I. Introduction
The beneficiary register constitutes one of the foundational administrative instruments within the Polish family foundation (fundacja rodzinna) framework. As an internal evidentiary document, it serves dual functions: facilitating the proper administration of distributions to beneficiaries while simultaneously enabling compliance with public law obligations, particularly those arising under tax legislation.
This analysis examines the legal architecture governing beneficiary registers, with particular attention to the interplay between statutory requirements and data protection obligations under the General Data Protection Regulation (GDPR). The discussion proceeds in six parts, addressing successively the register’s legal significance, mandatory elements, data processing bases, discretionary data collection, formal requirements, and ongoing administrative obligations.
II. Legal Significance and Declaratory Nature
The beneficiary register operates in a purely declaratory capacity—a distinction of considerable practical importance. Entry onto the register does not constitute the beneficiary’s status; rather, it merely confirms rights that exist independently by operation of the foundation’s charter (statut). Conversely, removal from the register does not, ipso facto, extinguish entitlements that derive from charter provisions.
This declaratory character positions the register as an auxiliary informational tool rather than a constitutive legal instrument. The foundation’s charter remains the primary source of beneficiary rights, with the register serving an evidentiary and administrative function subordinate to the charter’s substantive provisions.
III. Mandatory Elements of the Register
A. Statutory Requirements
The governing legislation prescribes minimum data categories that must appear on every beneficiary’s register entry. These mandatory elements may be classified into three functional categories.
B. Identification Data
For natural persons, the register must contain the individual’s full legal name. Identification proceeds through the PESEL number (Poland’s universal electronic population registration system) or, alternatively, the NIP (tax identification number). Beneficiaries lacking Polish tax identifiers—a circumstance arising most frequently with non-resident individuals—must be identified through passport or other identity document details, including document number and series, issuing country, and parental forenames.
Where the beneficiary is a non-governmental organization rather than a natural person, the register must reflect the entity’s official designation and appropriate institutional identifiers.
C. Contact Information
The statute mandates inclusion of either a residential address or an address for service of process. As a matter of prudent administration, foundations would be well-advised to obtain electronic mail addresses and telephone numbers, particularly given the increasingly mobile character of modern beneficiaries who may frequently change their physical location.
D. Entitlement-Related Information
The register must contain data necessary for the realization of specific distributions. This category encompasses bank account details, documentation substantiating eligibility for particular charter-based entitlements (such as certificates of continuing education or medical records for health-related distributions), and notation of any special communication requirements the beneficiary may have.
IV. Legal Basis for Data Processing
A. The Distinction Between Consent and Legal Obligation
The processing of data enumerated in Article 32(1) of the Family Foundation Act proceeds on the basis of a legal obligation incumbent upon the data controller, pursuant to Article 6(1)(c) of the GDPR. This classification carries significant practical implications: the foundation requires no consent from beneficiaries to collect and process mandatory information—a written declaration of disclosure suffices.
This distinction warrants emphasis. The beneficiary’s declaration serves to convey data to the foundation; it does not constitute consent within the meaning of data protection legislation. The foundation possesses both the right and the obligation to process mandatory data irrespective of the beneficiary’s subjective preferences regarding such processing.
B. Implications for Foundation Administration
The legal obligation basis for processing liberates foundation administrators from the complexities attending consent-based processing, including the ever-present possibility of consent withdrawal. For mandatory data categories, the foundation’s processing authority derives from statutory mandate rather than individual permission, providing a stable and predictable framework for register administration.
V. Discretionary Data and Its Limitations
A. Scope of Permissible Additional Processing
With beneficiary consent, foundations may process personal data beyond the statutory minimum, provided such processing is justified by the necessity of safeguarding beneficiary rights and interests or by obligations arising under the charter. The consent mechanism for discretionary data falls within the GDPR Article 7 regime, permitting withdrawal at any time. Upon withdrawal, the foundation must cease processing the specific data categories to which withdrawn consent pertained.
B. Absolute Prohibitions
Certain data categories remain entirely beyond the foundation’s processing authority, regardless of consent. Data concerning criminal convictions and offenses, as contemplated by Article 10 of the GDPR, may under no circumstances be processed by the foundation—an absolute prohibition that admits of no exception even where the beneficiary affirmatively wishes to provide such information.
VI. Form and Security Requirements
A. Medium of Record-Keeping
The legislation affords foundations discretion in selecting between paper and electronic formats for register maintenance. Regardless of the chosen medium, the manner of maintenance must guarantee four essential qualities: confidentiality (protection against unauthorized access), integrity (safeguards against unauthorized modification), completeness (preservation of all required elements), and accessibility (availability of data when operationally necessary).
B. Practical Security Measures
In practical terms, these requirements translate into specific administrative protocols. Paper documentation should be maintained in locked cabinets with controlled access. Electronic records require encryption and appropriate access controls to prevent unauthorized entry. The foundation bears responsibility for implementing technical and organizational measures proportionate to the risks attending the data it processes.
VII. Verification, Review, and Ongoing Obligations
A. Documentary Verification Rights
The foundation possesses authority to demand documentation substantiating data necessary for distribution performance. This power extends to requiring presentation of identity documents for verification of basic identification data, as well as documentation confirming eligibility for specific charter-based entitlements.
B. Annual Review Obligation
The management board bears a statutory obligation to conduct data reviews no less frequently than annually. The purpose of such review is to ascertain whether continued retention of particular information remains necessary. Data whose retention no longer serves the protection of beneficiary rights or the discharge of charter-based obligations must be deleted without undue delay.
C. Data Subject Notification Requirements
As data controller, the foundation must provide each beneficiary with prescribed information concerning the administrator’s identity and contact details, the purposes and legal basis of processing, the categories of data undergoing processing, and the rights available to data subjects, including rights of access and rectification.
VIII. Post-Dissolution Custody
Upon foundation dissolution, documentation—including the beneficiary register—passes to a custodian designated in the charter or by resolution of the beneficiary assembly. Where no such designation exists, the registry court appoints an appropriate custodian. This arrangement ensures continued protection of personal data and preservation of records that may retain legal significance following the foundation’s termination.
IX. Interface with Tax Authorities
The beneficiary register serves as an information source for the National Revenue Administration (Krajowa Administracja Skarbowa). Pursuant to Article 84 of the governing statute, tax authorities may demand transmission of register data. This public law dimension of register maintenance produces two significant consequences: first, the charter may not exclude the obligation to collect statutorily prescribed data; second, the competence to maintain the register may not be delegated to any entity other than the management board.
X. Conclusion
The beneficiary register, though auxiliary in legal character, occupies a position of considerable practical importance within the Polish family foundation framework. Its proper maintenance requires careful attention to the distinction between mandatory and discretionary data elements, the differing legal bases for processing each category, and the ongoing administrative obligations attending register management. Foundation administrators who appreciate these distinctions will be well-positioned to discharge their statutory duties while avoiding the pitfalls that attend improper data handling in an era of heightened regulatory scrutiny.
