TMT | IP Publikationer

The Swedish Data Protection Authority’s first audit under the GDPR

The Swedish Data Protection Authority (Sw. Datainspektionen DPA) ini­ti­a­ted an au­dit at the end of May 2018. The au­dit ai­med at whet­her da­ta pro­tec­tion of­fi­cers (“DPO”) had be­en ap­poin­ted and if the DPO’s con­tact in­for­ma­tion had be­en no­ti­fi­ed to the DPA be­fo­re May 25 2018 in ac­cor­dan­ce with ar­tic­le 37 of the General Data Protection Regulation (“GDPR”). In to­tal 400 or­ga­ni­sa­tions in the pub­lic and pri­va­te sector, re­pre­sen­ted by aut­ho­ri­ti­es, banks, in­su­ran­ce com­pa­ni­es, pub­lic trans­port com­pa­ni­es, te­le­com­mu­ni­ca­tions ope­ra­tors, tra­de uni­ons and pri­va­te he­alth ca­re pro­vi­ders, we­re re­vi­ewed.

The au­dit re­sul­ted in 66 su­per­vi­so­ry ca­ses, of which the DPA de­ci­ded to is­sue re­pri­mands to 57 or­ga­ni­sa­tions and to is­sue in­jun­c­tions in two mo­re se­ve­re ca­ses.

The au­dit po­ses for two com­pel­ling ob­ser­va­tions. First,  the DPA’s as­sess­ment of the pri­va­te ac­tors’ and the six re­pre­sen­ted in­du­stri­es’ co­re ac­ti­vi­ti­es in ac­cor­dan­ce with ar­tic­le 37.1(b) and/or ar­tic­le 37.1(c) in the GDPR. Secondly it is in­te­re­s­ting to no­te that the DPA cho­se to gi­ve re­pri­mands and in­jun­c­tions, ins­te­ad of ad­mi­nist­ra­ti­ve san­c­tions.

The pri­va­te ac­tors’ co­re ac­ti­vi­ti­es

According to ar­tic­le 37.1(a) GDPR, an aut­ho­ri­ty or pub­lic bo­dy is requi­red to de­sig­na­te a DPO. Actors in the pri­va­te sector are, as a main ru­le, ex­empt from this requi­re­ment, but if the co­re ac­ti­vi­ti­es of the con­trol­ler or the pro­ces­sor con­si­st of pro­ces­sing ope­ra­tions which requi­re eit­her re­gu­lar and sys­te­ma­tic mo­ni­to­ring of da­ta sub­jects on a lar­ge sca­le (ar­tic­le 37.1(b) GDPR), pro­ces­sing of sen­si­ti­ve per­so­nal da­ta, or pro­ces­sing of per­so­nal da­ta re­la­ting to cri­mi­nal con­vic­tions on a lar­ge sca­le (ar­tic­le 37.1(c) GDPR) they al­so ha­ve to ap­point a DPO. Furthermore, the­re is an ob­li­ga­tion to in­form the DPO’s con­tact de­tails to the DPA un­der the sa­me ar­tic­le (ar­tic­le 37.7 GDPR).

The DPA has sta­ted the following in re­la­tion to ar­tic­le 37 GDPR and the pri­va­te ac­tors:

  • For te­le­com­mu­ni­ca­tions ope­ra­tors and a num­ber of pub­lic trans­port com­pa­ni­es the DPA has found that the pro­ces­sing of per­so­nal da­ta car­ri­ed out is of such na­tu­re that the­se ope­ra­tors and com­pa­ni­es are, ac­cor­ding to ar­tic­le 37.1(b) GDPR, ob­li­ged to de­sig­na­te a DPO.
  • For pri­va­te he­alt­h­ca­re pro­vi­ders and tra­de uni­ons, the DPA has found that they are ob­li­ged to de­sig­na­te a DPO, due to the pro­ces­sing of sen­si­ti­ve da­ta on a lar­ge sca­le in ac­cor­dan­ce with ar­tic­le 37.1(c) GDPR. How the DPA re­ached this con­clu­sion is not clear­ly sta­ted in the au­dit, ho­wever, it is most li­kely due to the fact that the or­ga­ni­sa­tions pro­cess per­so­nal da­ta re­gar­ding he­alth and tra­de uni­on mem­bers­hip, which is con­si­de­red sen­si­ti­ve per­so­nal da­ta ac­cor­ding to ar­tic­le 9 of the GDPR.
  • For banks and in­su­ran­ce com­pa­ni­es, the DPA has found that the pro­ces­sing of per­so­nal da­ta is of such na­tu­re that they, ac­cor­ding to ar­tic­le 37.1(b) GDPR and ar­tic­le 37.1(c) GDPR, are ob­li­ged to de­sig­na­te a DPO.

Reprimands and in­jun­c­tions

In the su­per­vi­so­ry ca­ses whe­re the or­ga­ni­sa­tions ap­poin­ted a DPO and re­por­ted this to the DPA af­ter 25 May 2018, the DPA de­ci­ded to is­sue re­pri­mands. In the two ca­ses whe­re the su­per­vi­sed or­ga­ni­sa­tions did not de­sig­na­te a DPO or re­por­ted con­tact in­for­ma­tion to the DPA even af­ter the DPA ini­ti­a­ted the au­dit, the su­per­vi­so­ry ob­jects we­re gi­ven an in­jun­c­tion. A re­pri­mand is a war­ning whi­le an in­jun­c­tion is an or­der from a court or as in this ca­se an aut­ho­ri­ty which me­ans that the per­son or the or­ga­ni­sa­tion to which the or­der ap­pli­es shall eit­her per­form or ter­mi­na­te a me­a­su­re. The DPA has mo­ti­va­ted this de­ci­sion to gi­ve re­pri­mands and in­jun­c­tions, ins­te­ad of im­po­sing ad­mi­nist­ra­ti­ve san­c­tions, due to the fact that the au­dit was ma­de short­ly af­ter the GDPR ca­me in­to for­ce. However, to im­po­se an ad­mi­nist­ra­ti­ve san­c­tion can­not be ex­clu­ded in ca­ses of furt­her de­fi­ci­en­ci­es, ac­cor­ding to the director ge­ne­ral of the DPA.

Conclusions

The au­dit gi­ves an in­di­ca­tion both of the com­pli­an­ce in to­tal and how well the pub­lic aut­ho­ri­ti­es as a group and the re­specti­ve in­du­stry follow the requi­re­ments to de­sig­na­te a DPO. This is the first au­dit from the DPA in ac­cor­dan­ce with the GDPR. Due to the short ti­me sin­ce the GDPR ca­me in­to for­ce and the ab­sence of ca­se-law and gui­dan­ce in this area, it is im­por­tant that the su­per­vi­so­ry aut­ho­ri­ti­es in the European Union work con­ti­nu­ously with this to cla­ri­fy the pro­vi­sions of the re­gu­la­tion.

The requi­re­ment to ap­point a DPO re­gar­ding pub­lic aut­ho­ri­ti­es is clear­ly sta­ted in the GDPR. Unfortunately the sa­me can­not be sa­id as re­gards the pri­va­te sector. This au­dit is, the­re­fo­re, a mo­re than wel­come con­tri­bu­tion to cla­ri­fy­ing when the pro­vi­sions re­gar­ding the de­sig­na­tion of a DPO ap­pli­es and hel­ps the pri­va­te ac­tors to de­ci­de whet­her a DPO is requi­red or not.

The upcoming au­dits from the Swedish Data Protection Authority

The DPA will com­mence se­ve­ral ma­jor au­dits du­ring this autumn. The pur­po­ses of the­se au­dits are i.a., to pro­vi­de gui­dan­ce on the new da­ta pro­tec­tion ru­les, in­clu­ding the GDPR. One of the au­dits focu­ses on con­sent as the le­gal ba­sis for col­lecting and pro­ces­sing per­so­nal da­ta. Another au­dit will cla­ri­fy the distin­c­tion between the da­ta con­trol­ler and the da­ta pro­ces­sor. In a third su­per­vi­so­ry au­dit, the re­vi­ew of DPOs con­ti­nue.

There are se­ve­ral is­sues re­la­ted to the distin­c­tion between the da­ta con­trol­ler and the da­ta pro­ces­sor that are in­te­re­s­ting and, most of all, ne­ces­sa­ry to look furt­her in­to. We, the­re­fo­re, look for­ward to the re­sults of the­se au­dits and ho­pe that the DPA can pro­vi­de so­me gui­dan­ce for the or­ga­ni­sa­tions strugg­ling to de­ter­mi­ne whet­her they are to be con­si­de­red as a da­ta con­trol­ler or a da­ta pro­ces­sor.

The DPA has not yet no­ti­fi­ed the pub­lic when the au­di­to­ry su­per­vi­sion will be con­clu­ded.

Författare är Thomas Nygren och Alexandra von Perner.