GDPR Internal Authorizations

A good deal of time has passed since the GDPR* began to apply in the European Union. Many people still use a simplified formula when talking about compliance, saying they are obtaining "consents under GDPR". This is incorrect: consent is only one of the legal grounds for processing, and usually the one that causes the most confusion, which is why experts on personal data protection write about it so regularly. Most people are by now aware of the records of processing activities, data processing agreements and information obligations. One more obligation is worth recalling: authorizations to access data within the controller's or the processor's organization.

In accordance with Art. 29 of GDPR:

The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

Polish jurisprudence (Litwiński 2018) emphasizes that mere access to personal data, and not only further processing, requires appropriate authorization. The act of authorization is less formalized than under the previous regulations, but for evidentiary purposes it is recommended to prepare and archive this documentation. In practice, it is often pointed out that authorizations for access to data should not be issued to the same extent to all employees of the organization if their functions and responsibilities differ; the scope of an authorization should be adequate to the person's tasks, in line with the GDPR principle of data minimization. It is also stressed that both the fact of the authorization and its scope should be known to the authorized person, so the archived documentation should contain a trace of its delivery to that person, for example their signature or a return confirmation. Issuing authorizations in this way gives effect to the principles of integrity and confidentiality, and of accountability.

Authorization templates usually contain the following elements:

  1. Indication of the legal basis on which the authorization is issued (the relevant provision of the GDPR); precise identification of the controller / processor, and the date and place of issuing the authorization
  2. Identification of the addressee, including their position / scope of duties
  3. Identification of the sets or types of data processed by the organization to which the authorization is granted, indicating whether it relates to paper or electronic processing (or both) and the scope of processing (accessing, entering, deleting, changing, disclosing data)
  4. Processing instruction (instructions may also be more detailed)
  5. Determination of when, or in connection with which event, the authorization expires
  6. Signatures

(*) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1)