On 21 February 2019, the lower house of the Polish Parliament (Sejm) passed new legislation aimed at ensuring the application of the GDPR. The new act introduces changes to more than 160 legal acts which are relevant to the processing of personal data by businesses from various sectors, including financial, healthcare, telecommunication and e-commerce as well as by public authorities. As far as we are aware, Poland is the first EU Member State to introduce the GDPR to sectoral regulations on such a scale. Now the act is awaiting voting in the upper house of the Parliament (Senat) and the President’s signature.

Key changes affecting businesses are summarised below.

Processing of personal data by employers

  • The amended Labour Code changes the catalogue of personal data that employers may request from employees and candidate employees. In the recruitment process, employers will be able to request information about candidate employees’ education, professional qualifications and previous employment only when it is necessary to perform specific types of work or a specific job.
  • Moreover, the new provisions allow the processing of data that are not specified in the law (in particular in the Labour Code), based on a candidate’s or employee’s consent. However, sensitive personal data will be subject to processing on this basis only if it is provided at the initiative of the candidate or employee, which may cause practical problems about how to interpret “initiative”. Nonetheless, personal data on convictions and violations of law may be processed by employers only in situations when a special provision of law expressly allows it.
  • The principles of video monitoring (CCTV) are further clarified by indicating that, as a rule, CCTV may not cover areas such as changing rooms, canteens or smoking rooms.
  • These changes will affect all employers, regardless of the sector in which they operate. Adapting to the new rules should be a priority for businesses, as according to the annual control plan approved by the President of the Polish Office for Personal Data Protection (“UODO”), in 2019 UODO plans to verify employers in terms of processing personal data recorded using CCTV and in connection with recruitment processes.

Rules affecting marketing activities

  • One of the most important amendments to Polish telecommunications law and the act on the provision of services by electronic means (applicable, in particular, to the e-commerce sector in Poland), is the rule that data protection provisions (i.e. the GDPR) apply accordingly to obtaining consent for e-mail and telephone marketing communications. Businesses should thus verify that their currently used marketing consent forms meet these new requirements.

Processing data in the financial sector

  • Amendments to the banking law will enable banks and other loan providers to make decisions based solely on automated data processing, including profiling for the purposes of assessing credit worthiness and credit risk analysis. Similarly, insurance companies will also be able to profile personal data to assess insurance risk and certain other insurance activities.
  • Companies that carry out profiling operations will, however, not only have to inform persons about the profiling, but will also have to meet additional requirements, including: ensuring that the data subjects have the right to receive explanations regarding the basis of a decision (e.g. refusal to grant a loan), the right to express their own view with respect to the decision, or the right to human intervention.
  • Moreover, thanks to the new provisions, insurers will obtain a clear, statutory basis for the processing of health data for purposes related to the conclusion and performance of an insurance contract. Thus, the previously proposed (and rightly criticised) approach – i.e. basing the processing of such data on the grounds of consent – has been rejected.

Healthcare sector

  • Under an amendment to the Polish act on patient’s rights, if a healthcare service provider has concluded a data entrusting agreement, the execution of this agreement must not disrupt the provision of healthcare services, in particular with regard to ensuring, without undue delay, access to data contained in medical records.