Marta Wiśniewska

Attorney at law (Poland)
Senior Associate
Phone: +48 22 244 00 22

The General Data Protection Regulation (GDPR) does not directly require data controllers to issue written authorisations for data processing. The GDPR uses only the terms "under the authority of" or "on instructions from" a data controller, without prescribing the form of such an authorisation.

Authorisation according to the GDPR

However, the regulations discussed in this article stress the accountability principle, i.e. the data controller's ability to prove that a person (e.g. an employee) processes data under the controller's authority.

The old obligation to have written authorisations lapsed when the GDPR entered into force, so many enterprises stopped issuing them when implementing new data protection measures.

The scope of an individual's "authority" to process data (especially to access them) often results directly from that person's access rights to IT systems and is frequently described in general in-house regulations binding on that person (e.g. the job description which describes in detail the right to process data depending on the official responsibilities).

From a practical perspective, an electronic system of authorisations offers better control over the authorisations and makes them easier to adapt (e.g. when responsibilities change as a result of an individual's change of job position within an organisation).

Polish Sectoral Act

The Act of 21 February 2019 amending certain acts to ensure the application of the GDPR (so-called "Sectoral Act") came into force on 4 May 2019. It is meant to adjust Polish laws to the GDPR requirements.

However, in that statute Polish lawmakers have imposed more obligations related to data processing authorisations on data controllers than the GDPR does.
The Sectoral Act explicitly requires that, in specific circumstances, individuals who process data must have written authorisations for data processing issued by the data controller. This applies especially to:

  • processing a special category of data of job candidates;
  • processing a special category of data of employees;
  • processing data concerning the health of people who apply for benefits from a Company Social Benefits Fund.

Additionally, those who are allowed to process the above categories of personal data must be bound to keep them confidential.

Procedure verification and confidentiality obligation

Interpretation of the new Polish laws leads to the conclusion that data controllers have to issue written authorisations to process data only in the situations explicitly prescribed in the Sectoral Act. Otherwise, data controllers have no statutory obligation to issue the authorisations in writing. Nevertheless, in the case of an inspection, they will need to demonstrate that individuals who process personal data act under the controller's authority.

Enterprises which have abandoned written authorisations in the course of adapting their organisations to the GDPR requirements should review their existing procedures in view of the new regulations and adjust in-house regulations and practices to the new laws. In particular, they should issue written authorisations in the instances listed in the Sectoral Act.

Enterprises which have practised individual written authorisations thus far should stick to this solution. It lets them fulfil the new obligations imposed by the Sectoral Act and account for the general "authorisation" to process data in compliance with the GDPR.

Whatever their chosen authorisation system, all enterprises should check whether the individuals who process the categories of personal data specified in the Sectoral Act are effectively bound by the confidentiality obligation.

If you are interested in a GDPR audit, please contact Rödl & Partner experts in Cracow, Gdansk, Gliwice, Poznan, Warsaw or Wroclaw.