GDPR: QUESTIONS AND ANSWERS

Category: Documentation and Procedures

Must employee authorisations to process personal data specify exactly which activities listed in the record of processing activities the given employee is authorised to carry out?

ANSWER

The GDPR does not prescribe any particular form for the controller's instruction to process personal data (Art. 29 and Art. 32(4) GDPR), and therefore none for employee authorisations to process personal data either. Each authorisation should accordingly be tailored to the realities and needs of the specific organisation. What matters most is that the actual scope of the authorisation can be established unambiguously; in practice this means keeping the authorisation in step with the duties assigned to the employee and with the access rights actually granted in the organisation's IT systems, so that a change of position or the end of the contract triggers both a review of the authorisation and a corresponding change of access. Below we provide an example template drafted for maximum flexibility: it does not refer to the record of processing activities, but is instead closely linked to the scope of duties and the contract of the specific employee.

AUTHORISATION TO PROCESS PERSONAL DATA

As of ......... I authorise Ms/Mr ......... (name and surname of the authorised person) to process personal data administered by the Controller or entrusted to the Controller for processing, in paper form and within the scope of the access granted in IT systems, in accordance with the scope of professional or contractual duties performed in the position held and in accordance with the instructions issued by the Controller.

At the same time, together with the authorisation granted, I oblige Ms/Mr ......... to comply with personal data protection regulations and the Personal Data Protection Documentation in force in the Organisation.

This authorisation expires at the latest on the date of its revocation or on the date of termination or expiry of the employment contract, contract of mandate, contract for specific work, or any other civil-law contract binding Ms/Mr ......... to the Organisation.

_____________________________

(on behalf of the Controller)

EMPLOYEE DECLARATION

I, the undersigned, hereby declare that:

  • I have read and will comply with the personal data protection regulations and the Personal Data Protection Documentation in force in the Organisation,
  • I will keep confidential any personal data to which I have access in the course of performing my professional or contractual duties, including by not using them for purposes other than those related to my professional or contractual activities, both during the period of employment or cooperation and after it ends, for a period of 10 years and thereafter indefinitely,
  • I will keep confidential all methods of securing personal data known to me.

I acknowledge that conduct contrary to the above undertakings may be treated by the Controller as a serious breach of basic employee duties within the meaning of Art. 52 § 1(1) of the Labour Code, as a breach of the criminal provisions on personal data protection, or, in the case of a civil-law contract, as a flagrant breach of contractual obligations.

_____________________________

(signature of the authorised person)

As a side note to the above considerations, it is worth mentioning that even the necessity of granting authorisations in written form is disputed in the legal literature (leaving aside the explicit obligations under Art. 22(1b) § 3 of the Labour Code and Art. 8(1b) of the Act on Company Social Benefit Funds, which require written authorisations in the situations they specify).

Employee authorisations to process personal data – a flexible approach | ODO 24