Subject and Keywords:
GDPR ; data protection officer ; employee ; employer ; obligation to perform the commands of the employer ; personal data administrator ; protection of personal data ; atypical employment relationship
In accordance with Article 37(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation — GDPR), the controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 GDPR and personal data relating to criminal convictions and offences referred to in Article 10 GDPR. In other cases, designating a data protection officer is a right of the personal data administrators or processors. In accordance with Article 37(6) GDPR, the data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. Neither the GDPR nor the Polish Law of 10th May 2018 on the Protection of Personal Data defines the legal form for the employment of a data protection officer. It must therefore be assumed that he may be employed under a contract of employment as an employee within the meaning of the provisions of the Polish Labour Code. The provisions of the GDPR set out specific tasks of the data protection officer and assign the officer a special position in the organisational structure of the entity in which personal data are processed.
The data protection officer reports directly to the highest management level of the controller or the processor (e.g. to the head of the organisational unit or to a natural person who is the administrator of personal data). In exercising his statutory tasks, the data protection officer retains wide autonomy and independence in the workplace, and the employer is obliged to ensure that independence in connection with the performance of those tasks. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The main consequence is that the employer's ability to direct the work of the data protection officer by issuing commands is reduced. The data protection officer should accordingly be regarded as employed in an atypical employment relationship.