On March 21, 2019 came to an end the legislative process regarding the act on changing certain pieces of legislation to provide application of regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Currently the act awaits only for the signature of the President.

It will come into force after 14 days from its publication. The act changes 162 other pieces of legislation in order to adjust the Polish legal system to provide application of the GDPR. This includes introducing significant changes to the Labor Code.

After the act comes into force, employers will have to undertake a set of measures adjusting their daily operation to new legal requirements:

1. You have to verify the content of questionnaires used in the course of recruitment procedures and adjust them to the new scope of information that the employer can demand from job candidates. Employer will be entitled to demand from job candidate personal data regarding qualifications, education and current employment record only when it is necessary to perform work at a particular job position. Demanding such data will not be possible in case of all of the candidates. It will be necessary to conduct an assessment whether that information is really needed. 
2. You need to check to what extent consent to process personal data is a legal basis for processing personal data of job candidates and employees, in the scope exceeding the catalogue of personal data mentioned in the article 22¹ § 1 and § 3 of Labor code. Job candidates and employees can provide the employer with special categories of personal data mentioned in the article 9 paragraph 1 of the GDPR only out of their own initiative and after expressing consent to process their personal data. In case of ‘ordinary’ personal data in the scope exceeding the catalogue mentioned in the article 22¹ § 1 and § 3 of Labor Code, it will be possible for the employer to ask job candidate or employee to provide their personal data but only if they consent to processing their personal data. Employer will not be allowed to process personal data regarding criminal convictions and offences even on the basis of consent of person whose data are concerned. Processing those will be admissible only if there is direct legal basis present to do so (e.g. in case of certain employees hired in entities from financial sector);
3. It is necessary to provide written authorizations to process personal data to persons admitted to processing personal data of special category from article 9 paragraph 1 of the GDPR regarding job candidates and employees.
4. You have to verify whether currently used system of visual monitoring covers rooms shared with company trade union- such action will no longer be admissible. It is disputable how the legislator understands the word ‘covers’. You need to pay attention to it right now. If on the day when new provisions come into force you have used the monitoring of rooms shared with company trade union, you have 14 days to cease doing so. It will be necessary to inform the company trade union about discontinuation of using visual monitoring.
5. Similarly, it will be necessary to verify whether you use visual monitoring in sanitary rooms- you have to obtain prior consent of company trade union or representatives of employees for such activity. If on the day of entering into force of the act you use visual monitoring of sanitary rooms, you have 30 days to obtain consent mentioned above. In case of lack of consent within 30 days or after 3 days after refusal of consent you have to stop using visual monitoring of sanitary rooms and immediately inform about that fact the company trade union or representatives of employees.
6. It will be mandatory for you to issue written authorizations to process personal data regarding health to persons processing motions to obtain benefits from Company Social Benefits Fund;
7. You are obliged to introduce efficient procedures of verifying the period for which you store personal data gathered in the course of granting benefits from Company Social Benefits Fund. At least once a year you will have to verify gathered personal data, determine whether it is necessary to keep storing them and delete when necessary.

Our personal data protection team is at your disposal.

CONTACT:

Dominika Dörre-Kolasa, Ph. D.
Attorney-at law/ Partner
dominika.dorre-kolasa@raczkowski.eu