Euroopan tietosuojaneuvosto

First Swedish GDPR audit completed

Tuesday, 23 October, 2018

The Swedish Data Protection Authority has examined whether more than 350 companies and authorities have appointed a data protection officer. The audit shows, among other things, shortcomings in nearly a quarter of the unions selected for control.

According to the General Data Protection Regulation, GDPR, all authorities and also certain companies are obliged to designate a data protection officer. This person shall check that its own organization complies with data protection regulations, and inform and advise internally.

"It is a very important role when it comes to raising awareness and compliance with GDPR, which is why we prioritized this as our first GDPR review," says Inspector General Lena Lindgren Schelin.

The Swedish Data Protection Authority has conducted a broad review of more than 350 authorities and companies and has examined whether they appointed a data protection officer and, if they also have reported this to the Swedish Data Protection Authority, which they must do.

The audit shows that the majority of the organizations have notified and appointed a data protection officer in time. However, some sectors stand out in a negative way. Of the 51 unions included in the supervision, nearly 25 percent had deficiencies.

"The review was conducted shortly after GDPR came into effect on May 25th. Therefore we have not gone further than issuing reprimands. But, if in the future we continue to see shortcomings when it comes to appointing a data protection officer, fines will be on the table”, says Lena Lindgren Schelin.

Read the summary of the supervision in pdf-format

For further information, please contact the Swedish supervisory authority at