The principle of data minimization and the storage of employee documentation


The processing of personal data is subject to strict regulations. The main legal act regulating this issue is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), abbreviated as "GDPR". With regard to matters related to the employment relationship, the processing of personal data is additionally subject to the regulations contained in the Labor Code. The principle of data minimization is very important with regard to information storage in HR and payroll departments.

Processing of personal data

Pursuant to Art. 4 point 2 of the GDPR, the processing of personal data is an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as:

  • collection,
  • recording,
  • organization,
  • structuring,
  • storage,
  • adaptation or alteration,
  • retrieval,
  • consultation,
  • use,
  • disclosure by transmission,
  • dissemination or otherwise making available,
  • alignment or combination,
  • restriction,
  • erasure or destruction.

What personal data can the employer request?

The employer may require the applicant to provide personal data including:

  • first name (names) and surname,
  • date of birth,
  • contact details indicated by such a person,
  • education,
  • professional qualifications,
  • the course of previous employment.

Data on education, professional qualifications and the course of previous employment may be requested by the employer when it is necessary to perform work of a specific type or in a specific position (Article 22¹ § 1 and § 2 of the Labor Code).

Example 1.

In a job advertisement for a messenger position, the only requirement for candidates is readiness for shift work. Because the employer has not specified any requirements regarding education, professional qualifications or the course of previous employment, it has no right to demand that persons applying for this position provide personal data in this regard.

From the employee, in addition to the above-mentioned data, the employer has the right to request personal data, including:

  • address;
  • PESEL number, and in its absence - the type and number of the document confirming identity;
  • other personal data of the employee, as well as personal data of the employee's children and other members of his immediate family, if providing such data is necessary due to the employee's use of special rights provided for in labor law;
  • education and course of previous employment, if there was no basis for requesting them from the person applying for employment;
  • payment account number, if the employee has not submitted a request to receive remuneration in person (Article 22¹ § 3 of the Labor Code).

In addition, the employer may request other personal data to be provided when it is necessary to exercise the right or fulfill the obligation resulting from the law (Article 22¹ § 4 of the Labor Code).

How the data is made available

The personal data is made available to the employer in the form of the data subject's declaration. The employer may request documentation of personal data to the extent necessary to confirm them (Article 22¹ § 5 of the Labor Code).

Consent to the processing of personal data

The data of the person applying for employment or the employee, which the employer cannot demand on the basis of the regulations discussed so far, may be processed with the consent of the data subject. This concerns both the processing of personal data provided by the job applicant or employee at the employer's request, and personal data provided to the employer at the initiative of the job applicant or employee.

Lack of consent or its withdrawal may not be the basis for unfavorable treatment of a job applicant or an employee, and may not cause any negative consequences for them. In particular, it may not be a reason justifying refusal of employment, termination of an employment contract with notice or its termination without notice by the employer (Article 22¹a of the Labor Code).

The consent of the data subject does not authorize the processing of personal data relating to criminal convictions and offenses or related security measures (cf. Article 10 of the GDPR). In the Polish legal system, the possibility for employers to process information on criminal convictions is regulated in Art. 6 sec. 1 point 10 of the Act of May 24, 2000 on the National Criminal Register. Pursuant to this provision, employers have the right to obtain information about persons whose personal data has been collected in the register, to the extent necessary for employing an employee for whom statutory provisions require no criminal record, full enjoyment of public rights, and determination of the right to hold a specific position, practice a specific profession or conduct a specific business activity.

Processing of biometric data

The consent of the job applicant or employee may constitute the basis for the processing by the employer of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and for the processing of genetic data, biometric data used to uniquely identify a natural person, or data concerning that person's health, sex life or sexual orientation, only if the transfer of such personal data takes place at the initiative of the job applicant or employee.

The processing of the employee's biometric data is also permissible when providing such data is necessary to control access to particularly important information, the disclosure of which may expose the employer to damage, or access to rooms that require special protection (Article 22¹b of the Labor Code and Article 9 par. 1 of the GDPR).

Example 2.

The employer processes the fingerprint patterns of employees authorized to access the rooms where information constituting a company secret is stored; access to these rooms is granted after an electronic scan of the employee's thumbprint.

The principle of data minimization

Art. 5 of the GDPR sets out seven principles for the processing of personal data. According to this provision, personal data must be:

  1. processed in accordance with the law, fairly and transparently for the data subject (principle of lawfulness, fairness and transparency);
  2. collected for specific, explicit and legitimate purposes and not further processed in a manner inconsistent with these purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered incompatible with the original purposes (purpose limitation principle);
  3. adequate, relevant and limited to what is necessary for the purposes for which they are processed (the principle of data minimization);
  4. accurate and, where necessary, kept up to date; all reasonable steps should be taken to ensure that personal data that are inaccurate in view of the purposes of their processing are deleted or rectified without delay (principle of accuracy);
  5. kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed; personal data may be stored for a longer period as long as they are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, provided that the appropriate technical and organizational measures required by this Regulation are implemented to protect the rights and freedoms of data subjects (principle of storage limitation);
  6. processed in a manner ensuring adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by appropriate technical or organizational measures (the principle of integrity and confidentiality).

The controller of personal data (in particular the employer) is responsible for compliance with the above principles and must be able to demonstrate compliance with them (accountability principle).

Handling redundant data

The principle of data minimization set out in point 3 above excludes the possibility of acquiring and storing redundant data, i.e. data that are not necessary to achieve the prescribed, lawful purposes, in particular those related to the employment of employees. Therefore, the employer should not request or accept redundant data from job applicants and employees, and if it receives such data, it should immediately return or delete them.

It follows from the above that, under current law, HR units cannot collect information about employees "in reserve" or "just in case", but only strictly to the extent provided for in the applicable regulations.