Below we present the answers to some frequently asked questions about the implementation of GDPR in the HR area.
Article 221 of the Labour Code defines the scope of data categories which the employer may collect from job candidates and employees. Pursuant to Article 94 point 9a of the Labour Code, the company is obliged to keep personal files for each employee. The files should include information obtained from a job candidate and an employee. It is not indicated in what form this information should be provided - by means of a statement for each data category or collectively in a personal questionnaire. In practice, personal questionnaires are the most common solution.
An employer may process employee’s personal data necessary to exercise special rights (Article 221 § 4 of the Labour Code), e.g. information on the degree of disability or pregnancy. If these data are necessary for the exercise of a special right or obligation under the labour law, the employer is allowed to process them. Providing personal data about health condition or other sensitive data which have not been collected in accordance with the law (i.e. they are not necessary to exercise the rights or to fulfil the obligation or the employee has not given his or her express consent to their processing) should result in the return of such documents to the employee and permanent removal of the data from the company's database.
In accordance with the provisions of the Labour Code, an employer has the right to demand from a job candidate personal data covering the course of his/her previous employment (Article 221 § 1 of the Labour Code). The data may be provided in the form of a statement submitted by that person. The employer may also demand documentation of this information to the extent necessary to confirm it with the data provided (Article 221 § 5 of the Labour Code). It can be clearly stated that the employment certificates contain all the necessary information concerning the period of employment - they are necessary to determine the new employment relationship (e.g. the length of leave). According to the GDPR, the employer may make a photocopy of employment certificates issued by the previous employers.
As far as photocopies of university certificates or diplomas are concerned, the employer must assess whether the job requires specific qualifications. If so, it is advisable to make photocopies of documents confirming graduation from the relevant education level or faculty. It is also a good practice for the person concerned to submit a statement of qualifications and to present relevant documents to confirm them, e.g. original certificates, diplomas and attestations confirming professional competences. A person from the HR department should attach to the statement a note that the documents were presented.
The personal data are provided to an employer in the form of a personal data statement. The employer also has the right to document these personal data (Article 221 § 5 of the Labour Code). In such a case it is desirable for the employee to provide, depending on the reason for the change of name, a document confirming that this action has been taken (e.g. an abbreviated marriage certificate). The document should not be photocopied, but only presented for inspection, and the employer should make a note of the presentation (e.g. on a personal questionnaire).
The law is not retroactive - there is no legal basis for deleting the data from employees' personal files. Moreover, when introducing the new provisions, the legislator did not define the employer's obligations regarding data which could previously have been processed but whose processing is no longer allowed. If the personal data held by an employer were collected in accordance with the provisions of law in force at the time, there is no need to delete them.
The dominant view in case law (e.g. the judgment of the Supreme Administrative Court of 1 December 2009, I OSK 249/09, and the opinion of the former GIODO) is that the submission of a statement by an employee which includes consent to the processing of personal data in the form of fingerprints does not constitute a prerequisite for legalising such processing of employees' personal data. It is not advisable to use fingerprint processing equipment in order to control employees' work, even after obtaining their prior consent.
Article 221b § 2 of the Labour Code addresses the specific nature of processing data belonging to a special category, i.e. biometric data (Article 4 point 14 of the GDPR) processed in order to unambiguously identify an individual. The provisions indicate the specific purposes which may accompany such processing, i.e. when it is necessary to provide such data due to the control of access to particularly important information the disclosure of which may expose the employer to damage, or due to the access to premises requiring special protection. When controlling access to such places by means of biometrics, an employer does not need to obtain separate consent from employees in order to verify the persons entering the secured zone. The processing of data in such a situation will be based on the legitimate interest of the employer. It should also be borne in mind that persons who process special categories of data should be authorised to do so in writing - preferably in a separate document indicating the specific data the employee will have access to and the extent to which the data will be processed.