20.05.2025

The problem is not the GDPR regulations, but their practical application

Non-governmental organisations, even relatively small ones, may process vast amounts of personal data, including data belonging to special categories that are subject to heightened legal protection. Therefore, in the work of NGOs, it is important to maintain a risk-based approach and continually expand knowledge regarding personal data protection. A useful tool for proper implementation of GDPR principles may be a code of conduct.

On May 13, 2025, a plenary session of the Public Benefit Activity Council was held at the Chancellery of the Prime Minister, during which a debate took place titled "GDPR in non-governmental organisations? Time for simplifications?" The event was attended by Monika Krasińska, Director of the Law and New Technologies Department at the Personal Data Protection Office.

Fewer obligations for NGOs?

In the introduction to the discussion, its moderator Andrzej Rybus-Tołłoczko, a member of the Social Team of Experts to the President of the Personal Data Protection Office, outlined the basic GDPR obligations of public benefit organisations. He also addressed the problems associated with applying this legal act, including complex procedures and excessive documentation.

Each participant in the debate could respond to two questions:
Is it possible to simplify the GDPR-related obligations for non-governmental organizations?
What legal changes could be introduced in this regard?

The bright and dark sides of the GDPR

Director Monika Krasińska, addressing these issues, pointed out that the problem does not lie in the GDPR regulations themselves, but in the inability to apply them in practice. Third sector entities often overinterpret the law, and their actions tend to be overly formalistic.

Meanwhile, the GDPR defines basic principles of personal data protection, sets out the goals to be achieved, and introduces a risk-based approach, giving controllers greater freedom and flexibility in their actions.

However, the fact that a given entity is a public benefit organisation does not mean that the processing of personal data by it does not pose risks to individuals’ rights and freedoms, or that the risks faced by NGOs are lower than those faced by other data controllers.

Just as with businesses, such organisations should not be assessed solely on the basis of their size, as they may process enormous amounts of data, including the special categories of data referred to in Articles 9 and 10 of the GDPR, which require enhanced protection. Processing such data involves significant risks.

Risk assessment – the key to GDPR

Director Krasińska noted that the European Commission is currently working on simplifying documentation requirements under the GDPR.

A preliminary opinion on these proposals was expressed by the European Data Protection Board, of which the President of the Personal Data Protection Office is a member, and the European Data Protection Supervisor, in a joint letter sent to the European Commission on May 8, 2025. The letter emphasised that even very small companies may be involved in high-risk processing, which is why it is important to maintain a risk-based approach. Importantly, risk analysis and data protection impact assessments should be carried out not only by the controller, but also at the legislative stage. This makes it possible to demonstrate the necessity of processing personal data in a specific way, for specified purposes and within a specified scope.

Meanwhile, when the GDPR entered into application, the national laws governing the functioning of the third sector (the Foundations Act, the Law on Associations, and the Act on Public Benefit Activity and Volunteer Work) were not reviewed for their compliance with the GDPR. It would therefore be appropriate to conduct such an assessment and consider whether there is a need to amend them, including through systemic changes.

Code of conduct as a compass

An important initiative supported by the Personal Data Protection Office is the development of a code of conduct for non-governmental organisations. As Director Krasińska stated, such a document is a set of rules approved by the President of the Personal Data Protection Office that indicate how to apply the GDPR and sectoral laws in specific situations. It also helps to eliminate the risk of misinterpreting legal provisions, inappropriate data processing, or introducing unnecessary data processing activities. This enables a high level of data protection while allowing organisations that adhere to the code to focus on their core activities.

Continuous education

However, one must not forget the importance of continuous knowledge development. Regular training is essential to ensure effective personal data protection. As Director Krasińska assured, the Personal Data Protection Office will continue its information and educational activities. She encouraged organisations to take advantage of them.