentation, quality and risk management, AML/KYC records, advisory deliverables we produce and store for our file, or services provided directly to individuals).
- Processor – where we process a client’s personal data strictly on their documented instructions (for example VAT return filings using client data). In such cases, we enter into a data processing agreement with the client.
We maintain internal guidance to determine our role per engagement, and this is documented in the engagement letter and/or data processing terms.
Contact (for all privacy matters):
Email: kontakt@momsfokus.se
Phone: +46 (0) 765 99 64 54
Website: www.momsfokus.se
MomsFokus has not appointed a Data Protection Officer under GDPR. The above contact details apply for all privacy-related enquiries.
3. Processing of Personal Data in Advisory and Compliance Engagements
3.1 Service Areas
We provide VAT advisory, VAT compliance and reporting (VAT returns, OSS, EC Sales List, Intrastat), VAT registrations, tax controversy and appeals, transactional support (VAT due diligence, risk reviews, structuring), and client relationship management and marketing.
3.2 Categories of Personal Data
Depending on engagement type, we may process:
- Identity and contact data (name, role, title, employer, email, phone, address)
- Engagement data (correspondence, instructions, working materials, evidence)
- Compliance and KYC data (identification, ownership, PEP/sanctions screening)
- Financial and billing data (invoices, payments, time entries)
- Case data (submissions and communications with authorities)
3.3 Sources of Data
Primarily from clients and their representatives, and otherwise from public registers (Bolagsverket), sanctions databases, counterparties, or authorities.
3.4 Purposes and Legal Bases
- Delivering and documenting engagements, communicating with clients and authorities.
Legal bases: contract (when with an individual client), legitimate interests (for B2B work), and legal obligation (record-keeping). - Regulatory duties including AML/KYC, sanctions checks, and accounting obligations.
Legal basis: legal obligation or public interest. - Risk management and defence of legal claims.
Legal basis: legitimate interests.
3.5 Recipients
MomsFokus staff, engaged consultants, sub-consultants and processors (for secure hosting, IT support, project management), and relevant authorities or courts where legally required.
3.6 Retention
Engagement documentation is normally retained for 10 years after completion. Accounting records are retained for 7 years. Relevant emails are kept with the engagement file.
4. AML/KYC and Risk Management Measures
4.1 Background
We are subject to the Swedish Anti-Money Laundering and Counter-Terrorist Financing Act (2017:630). We perform client due diligence and ongoing monitoring.
4.2 Purposes
To identify and verify clients and representatives, establish beneficial ownership, assess business relationships, perform sanctions and PEP screening, and report suspicious activities to Finanspolisen when required.
4.3 Categories of Data
Identification data, ownership structure, PEP/sanctions results, relationship and verification documentation.
4.4 Legal Basis and Sources
Legal obligation and public interest. Data is collected from clients, representatives, public registers, and third-party databases.
4.5 Retention and Recipients
Data is retained as required by AML law (generally five years after the end of the business relationship). It may be shared with competent authorities when legally required.
4.6 Conflicts of Interest and Sanctions Screening
We process data to perform conflict checks and sanctions screenings. Legal basis is legitimate interests and, where relevant, legal obligation. Retention aligns with AML and engagement documentation.
5. Administrative Measures and Engagement Documentation
5.1 Client Registers
We maintain records of client representatives and engagement metadata to administer assignments and perform risk checks.
- Legal bases: contract, legitimate interests, and legal obligation.
- Retention: contact data is kept up to 12 months after engagement end, or longer if needed.
5.2 Quality Oversight and Legal Defence
We may review files internally for quality control and retain them to defend legal claims.
- Legal basis: legitimate interests.
- Retention: normally within the 10-year file retention period.
6. Direct Marketing and Communications
6.1 Purpose
We conduct B2B marketing to existing and potential clients through newsletters, insights, event invitations, and service updates.
6.2 Legal Bases
Legitimate interests for professional contacts; consent when required for electronic marketing. You can object to direct marketing at any time.
6.3 Data Categories and Sources
Professional contact details, role, employer, sector, interests, and interaction data. Data may come from clients, events, or public sources such as LinkedIn.
6.4 Events
If you register for a seminar or webinar, we process your contact data for communication and follow-up. Special dietary data is processed only with consent.
Retention: participant lists are stored up to six months, or longer if needed for accounting.
6.5 Retention and Opt-Out
Marketing contact data is kept until you unsubscribe or it becomes irrelevant. Unsubscribe links are included in emails, or you may contact kontakt@momsfokus.se.
7. Website Interaction, Cookies and Analytics
7.1 Data Collected Online
If you register or log in using a third-party service (LinkedIn or Google), we receive the information you allow the provider to share.
Legal bases: legitimate interests (functionality, security) and consent (analytics and tracking).
7.2 Cookies
We use cookies and similar technologies to make the site function, measure performance, remember preferences, and deliver relevant marketing.
Consent is required for non-essential cookies. You can change settings anytime through the cookie banner or your browser.
7.3 Social Media and External Links
Social sharing tools (LinkedIn, X/Twitter) are governed by the third party’s own privacy policies. External links are not covered by this statement.
8. Transfers and Data Processors
8.1 Processors and Systems
We use Microsoft 365 (Exchange Online, SharePoint, OneDrive, Teams) and Spiro (CRM) as key platforms. Other processors may include IT support, e-signature, and mailing tools. All are bound by written data processing agreements.
8.2 International Transfers
We primarily process data within the EU/EEA. If data is transferred outside the EU/EEA, we use the EU Standard Contractual Clauses and assess additional safeguards where needed.
8.3 Transfers Required by Law
We may disclose data when required by authorities or courts or to comply with AML reporting obligations.
9. Security and Confidentiality
We implement technical and organisational measures to protect confidentiality, integrity, and availability. These include access controls, encryption, secure configurations, monitoring, vendor management, and staff confidentiality training. We regularly review and update these measures.
10. Data Subject Rights
You have the right to:
- Access your data and receive confirmation of processing.
- Request correction of inaccurate or incomplete data.
- Request deletion where no legal obligation requires retention.
- Request restriction of processing.
- Receive your data in a portable format.
- Object to processing based on legitimate interests, including direct marketing.
- Withdraw consent at any time without affecting earlier processing.
We may need to verify your identity before fulfilling a request. No fee is charged unless the request is unfounded or excessive.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
11. Contact Information
Controller: MomsFokus AB
Org. no.: 559347-2870
Email: kontakt@momsfokus.se
Phone: +46 (0) 765 99 64 5
Website: www.momsfokus.se
12. Updates to This Statement
We may update this statement periodically. The latest version will always be available on our website with the date of the latest revision.
Hittade du inte svaret?
Ställ dina frågor – ring oss direkt eller skicka ett mejl!
