PRACTICAL ANSWER

An employee's personal data in the form of their first name and surname, business email address and business telephone number are so-called business data closely linked to their professional role. They are subject to limited protection under the GDPR. This limited protection means, among other things, that the data controller, i.e. the employer, may, for example, place those data on a website or in contracts with clients as contact details for the controller's company without the employee's consent. These are not a natural person's private personal data, such as their home address or date of birth, but business personal data closely linked to their professional role. It should therefore be noted that in business contacts between two data controllers, where employees' data are transferred to the other entity in connection with its activities, there is no processing on behalf of another controller within the meaning of Article 28 GDPR, but rather disclosure of personal data. No processing agreement is therefore concluded in this respect.

Nevertheless, the GDPR contains no exemption allowing the information obligation to be waived. Accordingly, it is considered that if one controller has disclosed its employee's personal data for contact purposes, the controller that has received those personal data is obliged to fulfil the information obligation under Article 14 GDPR.

Article 14(5)(a) and (b) GDPR, which set out situations in which a data controller may refrain from providing the content of the information obligation, do not, in the author's view, provide assurance that those provisions would not be challenged by the Polish DPA in the event of an inspection.