Grzegorz Gęborek

Attorney at law (Poland)
Senior Associate
Phone: +48 32 721 24 22

The data protection reform in Poland is still a work in progress and nothing indicates that it will be finished in the forthcoming months. The lawmakers were unable to meet the deadline of 25 May 2018 for amending all industry-specific regulations, which are spread among some 300 statutes. After the two-year period set for adjusting the Polish legislation to GDPR a new personal data protection act was adopted. The act came into force on 25 May 2018 and contains provisions amending some selected acts. The remaining laws are to be amended later, so the major amendment of the data protection law is still being worked on. Not only the laws themselves but also regulations implementing those laws need to be amended (draft regulations are still missing).

The reform of Polish laws is under way

Therefore, numerous concerns arise about the day-to-day application of personal data protection provisions in highly specialised areas of law, such as medical law, or laws relevant to businesses, such as labour law. Employers and HR departments are faced with a difficult task of aligning the processing of job candidates’ and employees’ personal data with GDPR requirements without being provided with a coherent legal framework in this scope. Consequently, all measures taken to ensure the compliance of personal data processing with the binding legislation will have to be verified and amended several times in response to new laws and regulations yet to be passed within the next few months. 

Personal Data Protection Office

Recently, however,  the President of the Personal Data Protection Office [UODO], the Polish supervisory authority, has become more active, organising training events and issuing handbooks on the most important changes in data protection law. His most notable activities include a training session on employers' duties concerning personal data protection held on 5 October 2018, which was addressed in the first place to personal data protection inspectors.  A great plus for the event was that it was available online.

During the training, experts from the Data Protection Office provided instructions on how to process personal data during recruitment and throughout the employment period. The participants were taught situation-specific procedures and thus received answers to questions directed to UODO in the first months of the office's operations and during the office-led social consultations.

A guidebook on personal data protection in the workplace

The Data Protection Office regularly investigates all forms of employee monitoring, including video monitoring, which have finally been regulated in the Labour Code. This topic was also discussed during the training session. The training event was held at the time of publishing a guidebook entitled “Ochrona danych osobowych w miejscu pracy. Poradnik dla pracodawców” [Personal Data Protection in the Workplace – A Guide for Employers]. The guidebook is available at the office’s website.

It addresses many practical questions which are of great importance to enterprises conducting cross-boarder operations, such as the very controversial transfer of personal data within a corporate group, establishing of roles in the case of hiring temporary workers through a temporary work agency, or the use of new technologies by employers. The guidebook covers four topic areas: job search, recruitment process, employment period, and forms of employment other than those regulated by the Labour Code.

Despite a great interest in the training and the guidebook, they do not cover all problems connected with data protection in HR. Moreover, some of the opinions presented in the guidebook and during the training have triggered doctrinal concerns.

There are still many doubts

What is more, because of complex and sometimes unclear argumentation, UODO’s standpoint may be misunderstood and, consequently, wrongly implemented, which might bring enterprises more harm than good.  An example is the widely discussed lack of obligation to receive consent from job candidates only in cases strictly specified by law, which, however, do not include the transfer of non-standard data not listed in the Labour Code.  

To sum up, at the moment it is difficult to point out practical HR solutions which would allow avoiding potential sanctions for breaching the data protection laws. Noteworthy, besides the administrative fines stipulated in Article 83 GDPR and applicable across the EU the Polish lawmakers have introduced criminal regulations in the new Polish Data Protection Act (as allowed under GDPR). This makes it all the more difficult to comment on the guidebook of UODO’s President. On the one hand, this guidebook reflects some preferences of the supervisory authority which may influence its approach during data processing inspections. On the other hand, its interpretations, which in some cases seem quite uncommon, are not a source of law, whereas all parties involved in data processing must first follow GDPR and then national legislation as long as it is not in conflict with GDPR.

If you are interested in this subject, please contact Rödl & Partner’s experts available in our offices in Cracow, GdanskGliwicePoznanWarsaw or Wroclaw.

Grzegorz Gęborek