The social fund and the GDPR – data processing on the basis of a declaration
After the GDPR came into force, new questions are surfacing with respect to personal data processing for the purposes of the operation of the company social benefits fund, concerning the admissibility of data collection, the scope of the data, the processing time or the employee’s consent to processing. Changes to the laws in this respect have not been made yet.
Personal data is to be made available to the employer for the purposes of the operation of the social fund on the basis of the employee's declaration. Importantly, on this basis it will be possible to process not just the employee's data, but also the data of other persons authorized to use the fund's benefits. The employer will have the right to request the documents confirming the data. This means that the collection and the processing of the data for the purposes of the fund will happen without the need to obtain the employee’s consent. These are the key assumptions of the proposed regulations. It should be remembered, however, that data collection and processing can only happen for the purposes and in the scope that is necessary to grant service discounts and fund benefits. It is the employer’s responsibility to ensure that the data collected are not excessive, i.e. that they are necessary for the fund to function correctly. This is particularly important in the situation when the data collected is of sensitive nature, e.g. concerning the health of the employee or their family members. This is why it is important to introduce an appropriate data processing procedure, to adjust the fund's regulations and the related documentation to the requirements of the GDPR, to develop processing methods, to prepare appropriate authorizations for the persons who have access to the data within the fund and to carry out an appropriate training for the members of the social committee.