• Insights

Poland – The GDPR one year on

Written by
Raczkowski largest boutique firm focusing on HR law.
This article reviewing the first year of the GDPR in Poland highlights enforcement and guidance activity by the data protection authority and changes to the Polish Labour Code relating to employee monitoring and personal data collection. 

The Polish DPA has imposed two GDPR fines so far. The first, of PLN 943,000 (approximately EUR 218,803), was imposed on an entity that processed the data of 6 million data subjects, but only 90,000 of them were informed about it. The second fine was imposed (only a few days ago) on a sports association for failing to delete judges’ data effectively. A penalty of PLN 55,000 (approximately EUR 12,762) was imposed.

Last year was also unique in terms of number of reported complaints and breach notifications. According to figures gathered by the Panoptykon Foundation, from 25 May 2018 to 28 February 2019, 5651 complaints were filed in Poland. Additionally, 3189 data breach notifications have been submitted to the DPA.

Although the main result of entry into force of GDPR was the introduction of a completely new Act on the protection of personal data in Poland, amendments to the Polish Labour Code introduced even more significant changes in the field of the employment market and practice. Firstly, specific provisions regarding monitoring in workplace are now in force and this monitoring is allowed only in certain situations. In addition, a list of employees’ and job candidates’ personal data which can be processed by employers has been established. There is a list of data that ‘must’ be requested by employers and provided by candidates and employees. Additionally, new provisions expressly allow employers to collect other personal data on the basis of the job candidates’ or employees’ consent. However, any special categories of data can only be processed based on consent if provided by the job candidate or employee at their own initiative. Employee biometric data processing is also possible if it is necessary to control access to particularly sensitive information, the disclosure of which may expose the employer to damage, or access to premises requiring special protection.

Recently GDPR-related issues have dominated the labour law market. The DPA has issued a handbook for employers with answers to frequently asked questions. One hot topic is undoubtedly the scope and retention of data collected during recruitment. And yet, the appropriate duration of retention is unclear, since the opinions of the DPA and Polish Ministry of Digital Affairs differ. Close scrutiny of practical developments will be essential in this field.

Lastly, video monitoring is expected to become one of the main issues in 2019. The DPA has announced that its activity will focus on this area. In parallel, these types of cases (related to the legality of video monitoring or the legal basis of employee data processing) are slowly starting to be reviewed by the courts.