How does the situation look with a company worker on a B2B contract? If they handle the personal data of the company's employees, should a data processing agreement be signed with them?

ANSWER

This issue was addressed by the President of the Personal Data Protection Office in the document of October 2018 — Personal data protection in the workplace. A guide for employers.

According to the guide: "Where the controller also uses civil-law forms of employment (including self-employment), and persons employed in this way in effect, when processing personal data, use the controller's means and organisational solutions (e.g. systems, premises), and moreover do so on the controller's instruction, authorisation should also be regarded as a condition permitting data processing. The controller, in accordance with the accountability principle, should be able to demonstrate that authorisation to process data was granted. In such situations, as a rule, there is therefore no entrustment of data processing."

In summary, it is necessary to assess whether persons with whom a B2B agreement has been concluded are subordinate to the controller, use its infrastructure and carry out the controller's instructions — if so, granting authorisation to process data will be justified. If however the cooperating person's independence is very great, the person independently decides on methods of performing tasks or, for example, may employ subcontractors, concluding a data processing agreement will be necessary.