Do I need consent to process employee data?

The employer’s duty to obtain the employee’s written consent for personal data processing depends on what data the employer intends to process.

The grounds for the processing employee’s personal data without prior consent is employment contract (art. 6 sec. 1 b and c GDPR)

The above applies to data enumerated exhaustively in art. 22 of the Labor Code, i.e.:

1. first name(s) and surname,
2. date of birth,
3. contact details indicated by the employee,
4. education,
5. qualifications,
6. the course of previous employment,
7. address,
8. PESEL number, and in the absence of it – the type and number of the document confirming the identity,
9. other personal data of the employee’s children and other members of his immediate family, if providing such data is necessary due to the employee’s use of special rights provided for in the labor law,
10. bank account number, if the employee has not submitted an application for payment of remuneration to his own hands.

If the employer intends to process more data than those resulting from the Labor Code, it will be necessary to obtain an individual consent from the employee.

The processing of personal data on the basis of applicable law includes image processing using video surveillance cameras (Article 6 (1) (c) of the GDPR).

Importantly, the processing of personal data for the purposes of the employer’s supervision in the form of e-mail or GPS system monitoring in company vehicles is treated similarly.

On the other hand, consent to the processing of employees’ personal data is required if the employer plans to use the employee’s image, e.g. for the marketing purposes of his business.

What are the privacy and data protection issues inherent in alcohol / drug testing?

Information about sobriety is a personal data.

In the near future, the Polish legislator will enable the control of sobriety of employees on the terms referred to below.

Sobriety control and related processing of personal data will be possible only if it is necessary to ensure the protection of life and health of the employees or the employer’s property.

The employer should regulate issues related to sobriety control in work regulations or in the collective agreement.

The sobriety check of the employee will take place using methods that do not require laboratory testing or a device with a valid document confirming its calibration.

Each employer will be obliged to inform employees about the introduction of sobriety control rules not later than two weeks before the start of their application.

The result of the sobriety test will have to be stored in the employee’s personal file for a year from the date of collecting data about the examination.

How can I legitimately monitor employees’ email, internet usage and social media?

Monitoring of company mailboxes may be introduced when it is necessary to ensure work organization enabling full use of working time and proper use of the work tools provided to the employee. Monitoring cannot violate the secrecy of correspondence and other personal rights of the employee. Therefore, it is not allowed to monitor the content of an employee’s private messages, even if they were sent using company mail and/or equipment.

The employee must be notified about the employer’s use of corporate e-mail monitoring – an employee who has not been notified that the employer is undertaking communication control may have a reasonable expectation as to the protection of his privacy in the field of e-mail. The employer should include the corporate e-mail monitoring procedure in the collective agreement, work regulations or announcement and inform about its introduction at least 2 weeks before starting the monitoring.

The employer is obliged to indicate the scope of data collected as part of the monitoring, adequate to its purpose – if it is sufficient to obtain information about the senders and recipients of communication and the date and time of messages sent and received, as well as the subject of the message, the content of the correspondence should not be analysed.

The same rules apply to monitoring the employee’s use of Internet access.

Polish regulations do not regulate the possibility of monitoring an employee’s activity in social media. As a rule, employees are obliged to take care of the well-being of the workplace both during and outside working hours, and thus the employee’s online activity may not have a negative impact on his employer.

What are the limits of using artificial intelligence in employment?

The Polish legislator has not introduced copyright regulations governing the use of artificial intelligence in employment. As a consequence, the current limits of using AI in the recruitment and employment process are the same as those contained in EU regulations, in particular the norm from Article 22 of the GDPR.

Thus, the use of AI in the employment process requires the employee’s or candidate’s consent to the automated processing of their personal data. AI may not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of genetic data, biometric data in order to uniquely identify a natural person or data concerning health, sexuality or sexual orientation of that person, unless it expressly consented to the processing of this data, indicating the purpose of such processing, and there are appropriate measures to protect the rights, freedoms and legitimate interests of the data subject.

What are the data protection issues in whistleblowing?

Currently, Poland has not yet adopted an act introducing the obligation to create a policy for whistleblowers

The new regulations will most likely enter into force at the beginning of next year and will primarily apply to entities employing over 250 employees.

In turn, at the end of 2023, the regulations are to apply to other employers.

In practice, the new regulations will impose an obligation on employers to implement a breach notification procedure in the organization. This procedure is primarily intended to protect whistleblowers and their personal data. All reports will be considered by a committee whose members are obliged not to disclose the whistleblower’s personal data to third parties. Personal data contained in the documentation of the commission will be a company secret and will be subject to special protection.