How should self-employed individuals and those working under mandate contracts (“umowa zlecenie”) be classified under data protection law? Is it necessary to enter into a data processing agreement (DPA) with them, or is it sufficient to simply authorize them to process data?

From the perspective of the GDPR, the legal form of employment (or cooperation) is of secondary importance. The key factor is whether the individual—whether self-employed or working under a mandate contract—performs data processing activities under the control and full responsibility of the engaging party. For example, this would be the case if the person works exclusively on-site, uses the employer’s equipment, and follows their instructions. In such a scenario, the individual should be treated like an employee and merely authorized to process personal data.

However, if the person operates independently—for instance, using their own equipment and also providing services to other entities—then a data processing agreement should be concluded, just as would be required with any other processor.