• Insights

Poland – Act applying GDPR regulations to take effect

Written by
Raczkowski largest boutique firm focusing on HR law.
Poland has implemented a set of legislative changes to allow the GDPR to apply. This article sets out some of the main points for employers to keep in mind.

On 21 March 2019 the legislative process for an Act changing certain pieces of legislation to allow for the application of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) came to an end. It has now been signed by President Duda and will come into force 14 days after its publication.

The Act changes 162 other pieces of legislation in order to adjust the Polish legal system to allow for the application of the GDPR. This includes introducing significant changes to the Labour Code.

After the Act comes into force, employers will have to implement a set of measures adjusting their daily operation to new legal requirements. These are set out below.

  1. Employers must verify the content of questionnaires used in the course of recruitment procedures and adjust them to the new scope of information that they can demand from job candidates. An employer will be entitled to ask for personal data regarding qualifications, education and current employment record from a job candidate only when it is necessary to perform work at a particular job position. Demanding such data indiscriminately from all candidates will not be possible. It will be necessary to conduct an assessment whether that information is really needed.
  2. Employers need to check whether consent to process personal data is a sufficient legal basis for processing job candidates’ and employees personal data, where the scope exceeds the personal data described in Article 221 (§ 1 and § 3) of the Labour Code. Job candidates and employees can provide the employer with special categories of personal data mentioned in the article 9 paragraph 1 of the GDPR only on own initiative and after giving consent to the processing of their personal data. For ‘ordinary’ personal data the scope of which exceeds the list in Article 221 of the Labour Code, it will be possible for the employer to ask job candidates or employees to provide their personal data but only if they consent to processing of their personal data. Employer will not be allowed to process personal data regarding criminal convictions and offences even with the consent of the individuals whose data is concerned. Processing that data will only be admissible if there is direct legal basis present to do so (e.g. for certain employees hired in financial sector organisations).
  3. Written authorisations to process personal data must be provided to individuals permitted to process personal data that falls in the special category from Article 9, paragraph 1 of the GDPR regarding job candidates and employees.
  4. Employers must verify whether their currently used system of video monitoring covers rooms shared with a company trade union: this will no longer be admissible. There is some debate over how the legislator intends the word ‘covers’ to be understood. You need to pay attention to it right now. If on the day when new provisions come into force an organisation uses video monitoring in rooms shared with a company trade union,it will have 14 days to cease doing so. It will be required to inform the company trade union that video monitoring is being discontinued.
  5. Similarly, it will be necessary to verify whether video monitoring is used in washrooms: prior consent of the company trade union or employee representatives be obtained must to use this monitoring. If on the day the Act enters into force an employer has video monitoring in washrooms, it will have 30 days to obtain the consent described above. If consent is not obtained within 30 days or three days after refusal of consent the use of video monitoring in washrooms must stop and company trade union or representatives of employees must be immediately informed of this.
  6. It will be mandatory to issue written authorisations to process health-related personal data to individuals responsible for processing applications to obtain benefits from the Company Social Benefits Fund.
  7. Employers must introduce efficient procedures for verifying the period for which they store personal data gathered in the course of granting benefits from the Company Social Benefits Fund. At least once a year employers must verify gathered personal data and determine whether it is necessary to keep storing it or delete it when necessary.
Dominika Dörre-Kolasa
Partner - Poland