Skip to main content
Vrtual officeJuly 7, 2026

Virtual office and GDPR — data protection in practice (2026)

How to use a virtual office in line with GDPR: processing agreement (art. 28), address privacy, confidentiality of mail and a compliance checklist.

~7 min read
Virtual office and GDPR — personal data protection

A virtual office is not just an address — it is also an entity that processes your company's data: from the address visible in public registers to the contents of the mail it receives. That is why GDPR applies to this service directly. We explain what data is involved, who is responsible for it, and what to take care of so that using a virtual office complies with data protection rules.

What personal data does a virtual office process

By using a virtual office, you entrust the operator with more data than it seems. There are usually three categories — and each is subject to GDPR.

Address and company data

For a sole proprietorship, the address and your name are personal data — public, among others, in the CEIDG register.

Contents of correspondence

Letters from public offices, banks and contractors contain personal data — yours and third parties'.

Contact details

Phone, email and proxy details provided to the operator for handling.

Controller or processor? The processing agreement (art. 28 GDPR)

This is the most common misconception. Your company is the controller — you decide on the purposes of processing. The virtual office operator that receives and scans letters on your behalf acts as a processor. This relationship requires a data processing agreement (art. 28 GDPR).

Myth vs fact

Mit

Since the virtual office processes the letters, it is responsible for the data.

Fakt

Your company remains the controller — and most GDPR obligations rest on it. As a processor, the operator is liable within the scope set by the processing agreement (art. 28 GDPR) and acts only on the controller's documented instructions.

Mit

A processing agreement is a needless formality.

Fakt

It is a GDPR requirement, not a formality. Entrusting data to a processor without an agreement meeting art. 28 is a breach — and the President of the UODO has imposed fines for it, including for the lack of processor verification alone.

Entrustment or disclosure of data?

These are two different things. Entrustment (art. 28 GDPR) is processing by a processor on your documented instruction and for your purposes — this is how an operator that receives and scans your correspondence works. Disclosure is passing data to an entity that itself decides on the purposes of processing, i.e. a separate controller. What determines the type of relationship is the independence in setting purposes: the postal service and a courier delivering an item are separate controllers, whereas an operator handling correspondence on your instruction is a processor.

What a processing agreement must contain (art. 28 GDPR)

A standard office-service contract is not enough — entrusting data requires a separate document. A good processing agreement specifies several things.

01
A separate document compliant with art. 28 GDPR

A standard office-service contract does not replace a processing agreement — a separate document governing the processing of personal data is needed.

02
Scope and categories of data

The agreement must specify which categories of data are processed in mail handling (e.g. data from letters and invoices), for what purpose and for how long.

03
Physical and digital safeguards

The operator must apply appropriate security measures (art. 32 GDPR): among others lockable, secured cabinets, access control to correspondence and encryption of scans.

04
Retention and destruction

Documents and items are kept only for as long as necessary to provide the service, and afterwards securely destroyed or returned.

05
Processing only on your instruction

The operator may process data solely on the controller's documented instruction and within the agreement — not for its own purposes (art. 28(3) GDPR).

06
Sub-processing only with consent

Using further subcontractors (sub-processors) requires your consent and imposing the same data protection obligations on them.

07
Confidentiality, audit and assistance to the controller

Persons processing the data are bound by confidentiality; the operator provides the information needed to demonstrate compliance and allows an audit or inspection.

Company address and privacy protection

For a sole proprietorship, the registered address is public in the CEIDG register. If you run your business from home, that means publishing your private address — which is personal data. A virtual office lets you provide the service address instead of your home, limiting the exposure of your data.

Czytaj również

A business address for a freelancer in Warsaw

For freelancers and sole traders, address privacy is often key.

Przeczytaj artykuł

Confidentiality of correspondence and data security

Data protection is not only GDPR. Confidentiality of correspondence is guaranteed by art. 49 of the Polish Constitution, and unlawfully opening or reading someone else's mail is a criminal offence (art. 267 of the Penal Code). A professional operator also applies the technical and organisational security measures required by GDPR (art. 32).

Czytaj również

Business mail handling in a virtual office

See how secure mail collection and scanning work in practice.

Przeczytaj artykuł

What to ask the operator — a GDPR compliance checklist

Checking the operator before entrusting data is the controller's obligation directly under art. 28 GDPR — you must make sure it provides 'sufficient guarantees' of appropriate safeguards. In practice a security questionnaire or a few questions serve this purpose, and the check should be repeated periodically.

  • Will you sign a data processing agreement (art. 28 GDPR)?
  • Who — and how — has access to the correspondence and its scans?
  • How long are letters and scans stored, and how are they deleted?
  • What technical and organisational safeguards does the operator apply (art. 32 GDPR)?
  • Does the operator use sub-processors and does it inform you about it?
  • Is the data processed solely within the EEA?

How The Nest protects data

The Nest runs a virtual office at 49 Piękna Street in Warsaw with a staffed reception that receives and secures correspondence. On request we conclude a data processing agreement, and access to letters and scans is limited to authorised persons.

A GDPR-compliant virtual office in central Warsaw

The Nest receives, scans and secures your company's correspondence at a prestigious address at 49 Piękna Street — with a processing agreement and a staffed reception. Virtual office packages from PLN 109/mo.

See the virtual office packages

Frequently asked questions

If the operator processes personal data on your behalf (e.g. scans correspondence containing data), a data processing agreement compliant with art. 28 GDPR is required. It is an obligation, not an option — your company remains the controller.

Your company is the controller, because it decides on the purposes and means of processing. The virtual office operator acts as a processor and processes data solely on your documented instruction, within the scope of the processing agreement.

It helps protect privacy. For a sole proprietorship the registered address is public in the CEIDG register, so providing the office address instead of your home limits the publication of private data. It does not, however, remove the other GDPR obligations.

The operator scans letters on your instruction, in line with the agreement. Confidentiality of correspondence is protected by art. 49 of the Polish Constitution, and unlawfully reading someone else's mail is a criminal offence (art. 267 of the Penal Code). Access should be limited to authorised persons.

It depends on the operator — so it is worth asking about the retention time, security measures (art. 32 GDPR) and whether the data stays within the EEA. A reliable operator describes these rules in the processing agreement.

No. Each controller is a party to the processing agreement in its own right. An agreement signed by one company does not automatically cover subsidiaries or your separate business — unless the parent company acts under a power of attorney. Every entity whose data the operator handles needs its own basis for entrustment (art. 28 GDPR).

Yes. Verifying the processor is the controller's obligation under art. 28 GDPR — you must ensure the operator provides 'sufficient guarantees' of appropriate safeguards. A security questionnaire or questions about safeguards serve this purpose, and the check should be repeated periodically. The President of the UODO has fined companies for failing to do it.

Sources and legal basis
  1. [01]Regulation (EU) 2016/679 (GDPR), art. 28 (processing on behalf of a controller).
  2. [02]Regulation (EU) 2016/679 (GDPR), art. 32 (security of processing).
  3. [03]Constitution of the Republic of Poland of 2 April 1997, art. 49 (secrecy of communication).
  4. [04]Act of 6 June 1997 — Penal Code, art. 267 (breach of confidentiality of correspondence).
  5. [05]Act of 10 May 2018 on the Protection of Personal Data.
  6. [06]Decisions of the President of the Personal Data Protection Office (UODO) on processing agreements and processor verification (e.g. DKN.5131.29.2022, DKN.5131.35.2021).

Legal status: July 2026. This material is for information purposes only and does not constitute legal advice. If in doubt about the controller's obligations, consult a lawyer or a data protection officer.

Share this article