personal data, GDPR, entrepreneurs

Provision of personal data to public institutions 

Krzysztof Grabowski, Data Protection Officer
11/3/2020
A large number of entrepreneurs receive requests for access to personal data from public institutions. What data should be provided in such a situation and how can they be made available?

Requests for access to personal data which entrepreneurs receive from public institutions, such as the Social Insurance Institution (ZUS) or institutions offering social assistance, most often concern:

  • employees
  • contractors
  • suppliers
  • debtors
  • clients

All such requests should be treated with as much caution as requests from other companies or natural persons. Each request for access to data should also be examined in detail to assess whether it can be fulfilled.

Request for personal data - what does it consist of?

Typical elements of a data request are:

  • internal marking of the request
  • names of the parties to the request
  • legal basis for the data collection
  • purpose or intended use of processing the data provided
  • designation or name of the file from which data are to be collected
  • extent of the requested information from the file

Legal basis for obtaining personal data

We know from experience that most mistakes are made when determining the legal basis for obtaining personal data. The legal basis should always be checked to confirm that it is accurate and up to date. First of all, Article 6 (c) of the GDPR should be indicated, followed by the specific provision under which processing the data is necessary to fulfil a legal obligation. The choice of the appropriate regulation depends on the category of institution requesting access to personal data. The most frequently used provisions include:

  • Family Benefits Act
  • The Act on the Alimony Recipients' Assistance
  • Police Act
  • Code of Criminal Procedure Act
  • Act on Employment Promotion and Labour Market Institutions

It is important to provide only as much data as the situation requires.

Errors in the request for personal data

What should you do if the received request for access to personal data contains errors? First of all, ask the applicant to correct them, e.g. errors in the legal basis, the scope of the data or the purpose for which the data are provided.

How should personal data be provided to a public institution?

If the request for personal data does not specify the method of transmission, the method should be chosen so that, first and foremost, the data filing system is adequately protected in line with the internal procedures for personal data processing.

Example: If you receive a request for personal data in an unencrypted message, it is good practice to send the data back in encrypted form and to provide the password to the file through another communication channel.

Krzysztof Grabowski
Data Protection Officer
Crowe