GDPR questions and answers

Category:
Documentation and Procedures

Must separate data processing authorisations be issued to commission members, and must the information obligation under Arts. 13 and 14 GDPR be fulfilled with respect to them?

ANSWER

At present no provisions impose an obligation to grant commission members a separate authorisation to process data, although this may appear in the implementing Act (such "special" authorisations are provided for, for example, in the Labour Code and the Act on Company Social Benefit Funds). With regard to fulfilling the information obligation towards:

  • commission members: they may be our employees, B2B contractors, or external individuals (e.g., when we engage a specialised entity to handle reports) – we fulfil the information obligation towards these individuals on general terms; we are the controllers of their personal data (even when they are formally employees of the aforementioned specialised entity, in my assessment we are a separate controller of their data insofar as they perform report-handling services for us, processing their data for our own purposes);
  • the person making the report: we of course fulfil the information obligation upon collecting the data (unless the report is anonymous, in which case we have no such possibility);
  • the person who is the subject of the report: we fulfil the information obligation, but note that, pursuant to recital (84) of the Directive, "Member States should ensure the effectiveness of this Directive, including, where appropriate, by restricting – by means of legislative measures – the exercise of certain data protection rights of persons who are the subject of a report, in accordance with Art. 23(1)(e) and (i) and Art. 23(2) of Regulation (EU) 2016/679, to the extent and for as long as this is necessary to prevent and address attempts to obstruct reporting, to obstruct, hinder or slow down follow-up actions, and in particular investigative proceedings, or attempts to identify reporting persons". I believe we may assume that the Polish Act will provide for situations where we should not fulfil the information obligation towards the person who is the subject of the violation, so as not to obstruct the investigative process.

Pursuant to Art. 14(5)(b) GDPR, the indirect information obligation need not be fulfilled where it may render impossible or seriously impair the achievement of the processing purposes. This may occur, for example, where disclosure of such information to the person under investigation would seriously jeopardise the needs of the investigation, for instance where there is a risk of destruction of evidence. The CNIL (the French supervisory authority) recommends that in such cases information be provided as soon as the risk has been avoided. In this context, the EDPS recommends documenting the reasons for any restrictions on fulfilling the information obligation (for the purposes of any actions by the supervisory authority). These reasons should confirm that there was a high risk that providing the information referred to in Art. 14 GDPR would have impeded the procedure or violated the rights and freedoms of other persons. It is also important that information about the sources of personal data, within the scope of the obligation under Art. 14 GDPR, should not reveal the personal data of the whistleblower or third parties. The CNIL indicates in this regard that after a report has been made, if disciplinary or legal proceedings are initiated against the relevant individual, that person may obtain such information under the rules of ordinary law (in particular the right of defence).

Whistleblowers – authorisations and information obligations under GDPR | ODO 24