
ASI and ZASI vs. additional obligations under GDPR

When an Alternative Investment Company (“ASI”) and its Alternative Investment Company manager (“ZASI”) start their operations, it is necessary to develop and implement appropriate regulations in the field of personal data protection in order to ensure that data processing complies with GDPR.

Since ASI and ZASI are interdependent, their procedures and documents regarding personal data protection should be consistent with each other. Note, however, that two separate data controllers are still needed in this case.

For situations in which many actors are involved in the processing of data and interact with each other, the legislator provided for joint controllers of personal data. Article 26 section 1 of GDPR states that where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.

However, the controllers cannot jointly determine the purposes arbitrarily. GDPR imposes additional obligations on the joint controllers. It requires them to define, by common agreement and in a transparent manner, the scope of their responsibilities under GDPR, including in particular the exercise of the rights of the data subject and the controllers’ obligations in this respect.

Therefore, if a data subject requests the data controller, i.e. ASI, to exercise one of their rights: the right of access (Article 15 GDPR), the right to rectification (Article 16 GDPR), the right to be forgotten, i.e. the right to erasure (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR), the right to data portability (Article 20 GDPR), the right to object (Article 21 GDPR), or, for example, the right not to be subject to automated individual decision-making, including profiling, which produces legal effects concerning the data subject or similarly significantly affects them (Article 22 GDPR), nothing prevents ZASI from assuming responsibility in this respect (such an arrangement is even advisable given the mutual relations between the entities).

Nevertheless, the rules of conduct and competences of the joint controllers should be clearly and properly defined, as a clear division of responsibilities is essential for the performance of the tasks of the supervisory authority, i.e. the President of the Personal Data Protection Office. This follows mainly from the elementary principle of data processing which each controller must observe, i.e. the principle of accountability referred to in Article 5 section 2 of GDPR, which concerns compliance with the basic standards and obligations imposed on the controller under applicable law.

Note that the legislator introduced severe sanctions for infringements of personal data protection rules. The penalties imposed by the supervisory authority in this respect can amount to up to EUR 20 million or up to 4% of the company’s annual worldwide turnover. Note also that the list of severe penalties imposed, in the order of many millions, has been growing recently. Therefore, it is advisable to ensure that the procedures implemented by the data controller are in line with the applicable requirements, in particular GDPR.


Mariusz Maksis, attorney-at-law