Drafts of the new Polish Personal Data Protection Act ("PDPA Draft") and Provisions Implementing the Personal Data Protection Act (“Amending Act Draft”) were published on 14 September 2017. The Amending Act Draft amends 133 sectoral acts, in this client alert we describe changes to the Labour Law. The drafts are now subject to social consultations. The proposed regulations are to ensure the successful implementation of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR").
PDPA DRAFT - WHAT IS NEW
There are several important changes proposed in the PDPA Draft. Firstly, a new state agency will be created: the Personal Data Protection Office. Conditions and procedures have been established for the appointment of personal data protection inspectors, i.e., new bodies whose authority will be similar to that of the present Administrator of Information Security. Two-instance proceedings regarding the violation of data protection regulations will be reduced to a single instance. Proceedings will be pursued based on the provisions of the Code of Administrative Procedure.
Personal data processors will be subject to certification in order to confirm the lawfulness of their operations, which can include audits. Under the PDPA Draft, audit proceedings conducted by the President of the Personal Data Protection Office will take a maximum of 30 days. Additionally, applicable criminal regulations will be adjusted. Any prevention or obstruction of audits will be treated as a petty offence while any processing of sensitive data without an appropriate legal basis will be judged under the Code of Criminal Procedure. Administrative fines may be imposed in specific cases.
Lastly, a person whose rights under the Personal Data Protection Act have been infringed may demand that such actions be terminated and that the infringer take action to remove their effects. Such person may also assert additional claims for infringement of personal data protection regulations.
KEY AMENDMENTS TO LABOUR CODE
The Labour Code needs to be amended to implement GDPR. The Amending Act Draft slightly extends the current list of personal data which an employer may request from an employee. Pursuant to the Amending Act Draft, such data also includes the address or telephone number of a job applicant. However, in order to process the data after the conclusion of an employment agreement, the employee must give his/her consent. Additionally, the Amending Act Draft permits the employer to process other data, such as biometric data, provided that it relates to the employment relationship and the job applicant or employee consents to the processing in written or electronic form. The Amending Act Draft prohibits the processing of data concerning addictions, health or a natural person's sex life or sexual orientation, even in cases in which the employee has given consent.
However, an employer is allowed to request further data, including biometric data or data concerning addictions or health, if the obligation to provide such data results from separate legal provisions or it is necessary for the purposes of carrying out an employer's legal obligations. The processing of such data is permissible only to the extent necessary for the performance of these obligations.
The Amending Act Draft permits an employer to introduce visual monitoring for the purpose of ensuring employee safety, protection of employer property, and maintaining secrecy of information, the disclosure of which could expose the employer to damage. However, such monitoring may not be used as a tool for controlling an employee's work performance. Monitoring is prohibited in rooms not dedicated to work, in particular bathrooms, cloakrooms, and/or canteens. An employer must inform employees about the introduction of monitoring 14 days (at the latest) before the monitoring is activated.