On 14 September 2017, long-awaited drafts of new laws adjusting the provisions of Polish law to the Regulation (EU) 2016/679 – General Data Protection Regulation (“GDPR”), which will take effect on 25 May 2018.
The draft law comprises: (1) the draft of a new personal data protection law, and (2) a draft of a new law setting out the legal provisions implementing the personal data protection law, which introduces amendments to 132 legal acts, including the Labour Code, and the law on the company’s social benefit fund.
New basis for personal data processing
Distinction between the personal data of persons applying for jobs (candidates for employment) and actual employees was preserved. At the same time, the legislator proposed crucial changes that relate, first and foremost, to the legal basis and the catalogue of data processed.
The new version of the provisions indicates that collecting certain types of data on candidate, including data related to educational backgrounds or employment records, will be obligatory (the words “the employer may request” will be replaced in the new provisions by the phrase “the employer demands”). The same applies to the employee data collected by employers, such as the personal identification number (PESEL). The data will be available for processing to an extent required to perform the employment relation only. At the same time, the processing of contact data collected from candidate employees, such as their mailing addresses, e-mail addresses or telephone numbers, upon commencing their employment relations, will be admissible only if authorized by the given employees.
The draft law resolves the currently controversial issue, namely, the possibility to obtain a valid consent of the (candidate) employee for the processing of his / her personal data which is outside the statutory catalogue stemming directly from the provisions of the Labour Code. At the same time, the draft law specifies that the processing of such additional data is admissible only when it pertains to employment relations. Additionally, the lack of such consent will not be the basis for any unfavourable treatment of the individual applying for a position or an employee and cannot entail any negative consequences for them. A consent is to be granted in the form of a declaration made on paper or in electronic form.
The draft law contains a reservation that it will not be possible to collect data regarding addictions, health condition, sexual life or sexual orientation, unless the obligation to provide such data stems from any separate provisions of law or the provision thereof is required to fulfil any employer’s obligation imposed by law.
According to the draft provisions of law, an employee’s consent is to become a crucial (sufficient) basis for the processing of biometric data, namely, a fingerprint, iris image or voice sample, for example. The collection of biometric data will only be possible in the case of employees since the authors of the draft law found that there was no justification for employers to use any biometric data of any candidates for employment. General terms of obtaining the employee’s valid consent will apply. Consequently, a refusal to grant such consent or the revocation of such consent will not be the basis for any negative consequences for the person involved. The draft law provides that the terms of collecting and safeguarding the biometric data will be defined in a separate regulation.
Extended catalogue of data
The draft law also expands the catalogue of personal data to be processed by the employer. A new option it offers is the possibility to process the type and number of an identity comment in a situation where an employee does not have the personal identification number (PESEL) (which is particularly important when hiring non-Polish citizens) or the processing of the aforementioned biometric data.
The proposed regulation of monitoring operations at a work place is another crucial issue. Monitoring, which is construed as a particular type of surveillance at the work place or in the area surrounding an employing facility in the form of some technical means with an image recording function will be admissible as a tool to be used by the employer to provide for the safety of employees or property protection, or the protection of any confidential information, the disclosure of which might expose the employer to the risk of damage.
The amended law also introduces a catalogue of limitations for the use of such solutions. Namely, monitoring cannot be used as a means of controlling work performed by the employee or cover any premises that are not intended for performing work, and, especially, any sanitary premises, cloak rooms, canteens or smoking rooms. Personal data obtained as a result of using monitoring will be available for processing by the employer exclusively for the purposes for which it has been collected and will be stored only for the time period required to fulfil such purposes. Before resorting to monitoring, an employer will be required to duly inform employees of his intent to do the same.
Company Social Benefit Fund
The drafted provisions implementing the Personal Data Protection Law also provide for changes of the basis for the processing of personal data of the individuals using the benefits of the Company’s Social Benefit Fund (PL: ZFŚS). Such persons will grant their consent for providing their personal data, as well as the personal data of their family members or other persons sharing a household with them. The catalogue of such data is to be open-ended and include, in addition to such persons’ names, surnames, birthdays, the degree of kinship and the address of residence, also other data that is required to determine what is the life, family and economic situation of persons eligible like. A consent should always be expressed with due respect for the employee’s liberty in grating the same.
Evaluation of the proposed changes
As a rule, the changes proposed in the published legislative portfolio should be assessed to be a step in the right direction.
There is no doubt that the proposals are aimed to meet the needs voiced by employers as to the demand for a wider scope of data to be processed as compared to the scope of data which is currently processed, including the data processed on the basis of the employees’ consents. However, in view of the objections that are voiced both by the EU regulators and consultative bodies as to the possibility of an employee expressing free consent, we may expect the discussions of the proposed amendments to continue. It is worth noticing here that, for example, the amended provisions of German law stipulate that the employee’s consent will be expressed only when the equal status of both parties is preserved, which will take place, in general, when the expression of the employee’s consent means some favourable, legal or economic consequences for the employee.
The pre-defined catalogue of “obligatory” and “prohibited” data stimulates transparency in the sphere of employer powers. However, the proposed regulation still has some significant drawbacks that may undermine the justifiability of certain solutions adopted in the reform. For example, if the processing of biometric data is to be contingent on the employee’s voluntary consent, it is not clear whether it will be possible to introduce certain solutions based on biometry ii, e.g. in the field of restricted access to certain areas.
Additionally, the amended law does not contain any provisions that would regulate the common practice of exchanging employee related data in corporate groups, which means that the general provisions of the GDPR will apply in that respect. Adopting an employee’s consent as the basis for personal data processing for the purposes of using the company’s social benefit fund should also be assessed negatively.
At the time of preparing this publication, the first draft of the set of amendments to legal acts was sent to public consultation and directed to the institutions concerned for their opinion. In order to provide for the full consistency of the Polish legislature with the provisions of the GDPR, the amendments to these legal acts must become effective by 25 May 2018.