Alternative title:

The legal situation of a data protection officer employed under an employment relationship — selected issues

Subject and Keywords:

GDPR   data protection officer   employee   employer   obligation to perform the commands of the employer   personal data administrator   protection of personal data   atypical employment relationship


Volume title: Założenie racjonalnego prawodawcy w polskim porządku prawnym. Księga Jubileuszowa z okazji siedemdziesięciopięciolecia Wydziału Prawa, Administracji i Ekonomii Uniwersytetu Wrocławskiego


In accordance with the provisions of Article 37(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation — GDPR), the controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 GDPR and personal data relating to criminal convictions and offences referred to in Article 10 GDPR. In other cases, the designation of a data protection officer is the right of the personal data administrators or processors. In accordance with the provisions of Article 37(6) GDPR, the data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. Neither the GDPR nor the Polish Law of 10th May 2018 on the Protection of Personal Data defines the legal form for the employment of a data protection officer. It must therefore be assumed that he may be employed under a contract of employment as an employee within the meaning of the provisions of the Polish Labour Code. The provisions of the GDPR set out specific tasks of the data protection officer and designate a special position in the organisational structure of the entity in which personal data are processed.
The data protection officer reports directly to the highest management level of the controller or the processor (e.g. the head of the organisational unit or a natural person who is the administrator of personal data). The data protection officer, in the exercise of his tasks under the law, retains wide autonomy and independence in the workplace, and the employer is obliged to provide him with independence in connection with the performance of his tasks. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The main consequence of this is a reduced possibility of managing the work of the data protection officer through the commands of the employer. It should be considered that the data protection officer is employed in an atypical employment relationship.

Place of publishing:



Wydawnictwo Uniwersytetu Wrocławskiego

Date issued:


Date copyrighted:


Resource Type:



ISSN 0239-6661   ISSN 0137-1134




pol   eng


Acta Universitatis Wratislaviensis, ISSN 0239-6661, No 3978. Przegląd Prawa i Administracji 2020, 120, cz. 2, s. 573-589

Is version of:

Czasopisma Naukowe w Sieci (CNS)

Access rights:

The use of this material is allowed only in accordance with applicable rules of fair use or other exceptions provided by law, and any broader use requires the permission of the authorized entity


Making materials available on the basis of the agreement with the owner of the property copyrights

Rights holder:

Copyright by Wydawnictwo Uniwersytetu Wrocławskiego Sp. z o.o.