Can an employee be considered to have completed the necessary data protection training after being familiarized with the content of the Personal Data Protection Policy?
ANSWER
A document such as a Personal Data Protection Policy is an internal document that every data controller should have. This document cannot be made available to all employees for review, but only to those who assist the data controller in fulfilling the obligations imposed on it, including under the GDPR. In principle, such a document should contain information about what data is processed, on what terms, and what security measures the data controller applies; not all of this information may be disclosed to the general workforce. All the more so, providing the Personal Data Protection Policy for reading cannot be regarded as a form of staff training.
Employee training should be tailored to the positions employees hold, to the scope of duties they perform, and to whether they process personal data in the course of their work. A different scope of training should be defined for office staff, another for the IT department, another still for the accounting department, HR department, or cleaning staff. Each department carries out a different scope of personal data processing and has different tasks and competencies. I consider it wrong to assume that familiarization with the content of the Personal Data Protection Policy can replace appropriate training, and I advise against using such an approach.


