If you answer yes to any of these three questions you must have a data protection officer:
- Are you a public authority or an elected assembly, i.e. a public body?
- Do your core activities consist of regular and systematic monitoring of individuals on a large scale?
- Do your core activities consist of processing sensitive personal data or information about crimes on a large scale?
Public bodies in Sweden are public authorities and elected bodies: Parliament, municipal councils, county council assemblies and regional assemblies.
Who are not public bodies?
Private companies, associations and organisations are not public bodies. Nor are companies owned by municipalities or county councils. You may still need a data protection officer if you answer yes to question 2 or 3.
"Core activities" are the necessary central activities that an organisation carries out to achieve its goals.
- A shoe shop's core activity is selling shoes.
- In the case of a security services company, its core activity might be surveillance of public places.
- A hospital's goal is to provide health and medical care. To be able to do so a hospital must process health information. Processing of sensitive data is therefore a core activity for the hospital.
Regular and systematic monitoring
Regular and systematic monitoring is constant or recurrent monitoring that is carried out according to a system or plan.
- all forms of tracking and profiling on the Internet
- profiling for risk assessments
- position tracking in mobile apps
- loyalty programmes
- surveillance cameras
- connected devices, for example smart meters (the Internet of Things, IoT)
What can be considered "large scale" may be difficult to assess, but depends among other things on the number of data subjects, how much information is processed, the types of information that are processed, and for how long the information is processed.
Examples of organisations that process personal data on a large scale:
- Hospitals – patient data
- public transport – journey data relating to individual travellers
- Insurance companies or banks – information relating to customers' property and assets
Examples of activities where personal data is not processed on a large scale:
- an individual doctor processes patient data
- an individual lawyer processes personal data relating to convictions in criminal cases and criminal convictions and offences.
Who do not need to have a data protection officer?
The simplest answer is that anyone who answers no to the above questions does not need to have a data protection officer.
Some examples: This thus means that non-public bodies, such as companies and associations, do not need data protection officers if they for example
- hold little information relating to their customers or information that is not sensitive
- do not process personal data in their core activities
- hold only certain information relating to their employees, for example to be able to pay wages and salaries.
Sharing data protection officers
A data protection officer may be responsible for several different public authorities or several different companies within the same group.
This is naturally provided that the data protection officer has sufficient time and resources to be able to carry out his or her duties and that everyone who needs to come in contact with the data protection officer can do so easily.
Several people can act as data protection officers together
There is nothing to prevent anyone having a group of people who carry out the data protection officer's tasks provided all the members of the group satisfy the stipulated requirements. The group must also have a designated contact person.
The data processor may need a data protection officer even if the controller does not need one
All organisations must make their own assessment of whether they need a data protection officer. It may be the case that a data processor needs a data protection officer even if its client does not need a data protection officer.
Some examples: A small company has a data processor who has many similar clients. This means that the data processor processes large amounts of personal data and from many different clients. The data processor may then need to designate a data protection officer despite the small company not needing one.
The Swedish Data Protection Authority recommends
Even if you do not need to have a data protection officer it may be a good idea for an organisation to have one to create structure in the work with personal data. It may also create confidence on the part of the data subjects, your customers. It may also give some advantages as regards competition with other companies.
We recommend that organisations designate a data protection officer even if they are not obliged to if they
- carry out tasks in the public interest
- carry out tasks that involve exercise of official authority.
If the information in other languages are different from the Swedish version, it is the Swedish version that applies.