GDPR: QUESTIONS AND ANSWERS

Category: DPO Challenges

I am a natural person who does not run a business and I am to be appointed as a DPO in a limited liability company (sp. z o.o.). My proposal to work under a mandate contract (umowa zlecenia) has been questioned by the HR department. They believe it should be a service agreement. Is that correct?

ANSWER

Article 37(6) GDPR does mention a service contract: it provides that the DPO may be a staff member of the controller or processor, or may fulfil the tasks on the basis of a service contract. The service-contract option, however, concerns the so-called external DPO.

An external DPO is understood to be either:

  • a natural person operating their own sole proprietorship; or
  • an entity (company) providing DPO services on an outsourcing basis.

An internal DPO, on the other hand, is a natural person who works within the controller's organization. In such a case, the DPO may be engaged under:

  • an employment contract; or
  • another civil law contract, such as a mandate contract (umowa zlecenia).

This position is also reflected in legal commentaries on the GDPR. As stated in one such commentary:

"The appointment of a DPO requires the controller to decide on the form of engagement – whether the DPO will be an employee of the organization or an external person. When opting for an internal DPO, the controller may choose either employment under labor law or a civil law arrangement, including a mandate contract. When assigning the DPO function to an external person, a service agreement is concluded as part of an outsourcing arrangement. The decision should take into account the organization's data protection needs, HR policies, employment costs, legal liability considerations, and other relevant factors. It should be emphasized, however, that the primary criterion for selecting a DPO should be professionalism in carrying out the role."

— Sakowska-Baryła (ed.), 2018

Summary

A natural person may therefore perform the function of Data Protection Officer (DPO) under a mandate contract (umowa zlecenia). The GDPR does not require an internal DPO to be engaged under a service agreement; that form is reserved for the external DPO.

Source: ODO 24, "Internal DPO on a mandate contract (umowa zlecenia)?"