The Swedish Data Protection Authority (Sw. Datainspektionen, the “DPA”) initiated an audit at the end of May 2018. The audit examined whether data protection officers (“DPO”) had been appointed and whether the DPO’s contact details had been communicated to the DPA by 25 May 2018, in accordance with article 37 of the General Data Protection Regulation (“GDPR”). In total, 400 organisations in the public and private sector were reviewed: public authorities, banks, insurance companies, public transport companies, telecommunications operators, trade unions and private health care providers.
The audit resulted in 66 supervisory cases, of which the DPA decided to issue reprimands to 57 organisations and to issue injunctions in two more severe cases.
The audit gives rise to two noteworthy observations. First, the DPA’s assessment of whether the core activities of the private actors in the six represented industries fall under article 37.1(b) and/or article 37.1(c) GDPR. Secondly, it is interesting to note that the DPA chose to issue reprimands and injunctions instead of administrative fines.
The private actors’ core activities
According to article 37.1(a) GDPR, a public authority or body is required to designate a DPO. Actors in the private sector are, as a main rule, exempt from this requirement, but they must also appoint a DPO if the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (article 37.1(b) GDPR), or of processing on a large scale of sensitive personal data (special categories of data under article 9 GDPR) or of personal data relating to criminal convictions and offences (article 37.1(c) GDPR). Furthermore, under the same article, the controller or processor is obliged to publish the DPO’s contact details and to communicate them to the DPA (article 37.7 GDPR).
The DPA has stated the following in relation to article 37 GDPR and the private actors:
- For telecommunications operators and a number of public transport companies the DPA has found that the processing of personal data carried out is of such nature that these operators and companies are, according to article 37.1(b) GDPR, obliged to designate a DPO.
- For private healthcare providers and trade unions, the DPA has found that they are obliged to designate a DPO due to the processing of sensitive personal data on a large scale in accordance with article 37.1(c) GDPR. How the DPA reached this conclusion is not clearly stated in the audit; however, it is most likely because these organisations process personal data concerning health and trade union membership, both of which are special categories of personal data under article 9 GDPR.
- For banks and insurance companies, the DPA has found that the processing of personal data is of such nature that they, according to article 37.1(b) GDPR and article 37.1(c) GDPR, are obliged to designate a DPO.
Reprimands and injunctions
In the supervisory cases where the organisations had appointed a DPO and reported this to the DPA only after 25 May 2018, the DPA decided to issue reprimands. In the two cases where the supervised organisations had neither designated a DPO nor reported contact details to the DPA, even after the DPA initiated the audit, the organisations were issued an injunction. A reprimand is a warning, whereas an injunction is an order from a court or, as in this case, an authority, requiring the person or organisation to which it applies either to take or to cease a specific measure. The DPA’s stated reason for issuing reprimands and injunctions instead of administrative fines is that the audit was carried out shortly after the GDPR entered into force. However, according to the Director General of the DPA, administrative fines cannot be ruled out if further deficiencies are found.
Conclusions
The audit gives an indication both of overall compliance and of how well public authorities as a group, and each of the reviewed industries, meet the requirement to designate a DPO. This is the DPA’s first audit under the GDPR. Given the short time since the GDPR entered into force and the absence of case-law and guidance in this area, it is important that the supervisory authorities in the European Union continue to work on clarifying the provisions of the regulation.
The requirement for public authorities to appoint a DPO is clearly stated in the GDPR. Unfortunately, the same cannot be said of the private sector. This audit is therefore a more than welcome contribution to clarifying when the provisions on the designation of a DPO apply, and it helps private actors decide whether a DPO is required.
The upcoming audits from the Swedish Data Protection Authority
The DPA will commence several major audits this autumn. The purpose of these audits is, among other things, to provide guidance on the new data protection rules, including the GDPR. One of the audits focuses on consent as the legal basis for collecting and processing personal data. Another audit will clarify the distinction between the data controller and the data processor. In a third supervisory audit, the review of DPOs continues.
There are several issues related to the distinction between the data controller and the data processor that are interesting and, above all, necessary to examine further. We therefore look forward to the results of these audits and hope that the DPA can provide guidance for the organisations struggling to determine whether they are to be considered a data controller or a data processor.
The DPA has not yet announced when these audits will be concluded.
The authors are Thomas Nygren and Alexandra von Perner.