The basic rules concerning processing of personal data are set forth in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation (GDPR)) and in the Act on Personal Data Protection of 10 May 2018, which transposes some provisions of the GDPR to the Polish legal system. There are also specific regulations on processing the personal data of employees and candidates in the Labour Code of 26 June 1974.
i Requirements for personal data processing
An employee's consent for the employer to process personal data is not necessary if the personal data is processed in relation to the employment agreement (with regard to the personal data indicated in Article 22¹ of the Labour Code).
Processing of employee personal data can also be based on other legal grounds, such as necessity for the performance of the employment contract (Article 6.1.b of the GDPR), necessity for compliance with a legal obligation to which the employer is subject (Article 6.1.c of the GDPR) or the legitimate interests of the employer (Article 6.1.f of the GDPR). The employer is required to inform employees of the processing of their personal data and to provide them with the information required by Article 13 of the GDPR (e.g., the purposes and legal grounds of the processing, the recipients of the data and the employees' rights under the GDPR).
Under the GDPR, employers are obliged to maintain records of data processing activities, to implement appropriate technical and organisational measures to ensure a level of security of personal data appropriate to the risk, and to ensure that any individual who has access to employees' personal data (acting under the authority of the employer) processes it only on instructions from the employer. However, there is no obligation imposed on employers to register the processing of employees' personal data with the data protection authority (DPA).
ii Cross-border data transfers
With respect to cross-border transfers of employees' personal data, registration of the transfers with the DPA is not required. However, the DPA's consent is required for a transfer of personal data if the destination country does not ensure an adequate level of personal data protection in its territory and none of the conditions allowing a transfer to such a country, as indicated in the GDPR, is met (e.g., the explicit consent of the data subject, or the necessity of the transfer for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the data subject's request). The consent of the DPA is not required for transfers of personal data to third countries based on the EU Model Clauses, or for transfers of personal data to US entities that have obtained certification under the EU–US Privacy Shield Framework. Transfers of personal data can also take place on the basis of Binding Corporate Rules approved pursuant to the procedures established in the GDPR.
As stated above, the employee's consent may potentially be one of the grounds on which a transfer can be effected without the DPA's consent; however, because it may be questioned whether an employee's consent was freely given, owing to the nature of the employment relationship, obtaining the DPA's consent to a transfer of employees' personal data, or implementing the EU Model Clauses or Binding Corporate Rules, is considered the safe approach.
iii Special categories of personal data
The processing of special categories of personal data is allowed only in the cases explicitly indicated in the GDPR. Employers are allowed, and indeed obliged, to process particular health information that relates to occupational health. The GDPR introduces the definition of special categories of personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation. Under the GDPR, processing of special categories of personal data is prohibited as a rule and allowed only in certain cases, for instance if it is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment and social security and social protection law, insofar as it is authorised by EU or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and interests of the data subject. Processing based on the data subject's consent is also allowed, and such consent does not have to be given in written form. Processing of personal data relating to criminal convictions and offences or related security measures can be carried out only under the control of an official authority or when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.
iv Background checks
As a rule, unless specific types of jobs are involved, Polish law does not allow background checks on employees, including criminal record or credit checks. The Labour Code specifically lists the information that the employer may request from the employee, in particular date of birth, education, previous employment and parents' names.