GDPR, personal data, HR

GDPR in HR - the most frequent employers' questions

Each employer processes the personal data of employees and job candidates. Moreover, a company may also process employee data with regard to the work environment (e.g. monitoring recordings). Failure to comply with GDPR may lead to serious consequences for an employer, so it is worth taking advantage of some practical advice.

Below we present the answers to some frequently asked questions about the implementation of GDPR in the HR area.

  1. Is an employer obliged to use questionnaires for job candidates and employees?

    Article 22¹ of the Labour Code defines the categories of data which the employer may collect from job candidates and employees. Pursuant to Article 94 point 9a of the Labour Code, the company is obliged to keep personal files for each employee. The files should include information obtained from a job candidate and an employee. It is not indicated in what form this information should be provided - by means of a statement for each data category or collectively in a personal questionnaire. In practice, personal questionnaires are the most common solution.

  2. Is an employer allowed to process information concerning an employee's health?

    An employer may process an employee's personal data necessary to exercise special rights (Article 22¹ § 4 of the Labour Code), e.g. information on the degree of disability or pregnancy. If these data are necessary for the exercise of a special right or obligation under the labour law, the employer is allowed to process them. Where personal data about health or other sensitive data have been provided but not collected in accordance with the law (i.e. they are not necessary to exercise the rights or to fulfil the obligation, or the employee has not given his or her express consent to their processing), the documents should be returned to the employee and the data permanently removed from the company's database.

  3. Does an employer have the right to make photocopies of employment certificates and diplomas confirming education?

    In accordance with the provisions of the Labour Code, an employer has the right to demand from a job candidate personal data covering the course of his/her previous employment (Article 22¹ § 1 of the Labour Code). The data may be provided in the form of a statement submitted by that person. The employer may also demand that this information be documented to the extent necessary to confirm the data provided (Article 22¹ § 5 of the Labour Code). It can be clearly stated that the employment certificates contain all the necessary information concerning the period of employment - they are necessary to determine the terms of the new employment relationship (e.g. the length of leave). According to the GDPR, the employer may make a photocopy of employment certificates issued by the previous employers.

    As far as photocopies of university certificates or diplomas are concerned, the employer must assess whether the job requires specific qualifications. If so, it is advisable to make photocopies of documents confirming graduation from the relevant education level or faculty. It is also good practice for the person to submit a statement of his/her qualifications and to present relevant documents to confirm them, e.g. original certificates, diplomas and attestations confirming professional competences. A person from the HR department should attach to the statement a note that the documents were presented.

  4. How to change an employee's name so that it matches the data held by the employer?

    Personal data are provided to an employer in the form of a personal data statement. The employer also has the right to have these personal data documented (Article 22¹ § 5 of the Labour Code). In such a case it is desirable for the employee to provide, depending on the reason for the change of name, a document confirming that this action has been taken (e.g. an abbreviated marriage certificate). The document should not be photocopied, but only presented for inspection, and the employer should make a note of the presentation (e.g. on a personal questionnaire).

  5. Is an employer allowed to process personal data of job candidates and employees collected before the change of regulations concerning the scope of personal data of 4 May 2019, on the basis of Article 22¹ of the Labour Code - e.g. names of parents?

    The law is not retroactive - there is no legal basis for deleting the data from employees' personal files. Moreover, when introducing the new provisions, the legislator did not define any obligations for an employer regarding data which could previously be processed but whose processing is now not allowed. If the personal data held by an employer were collected in accordance with the provisions of law in force at the time, there is no need to delete them.

  6. Is an employer allowed to collect and process employees' fingerprints in order to control work time with the employee's consent? Is an employer allowed to process the employee's biometric data?

    The dominant view in case law (e.g. the judgment of the Supreme Administrative Court of 1 December 2009, I OSK 249/09, and the opinion of the former GIODO) is that a statement submitted by an employee which includes consent to the processing of personal data in the form of fingerprints does not constitute a prerequisite for legalising such processing of employees' personal data. It is not advisable to use fingerprint processing equipment in order to control employees' work, even after obtaining their prior consent.

    Article 22¹b § 2 of the Labour Code addresses the processing of data belonging to a special category, i.e. biometric data (Article 4 point 14 of the GDPR) used to unambiguously identify an individual. However, the provisions indicate the specific purpose which must accompany the processing, i.e. when providing such data is necessary to control access to particularly important information the disclosure of which may expose the employer to damage, or to control access to premises requiring special protection. When controlling access to such places by means of biometrics, an employer does not need to obtain separate consent from employees in order to verify the persons entering the secured zone. The processing of data in such a situation will be based on the legitimate interest of the employer. It should also be borne in mind that persons who process special categories of data should be authorised to do so in writing - preferably in a separate document indicating the specific data the employee will have access to and the extent to which the data will be processed.

  7. Does an employer have the right to place an image of employees on identifiers, in the intranet and in other similar places? Can he use the image of an employee for promotional purposes?

    An employer may use the image of an employee both in the internal area of business activities (e.g. photo of an employee on identifiers, intranet, newsletter) and in the external area (in offers for customers, in marketing materials). The employer may use the image of the employee if this is permitted by law or on the basis of consent given by the employee. The use of a person's image for the purpose of its dissemination is regulated by Article 81 of the Copyright Law, according to which appropriate permission is required (with three exceptions). The employer must therefore obtain the employee's consent in order to be able to use the image of the employee in the area of internal business operations.

Contact our expert

Krzysztof Grabowski
Data Protection Officer