GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49, (5)); and,
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Poland
Poland’s Personal Data Protection Act went into effect with the GDPR on May 25, 2018. The Act includes a few requirements that employers should be aware of.
First, the Act sets rules that video recordings can be used in the context of employment if it’s necessary to protect employees, property, production or confidential data (Article 111). Note, video recordings can’t be used in certain areas such as break-rooms and bathrooms. In order to use video recordings:
- the recordings can only be used for their original purpose;
- the method, scope and objectives are set in a collective agreement (or, if there is no collective agreement, employees are informed);
- employees must be notified in writing in advance of starting employment or, are provided with at least two-week’s notice if it’s a new system;
- signs or sound-notices must be located in the recording area;
- and, data must be deleted within 3 months of the recording, unless there is a legal claim.
Data Protection Officers
The Act also requires that businesses register their Data Protection Officer with the Polish Office for the Protection of Personal Data within 14 days of appointment or change.
Employee and Applicant Data
Separately, the Labor Code lays out the personal information that an employer may collect from an applicant and employee. Employers can request the following personal data from job applicants and employees: name, name of parents, date of birth, residential address, education, employment history.
Employers may also require the following from hired employees: other personal data including surnames and dates of birth of employee’s children if it’s required for employees to exercise rights provided by the labor law; PESEL number (government I.D.); and, other legally necessary data.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.