A new version of the bill amending the acts containing specific regulations on personal data processing has been published in order to adjust them to the GDPR
The bill, together with its explanatory memorandum, runs to over 800 pages. Among the amendments drawing the most attention are those to the Labor Code. In the new bill we should pay attention to the following issues:
- The rules of employee monitoring have been expanded.
In addition to video surveillance, the bill introduces the possibility of e-mail monitoring, as well as other forms of employee monitoring. The rules regarding video surveillance are to apply accordingly to other forms of employee monitoring. An important change is the need to define the objectives, scope and method of monitoring in a collective bargaining agreement, in the internal work regulations, or, if the employer is not obliged to set the regulations or is not covered by a collective bargaining agreement – in an announcement. This requirement may significantly limit the possibility of monitoring in large entities with a collective bargaining agreement. The bill introduces a standard 3-month retention period for monitoring data, which in the case of ongoing proceedings may be extended until the final conclusion of the proceedings. Afterwards, the monitoring data should be destroyed, which may give rise to problems, especially in the context of retaining log data in IT systems, which for security reasons are often stored for longer.
- Significant doubts as to whether the employer may process employee data not listed in the regulations on the basis of its legitimate interest.
The bill provides that an employer may demand from the employee (candidate) only the data specified in the law (in particular, in the Labor Code). At the same time, it is pointed out that the processing of personal data other than those specified in the law is possible only with the consent of the employee (candidate) and only if such processing is beneficial for them. In practice this provision may exclude the possibility of the employer processing employee data, other than those indicated in the law, in its legitimate interests. At present, the legitimate interest of the employer or group of companies is the basis for the processing of employee data collected, e.g. in the course of an internal investigation following reports of irregularities through hotlines, or for the purposes of career development and planning. The need to obtain consent and the requirement that the processing must be beneficial for the employee will in practice prevent data processing for these purposes, which is not compliant with the GDPR and the current position of the Art. 29 Working Party.
- Limitation of processing of special categories of data.
The bill limits the possibility of processing special categories of data to situations where it is necessary to fulfill a duty imposed on the employer by law, which is a significant limitation in comparison to the grounds for processing such data specified in Art. 9 of the GDPR. However, biometric data are subject to an exception: such data may be processed if it is necessary to control access to particularly sensitive information, the disclosure of which may expose the employer to damage, or access to premises requiring special protection. It seems that this ground for processing biometric data modifies the basis for their processing specified in Art. 9 of the GDPR, which will raise doubts as to its effectiveness.