Should there be a data processing agreement with an external DPO performing tasks for the bank?
If we decide to contract an external entity to provide Data Protection Officer services at the bank, should we also enter into a data processing agreement with that entity?
If the controller is a bank, the first thing to keep in mind is that the proper performance of the DPO's tasks involves ensuring that the DPO has access to data covered by bank secrecy. According to the GDPR, the controller must ensure that the DPO is properly and promptly involved in all data protection matters. It must also support the DPO in the performance of his or her tasks referred to in Article 39 by providing him or her with the resources necessary to perform those tasks and with access to personal data and processing operations (Article 38(1) and (2) of the GDPR).
So, in order to properly perform the tasks of the DPO, it is necessary to have access to information regarding the processing of personal data, to the personal data itself, as well as to the processing operations. Therefore, it is worth considering whether the best solution would be to designate a bank employee to perform the function of the DPO. If the DPO is instead a person performing tasks on the basis of a service contract, then Article 6a(1)(2) of the Act Banking Law should apply to such a contract, which will allow the DPO to become familiar with information covered by bank secrecy. This is because, as indicated by Article 104(2)(2)(a) of the Act Banking Law, the obligation of banking secrecy referred to in Article 104(1) of the Act Banking Law does not apply to cases in which the bank, in accordance with Article 6a(1) and Articles 6b-6d, has entrusted the performance, on a permanent or periodic basis, of activities related to banking activities. At the same time, entities and persons employed therein, to whom information covered by banking secrecy has been given or disclosed in accordance with, inter alia, the provision of Article 104(2)(2)(a) of the Act Banking Law, may use such information only for the purpose of concluding and performing the agreements referred to, inter alia, in paragraph 2(2)(a) of the Act Banking Law (Article 104(5) of the Act Banking Law). In addition, pursuant to Article 38(5) of the GDPR, the DPO is required to maintain secrecy or confidentiality as to the performance of his or her tasks in accordance with Union or Member State law.
The performance of the DPO's tasks by a person who is not the controller's employee should be on the basis of a service contract that is not a data processing agreement. Article 37(6) of the GDPR explicitly indicates that the DPO can perform his or her tasks on the basis of a service contract, i.e. he or she does not have to be an employee of the controller (bank). It is therefore permissible to outsource this function, with the subject of the contract with the officer not being the controller's tasks, but the tasks indicated in Article 39(1) of the GDPR. We have written more extensively on this subject on our website under Data Protection Inspector/Designation and status of the DPO, in response to the question "Should a data processing agreement be entered into with an external DPO?"