The General Data Protection Regulation (“GDPR”) was approved on 27 April 2016 and is set to come into force on 25 May 2018. It will replace the EU Data Protection Directive of 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data, as well as the current national legislation on data protection. Although the GDPR will be directly applicable, some national laws will have to be introduced, mostly to adapt existing areas of law to the new data processing regulations.
In particular, the Ministry of Digitization (PL: Ministerstwo Cyfryzacji) has presented proposed changes to the Labour Code. The changes are intended to strengthen the employer's position. For example, the employer now has only the "right to demand" specific personal data from the prospective employee. Under the new rules, the employer will be able to demand this data from the candidate. Additionally, the scope of data to be processed by the employer will change: the databases will no longer contain the names of employees’ parents; instead, the candidate’s email address and phone number may be included.
The employer will also have the right to process the employee's biometric data. However, the biometric data shall be processed only if the employee agrees in writing or by electronic means.
The rules on monitoring in the workplace have also been defined: it may be used by the employer to protect employees, property or inside information. Nevertheless, monitoring must not cover premises where the actual work is not performed, i.e. sanitary premises, dressing rooms, smoking rooms or canteens.
Two crucial changes have been proposed with regard to banking law and banking sector employers. The first enables the bank to verify the criminal history of prospective employees if they would have access to the bank’s and/or clients’ data at work. Moreover, the bank will be entitled to demand and process employees’ biometric data to control their access to information or premises.
Conclusions: Even those who process only employees’ data must be aware that the GDPR will affect their activities. Consequently, employers will have to amend their internal procedures on recruitment and employee documentation. On the other hand, the change in data processing law will enable employers to introduce new monitoring and control measures.