As of 4 May 2019, the so-called implementing act
comes into force, amending the provisions of more
than 170 laws to align them with the GDPR. The Act
introduces the necessary regulations almost a year
late, but the extra time made it possible to take
into account issues that have arisen in applying
the GDPR in daily practice. The changes cover areas
such as the banking, insurance and financial
sectors, public procurement and environmental
protection regulations; however, the most
anticipated ones pertain to employment law.
Once the implementing act enters into force, the
catalogue of data that an employer may request
from job candidates and employees will change. In
particular, during the recruitment process, data
regarding education, professional qualifications
and employment history may be requested only when
it is necessary to perform a specific type of work
or to take a specific position. The implementing
act also explicitly states that data other than
those listed in the statutory catalogue may be
processed on the basis of the data subject's
consent. So far, the possibility of processing
personal data on the basis of an employee's
consent was questioned because of the imbalance
between the parties to the employment relationship
and doubts as to the voluntary nature of such
consent. The law now allows this legal basis for
processing to be used, except for data pertaining
to criminal convictions and offences, and on
condition that a lack of consent or its withdrawal
does not cause any negative consequences for the
job candidate or employee; in particular, it may
not justify terminating an employment relationship
or refusing to establish one.
On the basis of consent, the controller will also
be able to process the special categories of data
mentioned in Article 9(1) of the GDPR, i.e. data
pertaining to health, political opinions, trade
union membership, biometric data, but only where
the provision of such data is initiated by the
employee or job candidate. An employee's biometric
data may also be processed if providing such data
is necessary to control access to particularly
important information, or access to premises which
require special protection.
With the entry into force of the implementing act,
employers will need to revise their recruitment
questionnaires and their employee personal data
protection policies so that they comply with the
new regulations.
Special categories of data may be processed only
by persons holding a written authorization to
process such data, issued by the employer. Persons
admitted to process such data are obliged to keep
them confidential. For these employee data, the
implementing act therefore introduces an obligatory
written authorization, a document that is not
explicitly required under the GDPR.
The Act on the social benefit fund has also been
amended. Personal data of a beneficiary of the
fund, which are made available to the employer for
the purpose of receiving a service, a benefit or a
surcharge from the social benefit fund and for the
purpose of determining the amount of these
benefits, shall be provided in the form of a
statement. The employer may require the personal
data to be evidenced to the extent necessary to
confirm them. Confirmation may be based, in
particular, on statements and certificates
concerning the life situation (including health),
family situation and material status of the given
beneficiary. Personal data processed by the
employer in connection with the social benefit fund
may be processed for the period necessary for
granting a service, a benefit or a surcharge from
the fund and for determining the amount of the
given benefits, and further for the period
necessary for protecting rights and pursuing
claims. The employer shall review these personal
data not less than once a year in order to
determine whether their storage is still required.
Individuals allowed to process these personal data
on behalf of the employer must hold a written
authorization if the data include special
categories of personal data.
The upcoming changes in the legal provisions are
not the only issue which has recently attracted
entrepreneurs' attention in the privacy area. The
President of the Personal Data Protection Office
has imposed a first financial penalty. The
penalty, amounting to almost one million zlotys,
was imposed on an entity which had not fulfilled
its information obligation towards data subjects
whose data are included in a database of
individuals carrying out business activity,
maintained by this entity. What raises doubts in
this case is that the information obligation in
fact concerned entrepreneurs, whose data came
under personal data regulations only after the
GDPR entered into force, and that the data were
collected from publicly available sources and
entered into the database kept by the penalized
entity before the GDPR entered into force. The
fact that the financial penalty was imposed in
these circumstances may mean that the Polish
supervisory authority takes the view that if the
information obligation had not been fulfilled at
the moment of collecting the data, it should have
been performed once the GDPR became applicable.
MILLER CANFIELD
W. BABICKI, A. CHEŁCHOWSKI I WSPÓLNICY SP.K.
ul. Batorego 28-32
81-366 Gdynia
Tel. +48 58 782-0050
Fax +48 58 782-0060
gdynia@pl.millercanfield.com
ul. Nowogrodzka 11
00-513 Warszawa
Tel. +48 22 447-4300
Fax +48 22 447-4301
warszawa@pl.millercanfield.com
ul. Skarbowców 23a
53-125 Wrocław
Tel. +48 71 780-3100
Fax +48 71 780-3101
wroclaw@pl.millercanfield.com
Disclaimer: This publication has been prepared for clients and professional associates of Miller Canfield. It is intended to provide only a summary of
certain recent legal developments of selected areas of law. For this reason the information contained in this publication should not form the basis of any
decision as to a particular course of action; nor should it be relied on as legal advice or regarded as a substitute for detailed advice in individual cases.
The services of a competent professional adviser should be obtained in each instance so that the applicability of the relevant legislation or other legal
development to the particular facts can be verified.