THE IMPLEMENTING ACT AND FIRST PENALTY IMPOSED – TWO IMPORTANT EVENTS ON THE ANNIVERSARY OF THE GDPR ENTRY INTO FORCE

As of 4 May 2019, the so-called implementing act comes into force, amending the provisions of more than 170 laws due to GDPR regulations. The Act introduces the necessary regulations with almost a year's delay, but this extra time made it possible to take into consideration issues that have arisen in applying the GDPR in daily practice. The changes discussed cover such areas as the banking, insurance and financial sectors, public procurement and environmental protection regulations; however, the most anticipated ones pertain to employment law.

Following the entry into force of the implementing act, the catalogue of data that an employer may request from job candidates and employees will change. In particular, during the recruitment process, data regarding education, professional qualifications and employment history may be requested only when it is necessary to perform a specific type of work or to take up a specific position. The implementing act also explicitly states that data other than those listed in the statutory catalogue may be processed on the basis of the data subject’s consent. So far, the possibility of processing personal data on the basis of an employee’s consent has been questioned because of the imbalance between the parties to the employment relationship and doubts as to the voluntary nature of such consent.

The law now allows this basis for processing to be used, except for data pertaining to criminal convictions and offences, and on condition that a lack of consent or its withdrawal does not cause any negative consequences for a job candidate or employee; in particular, it may not justify termination of the employment relationship or a failure to establish one.

On the basis of consent, the controller will also be able to process the special categories of data mentioned in Art. 9(1) of the GDPR, i.e. data pertaining to health, political opinions, trade union membership and biometric data, but only where the provision of such data is initiated by the employee or job candidate. An employee's biometric data may also be processed if providing such data is necessary to control access to particularly important information or to premises which require special protection.

With the entry into force of the implementing act, employers will therefore need to revise their recruitment questionnaires and employee personal data protection policies so that they comply with the new regulations.

Special categories of data may be processed only by persons holding a written authorization to process such data, issued by the employer. Persons admitted to process such data are obliged to keep them confidential. For these employee data, the implementing act therefore introduces an obligatory written authorization, a document that is not explicitly required under the GDPR.

The Act on the social benefit fund has also been amended. Personal data of a beneficiary of the fund that are made available to the employer for the purpose of receiving a service, a benefit or a surcharge from the social benefit fund, and for the purpose of determining the amount of these benefits, shall be made available in the form of a statement.

The employer may require the personal data to be evidenced to the extent necessary to confirm them. Confirmation may be made, in particular, on the basis of statements and certificates concerning the life situation (including health situation), family status and material status of the given beneficiary. Personal data processed by the employer in connection with the social benefit fund may be processed for the period necessary for granting a service, a benefit or a surcharge from the fund and for determining the amount of the given benefits, and further for the period necessary for the protection of rights and the submission of claims.

The employer shall review these personal data not less than once a year in order to determine whether their storage is still required. Individuals allowed to process these personal data on behalf of the employer must hold a written authorization if the data cover special categories of personal data.

Upcoming changes in the legal provisions are not the only issue which has recently attracted entrepreneurs’ attention in the privacy area. The President of the Personal Data Protection Office has imposed the first financial penalty. The penalty, amounting to almost one million zlotys, was imposed on an entity which had not satisfied the information obligation towards data subjects whose data are included in a database of individuals carrying out business activity, maintained by this entity. What raises doubts in this case is that the information obligation in fact concerned entrepreneurs, whose data came under personal data regulations only after the GDPR entered into force, and that the data were collected from publicly available sources and entered into the database kept by the punished entity before the GDPR entered into force. The fact that the financial penalty was imposed in these circumstances may mean that the Polish supervisory authority is of the view that if the information obligation had not been satisfied at the moment of collecting the data, it should have been performed once the GDPR became applicable.