Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship. There are more prescriptive requirements for obtaining consent under the General Data Protection Regulation, including the ability to withdraw consent at any time.
The legitimate interest of employers can sometimes be invoked as a legal ground for processing personal data, but only if the processing is strictly necessary for a legitimate purpose and the processing complies with the principles of proportionality and subsidiarity. A proportionality test should be conducted in order to consider whether all data collected is truly necessary, and measures must be taken to keep personal data processing limited to the minimum necessary.
Clear communications should be provided to employees, informing them how their personal data is being processed. Where possible, such as in the event of monitoring technologies, employees should be given the option to prevent their data from being captured. Where employees are expected to use online applications which process personal data, they should consider enabling employees to designate certain private spaces to which the employer may not gain access under any circumstances, such as a private mail or document folder.
Allowed Employee and Applicant Data in Poland
The Polish Labor Code lays out the personal information that an employer may collect from an applicant and employee.
Employers can request the following from job applicants: name and surname, date of birth, contact information (as provided by the applicant), education, occupational qualifications and employment history.
When requesting education information, occupational qualifications or employment history from job applicants, the data should only be collected if directly related to the position or to the performance of specific work. Generally, employers can collect this information, except when hiring for work that doesn’t require any special education, training or experience.
Employers can collect the following from hired employees: personal data including surnames and dates of birth of employee’s children (if required for employees to exercise rights provided by the labor law); residential address; PESEL number (or other document type and number for the purpose of verifying identity); education and employment history; payment account number (if employee hasn’t applied for direct payment); and, other legally necessary data.
Under the Labor Code, the consent of a job applicant or employee may form the grounds for processing special categories of personal data, only when the data is processed upon the initiative of the job applicant or employee. For example, biometric data generally requires an employee’s consent, except when necessary to control access to especially important information or areas where the disclosure of that information can be detrimental to an employer (ex. important R&D labs).
Criminal convictions and offences related data cannot be collected on the basis of an employee’s consent, and can only be collected when explicitly permitted by binding legal provisions.
Video Recordings and Email Correspondence
Video recordings are allowed under the Labor Code if necessary to protect employees, property, production or confidential data (Article 111). When necessary to use video monitoring in locker rooms, sanitary rooms (i.e. bathrooms), canteens or smoking rooms, the monitoring should not violate employees’ dignity or interests. Prior consent from either the trade union organization or official employee representative is required to monitor sanitary rooms. Note, recordings can’t be used in areas made available to trade union organizations.
In order to use video recordings:
- the recordings can only be used for their original purpose;
- the method, scope and objectives should be set in a collective agreement, workplace regulations or, in an announcement (when an employer is not subject to a collective agreement or isn’t required to adopt workplace regulations);
- employees must be notified in writing in advance of starting employment or, be provided with at least two weeks’ notice if it’s a new system;
- signs or sound-notices must be located in the recording area;
- and, data must be deleted within 3 months of the recording, unless there is a legal claim which justifies longer-term storage.
Under the Labor Code, employers can monitor email when necessary to ensure the organization of work, full use of working time or, the appropriate use of work tools made available to an employee. The monitoring can’t violate the secrecy of correspondence or the personal interests of the employee. Similar to video recording requirements, certain conditions must be met to use email monitoring.
HR Best Practices: As consent on its own might not be enough to justify lawful processing of employee personal data, other processes should be documented and implemented. Consider legitimate requirements, such as those outlined in Poland's Labor Code. Commit to properly informing employees, documenting legal rationales for data collection and offering consent/correction/deletion where possible.