ABI, i.e. the Information Security Administrator: how to register one?


The information security administrator, abbreviated as ABI, is a natural person appointed by the data controller who, generally speaking, is responsible for ensuring compliance with the provisions on the protection of personal data. What are the tasks of an information security administrator? Should the ABI be reported to the GIODO register? Is it possible to appoint a deputy ABI? We explain below.

Information Security Administrator (ABI) Tasks

The ABI performs two basic tasks in the company: ensuring compliance with the provisions on the protection of personal data and keeping a register of the data files processed by the data controller.

The minimum scope of the ABI's duties is defined by the legislator. The provisions allow the data controller to extend the ABI's powers, provided that this does not interfere with the performance of the basic obligations provided for in the Act.


An ABI may only be a natural person who:

  • has full legal capacity and enjoys full public rights;

  • has appropriate knowledge in the field of personal data protection;

  • has not been punished for an intentional crime.

Is ABI subject to notification to the GIODO register?

If the data controller decides to appoint an information security administrator (ABI), the controller is obliged to register the ABI with GIODO within 30 days of the appointment.

Importantly, an ABI appointed before January 1, 2015 (i.e. before the amendments to the Act came into force) should have been reported to GIODO by June 30, 2015. GIODO does not impose penalties for reporting an existing ABI after this date. Therefore, an ABI can now be registered at any time, but a legally appointed ABI should be registered within 30 days.

It should be remembered that the data controller is still not obliged to appoint an ABI.


The information security administrator may be appointed on the basis of an employment contract, mandate contract or contract for the provision of services.

How to report an ABI to the GIODO register?

The notification of an ABI to GIODO, pursuant to Art. 46 sec. 2 of the Act on the Protection of Personal Data, should include:

  • designation of the data controller and the address of its seat or place of residence, including the identification number of the register of entities of the national economy, if assigned to it;

  • data of the information security administrator:

    • first name and last name,

    • PESEL number or, if this number has not been assigned, the name and number of the document confirming identity,

    • correspondence address, if different from the data controller's address;

  • date of appointment of the ABI;

  • declaration of the data controller that the information security administrator meets the conditions specified in Art. 36a paragraphs 5 and 7 of the Act.

Art. 36a of the Personal Data Protection Act

Paragraph 5. The information security administrator may be a person who:

  • has full legal capacity and enjoys full public rights;

  • has appropriate knowledge in the field of personal data protection;

  • has not been punished for an intentional crime.

Paragraph 7. The information security administrator reports directly to the head of the organizational unit or the natural person who is the data controller.

GIODO developed the ADO and ABI search engines.

Deputy Information Security Administrator

Where a company has several branches or wants to relieve the current information security administrator, it may appoint a deputy. This is permitted under Art. 36a paragraph 6 of the Personal Data Protection Act.

The deputy information security administrator, like the ABI, must meet the requirements of Art. 36a paragraph 5 of the Act.

Importantly, the Personal Data Protection Act does not require ABI's deputies to be registered with GIODO.