
Under certain conditions, a third-party data processor can carry out the information obligation for the data controller (employer)

2025.03.31

Employers often use third-party processors to perform various services (for example, to carry out recruitment, to receive whistleblower reports or to provide training). 

However, a data-processing entrustment agreement is not necessary in every case. 

Agreements entrusting the processing of personal data are only necessary when the data is processed by an external entity in the name of the data controller, who also specifies the purposes and gives instructions. Such an external entity is commonly referred to as a data processor. 

Under Articles 13 and 14 of the DPA, compliance with the information obligation towards data subjects is the data controller's responsibility. This takes the form of a document commonly referred to as an ‘information clause’.

However, there are times when the processor is the primary contact with the data subjects and, for organisational reasons, it would be better for the processor to actually implement the information obligation. 

In DPA (Data Protection Authority) Bulletin No 02/02/25, it was confirmed that “the processor may support the controller in the implementation of the information obligation.” 

In order for this to legally take place, the controller should:

  • give express instructions to the processor (this may be in the wording of the entrustment agreement);
  • provide instructions on the performance of this obligation (in what form – a link to the content of the clause on the controller's website, an attached PDF, etc.);
  • maintain full control over the content and scope of the information obligation.

In practice:

  • the controller will provide the processor with the content of the information clause (e.g. in an annex to the processing outsourcing agreement), or
  • the processor will develop a template information clause and submit it to the controller for approval. 


The liability for a faulty implementation of the information obligation will always lie with the controller. This cannot be evaded in any way. The processor is not administratively liable, as the information clause is not its duty.

A contractual penalty can be written into the contract, but when entering into the contract it will be very difficult to estimate the amount.

Therefore, if the data controller has entrusted the performance of an administrative duty to a data processor, it must perform elementary acts of diligence to verify whether and how that duty is being performed, e.g. by checking the visibility and content of the clause in the system for receiving applications or candidate applications.


 

Find more in the PRO HR March 2025.