Should committee members be issued separate authorisations to process personal data for the purpose of handling the committee's cases/activities, and do we fulfil the information obligation (Articles 13 and 14 GDPR)?
ANSWER
At present, no provision requires issuing committee members with a separate authorisation to process data; however, such an obligation may appear in the act implementing the Directive (similar special authorisations are provided for, for example, in the Labour Code or the Act on the Company Social Benefits Fund). As regards fulfilment of the information obligation towards:
- committee members: these may be our employees, B2B contractors or external persons (e.g. where we engage a specialised entity to handle reports). We fulfil the information obligation towards these persons on general terms, as we are the controller of their personal data (even where they are formally employees of the specialised entity mentioned, in my view we are a separate controller of their data to the extent that they perform services for us related to handling reports, since we process their data for our own purposes);
- the person making the report: we of course fulfil the information obligation when obtaining the data (unless the report is anonymous, in which case we have no possibility of doing so);
- the person concerned by the report: we fulfil the information obligation, but note that under Recital 84 of the Directive, "Member States should ensure the effectiveness of this Directive, including, where appropriate, by restricting, by means of legal provisions, the exercise of certain rights of data protection of the person concerned by the report, in accordance with Article 23(1)(e) and (i) and Article 23(2) of Regulation (EU) 2016/679, to the extent and in so far as is necessary and proportionate to prevent and address attempts to hinder the making of reports, to hinder, obstruct or delay follow-up action, in particular investigations, or to identify the person making the report". I think we may assume that the Polish act will provide for situations in which we should not fulfil the information obligation towards the person concerned by the breach, so as not to hinder the investigation.
Under Article 14(5)(b) GDPR, the information obligation that applies where the data were not obtained from the data subject (the "indirect" information obligation) need not be fulfilled where doing so would be likely to render impossible or seriously impair the achievement of the purposes of the processing. This may be the case, for example, where disclosing such information to a person subject to an investigation would seriously jeopardise the needs of the investigation, for instance where there is a risk of destruction of evidence. CNIL (the French supervisory authority) recommends that in such cases the information be provided without undue delay once the risk has passed.
In this context, the EDPS recommends documenting the reasons for any restrictions related to fulfilment of the information obligation (for the purposes of possible supervisory authority action). These reasons should confirm that there was a high risk that providing the information referred to in Article 14 GDPR would hinder the procedure or infringe the rights and freedoms of other persons. It is also important that informing about the sources of personal data, within the obligation under Article 14 GDPR, should not disclose the personal data of the whistleblower or third parties. CNIL indicates in this regard that after a report is made, if disciplinary or court proceedings are initiated in relation to a given person, that person may obtain the relevant information in accordance with general law provisions (in particular the right of defence).