
The Swedish Data Protection Authority’s first audit under the GDPR

The Swedish Data Protection Authority (Sw. Datainspektionen, the “DPA”) initiated an audit at the end of May 2018. The audit examined whether data protection officers (“DPO”) had been appointed and whether the DPO’s contact information had been notified to the DPA before 25 May 2018, in accordance with article 37 of the General Data Protection Regulation (“GDPR”). In total, 400 organisations in the public and private sector were reviewed, represented by authorities, banks, insurance companies, public transport companies, telecommunications operators, trade unions and private health care providers.

The audit resulted in 66 supervisory cases, of which the DPA decided to issue reprimands to 57 organisations and to issue injunctions in two more severe cases.

The audit gives rise to two compelling observations. The first is the DPA’s assessment of the private actors’ and the six represented industries’ core activities in accordance with article 37.1(b) and/or article 37.1(c) of the GDPR. Secondly, it is interesting to note that the DPA chose to issue reprimands and injunctions instead of administrative sanctions.

The private actors’ core activities

According to article 37.1(a) GDPR, an authority or public body is required to designate a DPO. Actors in the private sector are, as a main rule, exempt from this requirement, but they also have to appoint a DPO if the core activities of the controller or the processor consist of processing operations which require either regular and systematic monitoring of data subjects on a large scale (article 37.1(b) GDPR), or processing of sensitive personal data or of personal data relating to criminal convictions on a large scale (article 37.1(c) GDPR). Furthermore, there is an obligation under the same article to communicate the DPO’s contact details to the DPA (article 37.7 GDPR).

The DPA has stated the following in relation to article 37 GDPR and the private actors:

  • For telecommunications operators and a number of public transport companies, the DPA has found that the processing of personal data carried out is of such a nature that these operators and companies are, according to article 37.1(b) GDPR, obliged to designate a DPO.
  • For private healthcare providers and trade unions, the DPA has found that they are obliged to designate a DPO due to the processing of sensitive data on a large scale in accordance with article 37.1(c) GDPR. How the DPA reached this conclusion is not clearly stated in the audit; however, it is most likely due to the fact that these organisations process personal data regarding health and trade union membership, which is considered sensitive personal data according to article 9 of the GDPR.
  • For banks and insurance companies, the DPA has found that the processing of personal data is of such a nature that they, according to article 37.1(b) GDPR and article 37.1(c) GDPR, are obliged to designate a DPO.

Reprimands and injunctions

In the supervisory cases where the organisations appointed a DPO and reported this to the DPA after 25 May 2018, the DPA decided to issue reprimands. In the two cases where the supervised organisations had neither designated a DPO nor reported contact information to the DPA even after the DPA initiated the audit, the supervised organisations were given an injunction. A reprimand is a warning, while an injunction is an order from a court or, as in this case, an authority, which means that the person or organisation to which the order applies shall either perform or terminate a measure. The DPA has justified its decision to issue reprimands and injunctions, instead of imposing administrative sanctions, by the fact that the audit was made shortly after the GDPR came into force. However, according to the director general of the DPA, imposing an administrative sanction cannot be excluded in cases of further deficiencies.

Conclusions

The audit gives an indication both of overall compliance and of how well the public authorities as a group and each respective industry follow the requirement to designate a DPO. This is the first audit from the DPA under the GDPR. Due to the short time since the GDPR came into force and the absence of case-law and guidance in this area, it is important that the supervisory authorities in the European Union work continuously to clarify the provisions of the regulation.

The requirement for public authorities to appoint a DPO is clearly stated in the GDPR. Unfortunately, the same cannot be said as regards the private sector. This audit is, therefore, a more than welcome contribution to clarifying when the provisions regarding the designation of a DPO apply, and it helps private actors to decide whether a DPO is required or not.

The upcoming audits from the Swedish Data Protection Authority

The DPA will commence several major audits during this autumn. The purposes of these audits are, among other things, to provide guidance on the new data protection rules, including the GDPR. One of the audits focuses on consent as the legal basis for collecting and processing personal data. Another audit will clarify the distinction between the data controller and the data processor. In a third supervisory audit, the review of DPOs continues.

There are several issues related to the distinction between the data controller and the data processor that are interesting and, most of all, necessary to look further into. We, therefore, look forward to the results of these audits and hope that the DPA can provide some guidance for the organisations struggling to determine whether they are to be considered a data controller or a data processor.

The DPA has not yet announced when these supervisory audits will be concluded.

The au­thors are Thomas Nygren and Alexandra von Perner.