The data protection officer's overarching and most important task is to monitor the organisation's compliance with the General Data Protection Regulation. This means, among other things:
- collecting information about how the organisation processes personal data
- checking that the organisation complies with regulations and internal policy documents
- providing information and advice within the organisation.
The data protection officer must also:
- give advice on impact assessments
- be the Swedish Data Protection Authority's contact person
- be the contact person for the data subjects and the organisation's personnel
- cooperate with the Swedish Data Protection Authority, for example during inspections.
The data protection officer is not responsible and may not be punished
The data protection officer has no personal responsibility for the organisation's compliance with the General Data Protection Regulation. This responsibility always lies with the data controller or the data processor. Nor may the data controller punish the data protection officer for having carried out his or her duties.
The data protection officer must always be involved if an organisation makes, or is considering making, an impact assessment concerning processing of personal data. An impact assessment is necessary if you intend to collect personal data and people's rights and freedoms are put at great risk.
Be a contact person and cooperate with the Swedish Data Protection Authority
The data protection officer is to be the contact person for:
- those data subjects who wish to reach the data protection officer to find out what data relating to them has been registered
- personnel within the organisation who may wish to know if they are acting correctly when they process personal data
- the Swedish Data Protection Authority, which may wish to inspect the organisation's activities.
If the information in other languages differs from the Swedish version, it is the Swedish version that applies.