The Swedish Data Protection Authority has published its supervisory plan for 2019–2020. The planned activities address different aspects of privacy law. One such aspect is whether companies are aware of how the responsibilities of the Controller and the Processor are regulated and clearly distinguished.
In addition, the Swedish DPA will look into processing of personal data using consent as the legal basis for the processing. The Swedish DPA has stated that it is important to develop case law on this subject to afford better protection for data subjects. The aspects of consent will focus on the following criteria: voluntariness, information, clarity and scope.
The Swedish DPA has also stated that it is important to develop case law regarding when the GDPR is applicable and when other national laws such as the Swedish Payment Service Act or the Swedish Credit Reference Services Act apply. This is important according to the Swedish DPA since the business regulated by these two Swedish national acts is of the kind that involves processing of personal data that merits a higher level of protection.
The Swedish DPA sees a need for supervising certain business sectors in particular. Sectors where sensitive personal data or children’s personal data are processed are especially relevant. Within the healthcare sector, the Swedish DPA will focus on fundamental structures for the processing of personal data, such as responsibility, transparency and protection from unauthorized access and sharing. The DPA will also focus on the legal basis for processing personal data.
Concerning schools and other educational institutions or companies, the DPA considers it especially important to protect the integrity of children. The Swedish DPA will therefore target this sector by focusing on the legal basis for the processing of children’s personal data and on whether structures exist to protect the data from unauthorized access or sharing, including camera surveillance and facial recognition technologies that may be used in the educational environment.
A general supervisory activity that is not limited to any specific business sector is the processing of personal data in an employer-employee relationship. The supervisory activities will mainly focus on the employer’s surveillance of its employees, but will also focus on fundamental privacy principles such as legal basis and transparency requirements.
The Swedish DPA has stated that the processing of an individual’s geographic location is a type of personal data processing that affects many people. It is therefore important to focus on how such processing is to be conducted in order to comply with privacy laws. The Swedish DPA’s supervisory activities will focus on fundamental principles such as lawfulness, fairness and transparency for processing of personal data made by mobile operating systems.
In the retail sector, incentive programs and membership clubs are common. According to the Swedish DPA, the amount of personal data processed within such programs or clubs is usually large and can thus be rather sensitive from an integrity perspective. The legal basis for the processing is therefore to be reviewed, with particular interest in the legal basis for profiling.
Money transmission service providers process a large amount of customers’ shopping history, and the processing concerns a large number of people. For this sector, the Swedish DPA sees a need to clarify certain legal privacy issues, such as the purpose of the processing and routines for deleting personal data that is no longer needed.
For the debt collection service sector, the DPA is aiming towards ensuring compliance with the Swedish Debt Collection Act (1974:182) (Swe. Inkassolag). The focus for the supervisory activities will be large debt collection service providers.
Companies in healthcare, financial services, retail and companies that use technical instruments such as surveillance, geographic localization and facial recognition should be prepared for the possibility of being subject to supervisory activities. Since the GDPR has been in force for almost a year now, it is likely that the DPA will presume that companies have had time to establish compliance systems following the GDPR framework and therefore will be stricter when fulfilling its supervisory obligations. Although being an actor within the sectors subjected to the supervision activities does not per se increase a company’s liability, it increases the risk of being subject to supervision and ultimately being subject to administrative fines.
All companies, especially those within the sectors mentioned above, should take action to ensure that they are able to demonstrate compliance with the fundamental privacy law principles such as lawfulness, fairness and transparency. This concerns, in particular, processing of personal data in the employer-employee relationship. Companies should establish written procedures for the processing of personal data, including the purpose and the legal basis of the processing, in order to be able to demonstrate their activities and the measures undertaken in the event of being subject to supervision activities. Companies should also document how they inform the data subjects of the processing of their personal data. If processing of personal data is based on consent, it is important for companies to be able to demonstrate that their procedures for requesting consent comply with GDPR principles. Furthermore, it will become even more important to be able to demonstrate knowledge of the distinction between the Controller’s and Processor’s responsibilities by clearly mapping which companies data processor agreements have been entered into with, and for what purposes.
Companies should also focus on the implementation of systems, or be able to demonstrate the rationale behind those already in place, in order to prevent unauthorized access to and sharing of personal data.