Abstract

This article examines the Polish Personal Data Protection Office’s decisions issued in cases where breaches of data protection occurred within controllers’ cooperation with processors. The authors identify a number of issues that these decisions have brought to light, including the wording of a data processing agreement, assistance in fulfilment of a controller’s duties, audits and inspections, supervision of changes in IT systems, and the data protection breach response. For each of these issues the authors attempt to unravel the Office’s expectations as regards the allocation of responsibilities between the controller and the processor, remarking that sometimes the expected allocation disturbs the balance between the contracting parties.