Personal data of employees in the light of the new provisions of the GDPR


On May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the GDPR, began to apply. What personal data of employees can an employer receive in the light of the new GDPR regulations? Check!

When do we deal with personal data?

Personal data is any information relating to an identified or identifiable natural person, e.g. name and surname, address, PESEL number, etc. Personal data is divided into ordinary and sensitive. Sensitive data is subject to special protection and its disclosure, even with the consent of the data subject, is prohibited. It covers information about racial or ethnic origin, political views, religious or philosophical beliefs, religious, party or trade union affiliation, health condition, genetic code, addictions, sexual life, conviction by a court, rulings on punishment and penal fines, as well as other decisions issued in court or administrative proceedings. The employer will be able to process other personal data of employees, provided that there is a legal basis for this. In this case, it is the Labor Code.

In connection with the entry into force of the GDPR, the scope of personal data requested by the employer from a job candidate and from an employee will change. The draft act on the protection of personal data of employees in accordance with the GDPR provides for a complete change of the provision of art. 22¹ of the Labor Code specifying, inter alia, the scope of personal data that may be requested by an employer from a job applicant. Therefore, the questionnaire for a person applying for employment will have to be changed; it will include such personal data of employees as: name(s) and surname, date of birth, correspondence address, e-mail address or telephone number, education and previous employment history.

Employees' personal data, such as the names of the applicant's parents and the place of residence, will not be in the possession of the employer. However, the candidate will have to provide either a telephone number or an e-mail address. It is also important that the date of signing the questionnaire for a job applicant is earlier than the date of completing the employee's personal questionnaire, as the scope of information that may be provided by the applicant for employment and the person already employed will be different.


In light of these provisions, issuing referrals for initial medical examinations seems problematic. As is known, an employee, in order to be allowed to work, must present a medical certificate of fitness for it. To obtain it, he must first receive a referral for an examination. Until now, the employer has included the name, address and PESEL number on the referral. After the entry into force of the provisions of the GDPR, the PESEL number will have to be replaced with the date of birth, and the address cannot be given at all, because at the recruitment stage the employer cannot request it.

The draft assumes that the employer will request from the person who has been employed: the address of residence, PESEL number, and in the absence of such number - the type and number of the document confirming identity. He may also request other personal data, including personal data of the employee's children and other members of his family, if it is necessary due to the employee's use of special rights provided for in the labor law, e.g. the use of an exemption for a child under Art. 188 of the Labor Code, reporting the employee's family members to the Social Insurance Institution, i.e. providing their names, surnames or PESEL number.

The processing of personal data of the employee, such as the telephone number or e-mail address provided by him at the recruitment stage, will only be possible after obtaining a separate consent from him to process this data in paper or electronic form.

Often, the files contain personal data of employees such as a copy of an abbreviated marriage certificate, kept in order to document the employee's change of name. From May 25, 2018, this will be a violation of the GDPR. Including this document in the personal files also contradicts the provisions of the Act of August 29, 1997 on the Protection of Personal Data (Journal of Laws of 2016, item 922, as amended). The abbreviated marriage certificate, in addition to the employee's personal data, also contains the personal data of the employee's spouse, as well as his parents and the spouse's parents. The employer does not need such personal data for anything and should not process it. Therefore, the above-mentioned documents should be removed from the personal files, and in their place a statement of the employee about the change of name should be placed, on which the employee responsible for human resources should put his annotation that the statement is true, because the marriage certificate has been presented. Therefore, before the entry into force of the GDPR, it is necessary to review the employee files and remove from them all documents that should not be there: apart from marriage certificates, children's birth certificates, photocopies of identity cards or military books must disappear. The content of the employee's personal file cannot be arbitrary. The documents that should be included are indicated in the regulation of the Minister of Labor and Social Policy of May 28, 1996 on the scope of keeping documentation by employers in matters related to the employment relationship and the manner of keeping personal files of an employee (Journal of Laws of 2017, item 894, as amended).

GDPR and timesheets

One of the most important elements of labor law is working time. It requires proper planning and recording. Keeping a proper record of working time is one of the basic obligations of the employer, which results directly from Art. 149 of the Labor Code. The content of the records of working time, in turn, is regulated by § 8.1 of the Regulation of the Minister of Labor and Social Policy of 28 May 1996 on the scope of keeping documentation by employers in matters related to the employment relationship. The employer is obliged to prepare working time schedules in writing or in electronic form (Art. 129 § 3 of the Labor Code). Due to the new regulations, the template of the attendance list will also change. Pursuant to Art. 104¹ § 1 of the Labor Code, the method of confirming employees' presence at work should be specified in the work regulations, and if there are none, the employee should be informed about it by the employer in the Information on employment conditions within 7 days from the conclusion of the employment contract (Art. 29 § 3 of the Labor Code). The regulations do not specify the method of confirming the employee's presence at work. The most common way is to sign the attendance list. If the employee is absent, the employer enters the reason for the absence, i.e. sickness, child leave under Art. 188 of the Labor Code, maternity leave, parental leave, etc. After the change of regulations this will be unacceptable. First of all, health data are sensitive data and their processing is prohibited (Article 9 (1), (2) of the GDPR). So what should be entered on the attendance list in the place where the employee does not sign because he is absent, e.g. due to illness? The safest solution will be to enter: "justified absence". The details and type of this absence should be included in the working time records that the employer is obliged to keep. The attendance list is only used to confirm the employee's presence at work.
The only excuse for the employee's absence from work, which may be included in the attendance list, is the information on planned or on-demand vacation leave.

Can employers use biometric data for timesheets?

According to GIODO, they cannot. The collection of fingerprints, the image of the iris of the eye or the DNA code for the purpose of timesheets is not proportionate to the intended purpose of their processing. According to GIODO, working time should be controlled by means less interfering with the privacy of employees.

Monitoring - as a means of controlling the work performed by an employee

Another element that definitely interferes with privacy and violates personal data of employees is monitoring in the workplace. Until now, no legal act has regulated this control measure. The gap in this respect is to be filled by the new Labor Code. First of all, a new definition of the concept of monitoring is to appear. Monitoring will mean technical measures to record the image, which can be used to ensure safety in the workplace and around it. It may also be used to protect the employer's property or to keep secret information, the disclosure of which could harm the employer. Importantly, it cannot be used as a means of controlling the performance of work by an employee. The draft changes regarding monitoring also introduce a provision that the personal data of employees obtained as a result of the use of monitoring may not be used for a purpose other than the one for which they were collected, i.e. for the safety and protection of property. Of course, the employer will have to inform the employee about the intention to apply this supervision measure 14 days before the introduction of monitoring, and in relation to new employees this obligation will have to be fulfilled before they are allowed to work.

Consent to the processing of personal data for recruitment purposes

Due to the application of the GDPR, the consent to the processing of personal data for the purposes of recruitment will have to be changed. Pursuant to Art. 13 of the Regulation, job applicants will have to be given information about the period of data processing, the legal basis, the right to object or the right to lodge a complaint with the supervisory authority. These clauses should be written clearly, concisely and specifically.

Will the consents for data processing collected on the basis of the Personal Data Protection Act (before May 25, 2018) expire? According to GIODO, "the data subject does not have to give consent again, if the original manner of expressing it corresponds to the conditions of this regulation". Art. 4 sec. 11 GDPR defines consent as a "voluntary, specific, informed and unambiguous demonstration of will, by which the person to whom the employee's personal data relates, in the form of a declaration or a clear affirmative action, authorizes the processing of his personal data".

To sum up, every employer as the administrator of personal data should ensure proper processing of this data. This is related to the analysis of the adequacy of their collection for the purposes of the recruitment or employment process. He should follow the principle "the less the better". All personal data of employees included in the collection should be checked for whether they are necessary and whether there is a legal basis for their processing. The legislator has provided for very high fines for non-compliance with the provisions of the GDPR, which is why it is very important for every employer to prepare for the entry into force of the new provisions.