Storing employee documentation according to GDPR 

The most important changes


A new regulation about the processing of personal data by employers applies from 4th May 2019 in Polish legislation. What changes have introduced the new law?

The employer managing the employee documentation is obliged to apply the provisions on the protection of personal data.

Companies are required to collect information which are necessary to achieve the purpose of processing (the adequacy principle). 

Exhaustive list of personal data collected by the employer

Personal data that epmpolyer may require from applicants and employees are included in Article 221 of the Labour Code and also in separate regulations. 

Currently, the employer is entitled to receive the following personal data from applicants:

  • first name (names) and last name
  • date of birth
  • contact details
  • education
  • professional qualifications
  • the course of previous employment.

It is worth noting that the employers should collect only personal data which is necessary for the purpose of employment (the principle of minimization). 

The employers is entitled to receive the following personal data from the employee, regardless of the data which the employers had obtained in the recruitment process:

  • address
  • PESEL number or other the type and number of identity document
  • other personal data of the employee, and personal data of the children of the employee and other members of his immediate family, if it is necessary to use of special rights by the employee under the labour law
  • education and course of previous employment, if there was no basis to demand them from the applicants
  • the account number, if the employee hasn’t applied for the payment to emplyee personally.

In addition, the employers is entitled to request other data when it is necessary to exercise the right or fulfil the obligation under the law. 

The basis for collecting the above-mentioned personal data is Article 6 paragraph 1 letter C GDPR.

What is the basis for processing personal data from outside the exhaustive list ?

The basis for collecting other personal data is consent (Article 6 paragraph 1 letter A GDPR).

There are also regulations regarding the collecting of sensitive data. It is required clear consent (Article 9 paragraph 1 GDPR).

The processing of personal data regarding convictions and violations of law (Article 10 GDPR) have been excluded. Such data may be processed only on the basis of the law. 

Controller duties 

Under the new regulations, the employer should update information and consent clause and should make changes in personal questionnaires. 

The most important questions:

  1. Is the personal data that has been collected so far, should be covered in order to stop the processing?
  2. Does changing the basis for the processing of personal data gives an obligation for the Controller to re-comply of the information obligation about the circumstances of the changes that have taken place?

Do you want to know more?
We invite you to contact us! 


Find out how we can help you


For more information, please contact our expert.