Commissioned processing under Polish data protection law

In accordance with the provisions of the Personal Data Protection Act, the controller may delegate the data processing to another entity (data processor). In order to do so, a written contract between both of the parties will be necessary. The agreement should specify the scope and the purpose of data processing and the processor must only process the data as determined. Prior to processing, he/she has an obligation to provide security measures protecting the data filing system as described in the Chapter 5 of the Personal Data Protection Act and to fulfil the requirements specified in the Regulation 2004.

The liability for compliance with the data protection laws remains with the controller, however, the contracting party (processor) will hold liability if the data are processed in a way that is incompatible with the contract. The processors that are not established within the territory of Poland are obliged to appoint their EU representative (art. 31a PDPA). Furthermore, they may be subject to inspections performed by the Inspector General. Such inspections aim at checking the compliance of processing with the data protection laws and are described in art. 14-19 PDPA.