The Polish draft data protection law
The Polish government has formally approved the draft Data Protection Act (DPA). The main purpose of the draft law is to implement the GDPR and ensure its application, but also to set a new legal and procedural framework for the Polish Data Protection Authority. The draft law has been forwarded to the Polish Parliament and may yet come into effect on time by 25 May 2018.
The legislative work is being coordinated by the Ministry of Digitalisation, which is concurrently working on another, equally important piece of legislation which will amend a number of other acts (including the Labour Code, Telecommunications Act, E-Commerce Act, Copyright Act ) to the extent necessary to make them consistent with the GDPR.
The new Data Protection Authority regulatory framework
Currently the powers of the Polish Data Protection Authority (PDPA) are rather limited, both for legal reasons (the DPA is not entitled to impose fines) and practical ones (budget limitations). There is no doubt that the GDPR will bring a significant change to the status and the role of PDPA. Under the DPA, the PDPA President will be entitled to appoint three deputies (as opposed to only one under the current law) which reflects the wide range of new regulator responsibilities under the GDPR. The draft law also provides for a new consultative body, the Data Protection Council, which will support the PDPA President. Some of the DPA's powers will go beyond Article 58 of the GDPR. For example, the PDPA will be in a position to issue an interim ban on processing a pending an investigation, provided that an infringement of the data protection provisions is substantiated and further processing may result in serious consequences which would be difficult to remedy.
One of the current issues is the lengthy timescale of PDPA proceedings, which may, in practice, take years. In order to resolve this issue, the draft DPA provides that there will be no right to appeal against decisions at the level of the PDPA although there will still be the right to appeal to the administrative court. This change has very practical consequences as it means that, in principle, all decisions of the PDPA will be final and, therefore, immediately enforceable. Having said that, there is a significant exception to this where fines are imposed.
Processing of employee data
The GDPR will bring significant amendments to the current regulations on processing employee data. Currently under Polish law, the scope of personal data of an employee which may be processed by the employer is stipulated in Article 22(1) of the Polish Labour Code, which states that the employer may request:
- name and surname;
- names of parents;
- date of birth;
- place of residence (mailing address);
- education history; and
- employment records.
An employer may also require the PESEL identification number and other personal data of an employee, as well as the names and surnames and dates of birth of his/her children, if necessary to exercise special rights to which an employee is entitled under Polish labour law. Other personal data may only be processed if a separate legal provision allows the employer to do so.
The current position is controversial and unsuitable for the needs of modern employment relationships and technological development, yet there may not be any lawful basis for processing other data in an employment context. Employee consent is not an ideal solution to this issue. Pursuant to some decisions of the Polish administrative courts, consent given by an employee to their employer cannot be regarded as being freely due to the intrinsic imbalance in the employment relationship.
This issue has been dealt with under the GDPR - recital no. 155, unambiguously states that Member States may allow for personal data in the employment context to be processed on the basis of employee consent (although this language is not reflected in Article 88). The draft PDPA provides for major amendments to the Polish Labour Code in this particular respect: processing personal data of an employee which is not specifically allowed for under the Labour Code will be generally permitted where:
- the candidate/ employee consents to it; and
- the processing is advantageous to the candidate/employee.
Whether or not the second element is satisfied, is subject to an assessment by both parties to the employment relationship, but the final say will rest with the candidate/employee, who will either provide or refuse to provide the personal data in question. Failure to provide consent cannot result in any unfair treatment of the employee or any other negative consequences (including refusal to recruit or terminate the employment agreement).
Processing special categories of personal data will only be permissible if it is necessary for the employer to carry out statutory obligations. However, an employee can give valid consent to the processing of biometric data, if processing of such data is necessary to control access to particularly important information, the disclosure of which would be damaging to the employer (for example, to control access to rooms which require particular protection).
If necessary to ensure the safety of employees or employer assets, to supervise production or to maintain confidentiality of information, the employer may use technical means of image registering (e.g. video monitoring) subject to: further requirements with regards to informing employees of such measures; data retention (in principle up to three months); and some other exceptions (e.g. image registering will not be possible in sanitary premises, smoking rooms, cloakrooms or rooms used by trade unions). Furthermore, under certain circumstances the employer will be entitled to monitor company email accounts of employees, provided that this does not interfere with correspondence secrecy and the employee's personal rights (such as privacy).
Poland's initial approach to the introduction of restrictions with regards to rights and obligations under the GDPR caused something of a stir. The issue which made headlines was the planned exemption for micro, small and medium-sized enterprises in relation to their obligations to provide data subjects with certain information, the data subject right of access and breach communication obligations. This sparked a fierce public debate and much criticism by various stakeholders including lawyers, academics, the head of the current PDPA, NGOs, and even the European Commission itself, which argued that the planned exception did not meet the requirements under Article 23 GDPR. In addition, the suggested threshold (250 employees) was criticised as being too high as it would have covered the majority of Polish entrepreneurs. As a result of the debate, the intended exemption was first watered down and eventually entirely removed from the draft DPA.
The Polish legislator also intended to make use of the option under Article 8 GDPR to lower the age of digital consent from 16 to 13, however, this idea has also been abandoned.
The draft DPA still envisages some exemptions for bodies/entities which exercise public powers – they may, under certain circumstances, be exempt from the obligation to inform data subjects about further processing for other purposes, from the information obligations where data is collected from other sources than the data subject, as well as from subject access requirements. In addition, fines which may be imposed by the PDPA on public sector bodies are likely to be capped at around EUR 25,000 (PLN 100,000).