On 4 May 2019, the provisions of the Act amending certain acts in connection with ensuring the application of the GDPR entered into force.
This ‘Act implementing the GDPR’, which is intended to ensure the correct application of the GDPR in Polish legislation, amends around 170 acts to the extent that these acts address the issue of personal data. Among these changes is a new version of the provisions of the Labour Code on the processing of personal data of candidates for employment, as well as of employees already on board.
These changes can be listed in the following way:
1. changes in the scope of the basic catalogue of personal data that may be requested by the employer from candidates and employees;
2. the regulation of the processing of ordinary and sensitive data of the candidate and the employee;
3. clarification of the rules for video monitoring at the workplace.
1. BASIC DATA CATALOGUE
From 4 May onwards, the employer may not require the applicant to provide parents’ names. Instead, the employer will require the applicant to provide contact details (e-mail address, telephone number). At present, however, the employer may draw on a wider catalogue of data than before to assess the suitability of a given person for the position they apply for: apart from previous education and employment, the employer may also demand a description of professional qualifications, but only if it is necessary to perform work in the position applied for by the candidate.
The reservation introduced by the legislator is nothing more than a sanctioning of the principle of personal data minimisation expressed in the GDPR, i.e. limiting the data that are processed.
The catalogue of data collected from an employee who successfully passed the recruitment process was also modified. The employer may collect from the employee the data that were not collected at the stage of recruitment (i.e. the address of residence, education and the course of previous employment).
Moreover, the employer, as in the previous legal status, requires the employee to provide: PESEL number (or, if there is none, identity document), other employee data, as well as data of children and family members of the employee – if their provision is necessary for the employee to exercise special rights provided for in the labour law.
A novelty is the explicitly stated right to request the payment account number in order to pay the remuneration.
Basic data catalogue – employer’s obligations
Changes in the scope of the basic catalogue of personal data make it necessary to verify the documentation used by the employer in the recruitment and employment processes. Employers should adapt to the new regulations not only the recruitment forms and personal questionnaires, but also the human resources systems where the data of candidates and employees are processed.
2. ‘OTHER DATA’ – I.E. DATA BEYOND THE BASIC DATA DIRECTORY
Legal basis for the processing of ‘other data’
In special cases, the employer shall be entitled to demand that the candidate and the employee provide ‘other data’ than the data from the ‘basic catalogue’. Such a request is only permitted if it is necessary to exercise the right or to comply with the law. If the employer cannot justify the collection and processing of ‘other data’ with such rights or provisions of law, then the only basis for legalising the processing of data outside the closed ‘basic directory’ is the consent of the candidate or employee.
At the same time, the legislator categorically determined that data concerning convictions and infringements of the law cannot be processed even with the consent of the candidate or employee. Thus, the legislator explicitly eliminates controversies related to the illusory voluntary nature of ‘consent’ to the processing of data on the candidate’s or employee’s criminal record.
Since the consent to process ‘other personal data’ must meet the requirements of the GDPR consent (i.e. voluntariness, clarity, awareness and concreteness), it is unacceptable to force the consent, and its lack or withdrawal cannot cause any negative consequences in the area of labour law for either the candidate or the employee.
‘Other data’ may be collected and processed on the basis of consent, either at the initiative of the candidate or employee themselves or at the request of the employer, but only if the data belong to the ordinary data catalogue. A good example is an image:
(a) a photograph attached to the CV at the initiative of the candidate,
(b) or a photo on the company’s website which is requested by the employer.
Image data go beyond the basic catalogue of data strictly indicated by the legislator. They are also not necessary for the exercise of any right or fulfillment of a legal provision.
However, with regard to data from the so-called ‘sensitive data’ catalogue (such as data revealing ethnicity, race, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data), the legislator categorically determines that, apart from the fact that the data processing is still based on the consent of the candidate or employee, such data may be processed only at the initiative of the candidate or employee. This could be the case, for example, when a candidate submits such data in order to increase their chances in the recruitment process.
This principle is only broken with regard to biometric data that can be processed by the employer for the purpose of controlling access to sensitive information, the disclosure of which may cause harm to the employer, or access to sensitive premises (e.g. fingerprint or iris scan in biometric access control).
Specific authorisation for the processing of ‘sensitive data’
The amendment has clearly determined that only persons who have received a written authorisation from the employer to process such data and have been obliged to keep them confidential may be allowed to process personal data from the ‘sensitive data’ catalogue.
While the very confidentiality obligation does not raise any doubts, the written form of authorisations raises controversies in doctrine. The legitimacy of an analogue and definitely bureaucratic formula of paper authorisations with a handwritten signature of a person authorised to grant them versus e.g. a collective electronic catalogue of such authorisations in an IT system raises legitimate objections. This may be of considerable practical significance, especially in large organisations.
Without getting into a polemic about the ratio legis of the regulation in question, the categorical wording of the introduced regulation should be taken into account, especially since the authorisation to process personal data is one of the basic means of personal data protection in the context of the GDPR, and Article 88 of the GDPR gave the national legislator a clear delegation to introduce ‘more detailed provisions to ensure the protection of rights and freedoms in the case of processing personal data of employees in connection with employment’. Therefore, the failure of the employer to observe the form of written authorisation may, in the event of an inspection by an employee of the UODO [the Polish Office for Personal Data Protection], result in at least a decision of the inspection authority calling for this deficiency to be remedied and for the authorisation to be issued in writing as provided for by the amended provisions of the Labour Code.
‘Other data’ – employer’s obligations
Taking into account the latest regulations in the area of personal data from the ‘sensitive data’ catalogue, employers should review whether they process any data outside the ordinary data catalogue on an appropriate legal basis, in particular on the basis of consent, and whether the persons to whom such data relate have been duly informed.
With regard to persons entrusted with the processing of personal data from the ‘sensitive data’ directory, it will be necessary to review the form of the authorisations granted so far.
3. CHANGES IN MONITORING – CONTINUATION OF CHANGES
It should be recalled that the provisions of the Labour Code went through the first ‘GDPR revolution’ with the entry into force of the Act of 10 May 2018 on the protection of personal data.
The Act on Personal Data Protection introduced a detailed regulation of the principles of monitoring in the workplace, including both the processing of the image of the employee by means of video monitoring, as well as the control of business mail and other business equipment used by the employee (e.g. mobile devices).
In the scope of monitoring regulations, the legislator dots the ‘i’ by introducing a categorical ban on monitoring the premises occupied by a trade union. And while the ban on monitoring in such rooms as smoking rooms, canteens, cloakrooms and (with the consent of the trade union) even sanitary rooms may be lifted in exceptional situations in the cases specified in the Act, the legislator does not allow such exceptions in relation to the trade union, ensuring complete discretion of its members.
It must be granted to the legislator that this regulation is consistent both with Article 9 of the GDPR, which lists trade union membership itself among the so-called ‘sensitive data’, and with the constitutional principle of freedom of trade unions and the principle of their independence, expressed in the provisions of the Act on Trade Unions.
Monitoring – obligations of the employer
It will be the logistical and technical responsibility of the employer to ensure that the premises (and possibly part of the corridors directly adjacent to those premises) are completely excluded from the range of the video cameras. An employer who, on 4 May, was monitoring premises made available to a trade union organisation must cease monitoring within 14 days of the date of entry into force of the amendment.
The provisions of the Act implementing the GDPR have introduced several changes requiring employers to make some effort to review and update the documentation used in recruitment and employment processes and in the processing of ‘sensitive data’, or to verify the legality of data processing outside the basic personal data directory.
This amendment is an excellent opportunity to re-examine processes involving employee personal data, especially as this month marks one year since the entry into force of the GDPR itself. According to one of the principles governing the processing of personal data, i.e. the ‘principle of regularity’, data should be accurate and, where necessary, kept up to date.