The study discusses the principles of awarding benefits under the Company Social Benefits Fund (original Polish name: Zakładowy Fundusz Świadczeń Społecznych) from the point of view of legitimacy of the processing of personal data. The con-ducted analysis covers the present legal framework in force in Poland, taking the European Union law – GDPR – into consideration. Given the local specificity of the institution in question, the article does not include references to regulations adopted in other countries. The article proposes two theses. One is that the award-ing of benefits under the CSBF with the participation of representatives of the stakeholder community, especially in the area of hardship benefits, should be based on anonymised applications. Documents proving the circumstances acting as the grounds to apply for a benefit to be true should be verified by an employer’s authorised representative in charge of employee welfare initiatives. The other thesis is that copies of documents proving the legitimacy of application for a social benefit, especially in the area of hardship benefits, should be kept by the data controller – meaning the employer – for a period during which Polish tax authori-ties and Social
Insurance Institution (ZUS) may verify the legitimacy of application of the impost law. In this case, this refers to the practice of non-payment of the tax on the awarded benefits and the social insurance contributions. The conclusions the said theses lead to are significant to the practical application of law, and because they are controversial, they may pave the way for a further academic discourse.