Article 28 sec. 3 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) imposes on a personal data controller an obligation to conclude a data processing agreement with any data processor processing personal data on behalf of the controller. Article 28 sec. 9 of GDPR stipulates that such agreement “shall be in writing, including in electronic form”. The written form seems to be clear but in Poland there are some doubts regarding the electronic form.
Pursuant to Article 781 of the Polish Civil Code, “in order to observe the electronic form of an act in law it shall be sufficient to make a declaration of intent in electronic form and provide it with a qualified electronic signature”. However, many companies conclude data processing agreements only by accepting their wording in in the internet. According to the literal interpretation of GDPR it is not correct and in such situation a file with the agreement should be confirmed by a qualified electronic signature.
It seems that it was not the intention of the European Parliament and of the Council. Analyzing practice in other countries, data processing agreements are concluded without any problems via the internet without necessity to use a qualified electronic signature. I suspect that the problem in Poland is resultant from specific definition of the electronic form in the Polish law and use of not fortunate term “electronic form” in the Polish version of GDPR. In other countries an electronic form not necessarily means that an agreement has to be signed by a qualified electronic signature. Use of quite new document form in the Polish law, would be much better solution and would remove many doubts of data controllers.