Personal data administrator - what does he do?


The protection of personal data is an increasingly important matter, one to which not only the legislator but also entrepreneurs attach importance. One of the basic concepts referred to in the regulations is the term personal data administrator. Who is he and what does he do? We explain below.

Personal data administrator - statutory definition

Pursuant to Art. 4 point 7 of the GDPR, the term controller of personal data means a body, organizational unit, entity or person deciding on the purposes and means of personal data processing.


In the case of people running a business, the entrepreneur himself acts as ADO, i.e. the administrator of personal data.

Personal data administrator (ADO) - tasks

The basic tasks of an entrepreneur as a data controller include:

  • application of technical and organizational measures ensuring protection of the personal data being processed, appropriate to the threats and the categories of data protected. The personal data administrator is to ensure, in particular, the protection of data against:

    • disclosure to unauthorized persons,

    • removal by an unauthorized person,

    • processing in violation of the Act, and alteration,

    • loss,

    • damage or

    • destruction;

  • keeping documentation describing the method of data processing and the measures ensuring the protection of personal data.

In addition, one of the most important tasks that can be performed by the personal data administrator is the appointment of a Personal Data Protection Inspector (DPO) - if the provisions oblige him to do so. The DPO must appoint

Public entities, entities processing sensitive data on a large scale and entities whose main activity is the large-scale monitoring of persons are required to appoint a DPO. Other entities may also appoint a DPO, but it is not obligatory for them. However, if they appoint a DPO despite having no such obligation, they should comply with the requirements that apply to the inspector (with regard to the inspector's tasks and role).

Working Group 29, i.e. a team of experts appointed to issue guidelines in the field of GDPR, recommends that an entity which is not obliged to appoint a DPO should prepare documentation justifying this.

The other obligations of the Personal Data Administrator include:

  • ensuring control over which personal data were entered into the personal data file, when and by whom, and to whom these data are transferred;

  • keeping records of persons authorized to process personal data, which should contain such information as:

    • name and surname of the authorized person,

    • the date of granting and termination as well as the scope of authorization to process personal data,

    • identifier, if the data is processed in the IT system.