GDPR questions and answers


Category:
Documentation and Procedures

Must the Personal Data Protection Policy Be Signed, and in What Form Should It Be Adopted?

ANSWER

No article of the GDPR imposes an obligation to sign a personal data protection policy. Only Article 24(1) GDPR indicates that the data controller must implement data protection policies, and it does not specify what those policies should be or what they must contain. The GDPR leaves this to the discretion of data controllers, depending on their business profile.

Nevertheless, given that most data controllers have retained the security policies (which were in force under the 1997 Act on the Protection of Personal Data) and adapted them to the GDPR, it is considered appropriate for such a document to be signed by the data controller at the time of its implementation. In the case of a limited liability company (sp. z o.o.), the document should be signed on behalf of the company by persons authorised to represent the entity.

Therefore, if the company's sole authorised representative is the sole member of the management board, they should sign the policy on behalf of the company, indicating the date from which it comes into force. As regards the form in which such a policy should be implemented, in the case of a company this may be a board resolution (the most commonly encountered form) or alternatively a directive, depending on the manner in which the company takes decisions.
