The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
Poland’s Personal Data Protection Act went into effect with the GDPR on May 25, 2018. The Act, along with the Polish Labor Code, includes a few requirements that employers should be aware of.
The Polish Labor Code lays out the personal information that an employer may collect from an applicant and employee. Employers can request the following from job applicants: name and surname, date of birth, contact information (as provided by the applicant), education, occupational qualifications and employment history.
When requesting education information, occupational qualifications or employment history from job applicants, the data should only be collected if directly related to the position or to the performance of specific work. Generally, employers can collect this information, except when hiring for work that doesn’t require any special education, training or experience.
Employers can collect the following from hired employees: personal data including surnames and dates of birth of employee’s children (if required for employees to exercise rights provided by the labor law); residential address; PESEL number (or other document type and number for the purpose of verifying identity); education and employment history; payment account number (if employee hasn’t applied for direct payment); and, other legally necessary data.
Under the Labor Code, the consent of a job applicant or employee may form the grounds for processing special categories of personal data, only when the data is processed upon the initiative of the job applicant or employee.
Biometric data generally requires an employee’s consent. Poland’s Labor Code allows employers to process employee biometric data without consent when necessary to control access to especially important information, where the disclosure of that information can be detrimental to an employer or, in order to access areas requiring special protection (such as data centers and important R&D labs).
Criminal convictions and offences related data cannot be collected on the basis of an employee’s consent, and can only be collected when explicitly permitted by binding legal provisions.
Video recordings are allowed under the Labor Code if necessary to protect employees, property, production or confidential data (Article 111). When necessary to use video monitoring in locker rooms, sanitary rooms (i.e. bathrooms), canteens or smoking rooms, the monitoring should not violate employees’ dignity or interests. Prior consent from either the trade union organization or official employee representative is required to monitor sanitary rooms. Note, recordings can’t be used in areas made available to trade union organizations. In order to use video recordings:
Under the Labor Code, employers can monitor email when necessary to ensure the organization of work, enabling the full use of working time or, the appropriate use of work tools made available to an employee. The monitoring can’t violate the secrecy of correspondence or the personal interests of the employee. Similar to video recording requirements, certain conditions must be met to use email monitoring.
The Act also requires that businesses register their Data Protection Officer with the Polish Office for the Protection of Personal Data within 14 days of appointment or change.