What about companies providing occupational health and safety (OHS) training? There are differing views on whether a data processing agreement should be concluded with such an entity.
ANSWER
On mandatory occupational health and safety (OHS) training, the President of the Personal Data Protection Office has adopted a position: https://archiwum.uodo.gov.pl/pl/225/1736
According to the Polish DPA's position, determining whether a data processing agreement should be concluded with an entity conducting OHS training requires case-by-case analysis.
The Polish DPA pointed out that an external company conducting mandatory OHS training may act, for data processing purposes, as the organiser of training, whose obligations were set out in the Regulation of the Minister of Economy and Labour of 27 July 2004 on training in the field of occupational safety and health. The Polish DPA therefore concluded that an external company conducting mandatory OHS training and thereby fulfilling obligations set out in the regulation is an independent data controller, so there is no need to conclude a data processing agreement with that company.
A different assessment may, however, apply where the employer opts for training that raises employees' qualifications. In that case it is necessary to assess who takes decisions on key matters related to the training: whether the employer merely directs employees to the training, or also decides on its course, whether the training takes place at the employer's premises, and whether the employer's materials are used during the training.
A data processing agreement should also be concluded with OHS companies where they perform other duties on behalf of the employer, i.e. where they maintain OHS documentation for the employer, post-accident reports, or records of accidents at work.


