Management Board members should be informed about the processing of their personal data
UODO has published on its website an explanation concerning the fulfilment of the information obligation towards persons representing legal entities, including their board members and proxies. While it answers the question of how to fulfil these obligations in an administrative procedure, the Authority’s recommendations should also apply to business-to-business (B2B) contacts.
The Office emphasised that the particulars of members of the Board of Directors representing a legal person, of representatives of legal persons, and of employees who are the contact persons of the legal person are personal data protected by the GDPR, since these are identifiable natural persons.
Therefore, the controller is obliged to fulfil the obligation to provide information to the data subject, unless one of the conditions for waiving this obligation applies.
In the case of persons directly employed by or cooperating with the controller, the information obligation should be fulfilled at the beginning of this cooperation, e.g. on the conclusion of the employment contract.
In practice, fulfilling the information obligation towards persons acting on the side of the contractor will require providing these persons with an information clause when concluding contracts and conducting business contacts.
Until now, it has been common practice to provide an information clause to the employees indicated by the contractor for contact, as well as to its proxies. In the case of members of the Management Board, especially if their personal data covered only the scope indicated in the KRS, this practice was less common.
Data obtained directly from a member of the management board
Where data are obtained directly from a member of the Management Board, e.g. in connection with his participation in the conclusion of the contract, the "standard" information obligation under art. GDPR (the so-called "information clause") applies.
The obligation to provide information may only be waived if the person concerned already has information about the processing of personal data. This may happen in the case of permanent cooperation with a given entity. In this case, the information clause is only needed once – it does not need to be repeated for subsequent contracts (unless, of course, there are changes to the processing of personal data).
Data obtained from other sources
In the case of data obtained not directly from a person, but for example from his or her employer or from publicly available registers, the information clause requires additional disclosure of the source of the personal data, including an indication if it comes from publicly available sources.
However, the controller has more possibilities to take advantage of the exemption from the information obligation. The obligation also does not need to be fulfilled when the provision of information would prove impossible or would require a disproportionate effort.
In its additional explanations of this issue, the Authority pointed out that, in the case of board members, an exemption may be granted if ‘due to the specific nature of their functions and role in the organisation, board members know how the company in which they perform their function and the company’s counterparties process such board members’ data’.
In the case of obtaining personal data from other sources, the time limit for providing the information clause is also longer – it should take place at the first contact with such a person, but not later than one month after the start of processing the data.
What is the easiest way to fulfil the information obligation?
Implementation of the information obligation in a standard form, i.e. a separate document or point in the contract, may prove impractical in this case. Sometimes the information clause can be longer than the contract itself.
However, the President of UODO allows the information obligation to be fulfilled in a simplified form, e.g. using the information in the e-mail footer. Such information can be transmitted in layers – i.e. contain only basic information about the data controller with a reference to the full information clause available e.g. online.
Layered implementation of the information obligation is a good way of reducing the volume of information clauses in the documentation, while retaining the ability to access the full information on the processing of personal data.
In the case of data not obtained directly from persons, fulfilment of the obligation may also be facilitated by attaching information clauses to contracts, together with the contractor’s obligation to provide them to its employees, proxies and board members.