The Polish data protection authority (‘UODO’) issued, on 4 October 2018, guidance for employers on data protection in the workplace, under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) (‘the Guidance’), following a public consultation on the same. In particular, the Guidance focuses on the processing of employee data during recruitment, selection and the employment period, as well as distinguishes between different types of employment contracts, such as those concerning temporary and permanent workers.
Michał Lisawa, Senior Associate at CMS Cameron McKenna Nabarro Olswang Pośniak i Sawicki sp.k., told DataGuidance, “The Guidance relates to a number of matters in the recruitment process and parts of it follow the market’s already existent and commonly established views. However, other parts of the Guidance are highly controversial. It must be remembered that the Guidance [is not] binding. Rather, it constitutes UODO’s interpretation of the existing law. In case issues arise, it will be up to the courts to decide whether such interpretation is correct.”
When discussing employee privacy issues, both the privacy and employment perspective must be taken into account and those angles are not always the same
The Guidance emphasises the special nature of processing personal data in the employment context due to the unequal relationship between employees and their employers. Furthermore, it aims to provide clarifications in areas such as consent for recruitment purposes; processing of sensitive data, including criminal data; employee monitoring; data retention; and processing by third parties.
Magdalena Kogut-Czarkowska, Associate at Baker McKenzie Krzyżowski i Wspólnicy sp. k., outlined, “Employees’ rights in the area of privacy are now broader and stronger […] but we must keep in mind that the rights provided in the GDPR are not absolute. For instance, the employee cannot always exercise the right to be forgotten and demand that the employer deletes certain data on the employee, as […] such data will be required and necessary due to the existing employment relationship. Understanding the limitations of the data subjects’ rights is tricky. In many instances the GDPR is quite nuanced and does not provide straightforward answers. Additionally, the GDPR also recognises that local laws may provide specific rules on the processing of personal data in the employment context. Thus, when discussing employee privacy issues, both the privacy and employment perspective must be taken into account and those angles are not always the same.”
With respect to changes introduced under the GDPR in relation to handling employee data, apart from focussing on changes to the scope of the rights of employees, the Guidance also addresses additional requirements that must be followed by employers accordingly. In particular, the Guidance highlights that employees should be well-informed as to by whom, for how long, to what extent and for what purpose their personal data are processed.
Lisawa concluded, “It is difficult to say whether the new [data protection] rules have strengthened the employee’s position in relation to their employer. However, they certainly impose additional requirements on the employers […] For instance, the Guidance emphasised that any additional personal data can only be collected for a specified and legitimate purpose, rather than ‘just in case.’ By way of example, the Guidance indicates that the data of rejected job candidates, such as their CV or motivation letters, must be permanently deleted, for example by destroying or sending it back, immediately after the recruitment process is finished. Such information cannot be retained for longer than necessary, even for the purpose of protection against potential claims from rejected candidates […] As a consequence, in case an issue materialises, it may be difficult for an employer to present evidence in its favour as to why the candidate has been rejected, since such evidence would have to be deleted earlier.”
WERONIKA NATALIA BLASZCZYK Junior Privacy Analyst