Interest in data protection issues has increased significantly in recent years. We pay more and more attention to by whom, how and for what purposes our data is processed; also among entrepreneurs, there is a growing awareness of the importance of ensuring an adequate level of security of customers’ personal data.

But how does the protection of personal data look in employment relations? Do employers know what employee data they can process legally? Are employees aware of what data the employer may request from them? What data can we, as a  potential employer, require in the application documents during the recruitment process?

The frequently raised doubts also relate to the practice of installing video surveillance on the premises of  the workplace. Many employers are also considering introducing modern solutions to facilitate the keeping of working time records, such as an electronic system for recording employees’ entrances and exits based on fingerprint or iris reading.

What employee data can we, as an employer, process securely, and what are the most common breaches of the data protection regulations, more or less knowingly committed by employers?

Personal data of the job applicant and employee.

Image protection.

In the current legal situation, a potential employer may, in the course of recruitment, require only data such as name, date of birth and contact details – but only those indicated by the candidate. Therefore, it is up to the person applying for the job to provide us with a telephone number or, for example, an e-mail address or a mailing address.

Where justified by the requirements laid down for a given post, a potential employer may also request from the candidate for employment data concerning education, professional qualifications and the course of previous employment.

Interestingly, despite the common habit of candidates sending their photos to the potential employer (most often included in Curriculum Vitae), in fact, the employer in the recruitment process does not have the right to require the job applicant to make their image available.

If a candidate decides to send application documents containing a photograph, his or her image may be processed on the basis of his or her consent, but it should be borne in mind that such consent may be withdrawn at any time, which should consequently result in the cessation of processing of that data by the employer.

Once the employment relationship has been established, the employer may require the employee to provide additional personal data, such as address of residence, PESEL number or payment account number to which the remuneration for work is to be transferred. The full catalogue of data is indicated in the provisions of the Labour Code.

Employers often use outdated personal questionnaire forms and, consequently, require employees to provide redundant data such as gender, marital status, military service status, interests, series and ID card number, and many, many other data that the employer should not seek to obtain.

Often, employers require employees to wear photo IDs; they also post pictures of employees on websites on the Internet, in promotional brochures or in newsletters. At the same time, the applicable law does not constitute the basis for the employer to process the employee’s image. If the publication of an employee’s image, for example on the employer’s website or social media profile, is a part of a marketing strategy or communication with contractors, it will most often be possible to publish the image of employees on the basis of their consent or in the performance of an additional contract concluded for this purpose.

How to legally use video surveillance on the premises of the workplace?

It is an increasingly common – and certainly justified – practice to install video surveillance in workplaces. The current rules give the employer the possibility to introduce specific supervision of the workplace by using technical means to record the image, but only for well-defined purposes, that is to say, to ensure the safety of employees or to protect property or control the production or confidentiality of information the disclosure of which could expose the employer to harm.

At the same time, the provisions of law contain a number of guidelines specifying in which rooms video surveillance cannot be applied (it should not cover premises made available to the trade union, sanitary facilities, changing rooms, canteens and smoking rooms). It also indicates the dates and means of storing the recorded data (as a rule, recordings may be stored for a period not exceeding 3 months from the date of recording), as well as the forms and time limit for correctly informing employees about the introduction of video surveillance, as well as specific guidelines for the correct, legible marking of the monitored area.

Before starting monitoring on the premises of the workplace, it is therefore worth reviewing the applicable regulations in order to avoid involuntary violations of the law.

Processing of biometric data.

E-registration of employees’ entrances and exits.

Due to the increasingly dynamic development of modern technologies, some employers introduce electronic systems for the registration of employees’ entrances and exits in workplaces. Systems that allow you to register an entry or exit based on fingerprint reading or iris scanning may seem particularly attractive.

However, it must be borne in mind that such data are biometric data within the meaning of the provisions on the protection of personal data law. Apart from truly exceptional situations, it is not possible for an employer to process employee biometric data.

Biometric data, unsurprisingly, fall into a specific category of data, which are subject to increased protection by both the European and Polish legislators. They may be processed only with the explicit consent of the data subject and, in relation to employees, only if the transfer of this personal data takes place at the initiative of the employee.

According to the provisions of applicable law, the employer cannot actively seek to be granted a consent by employees for the processing of their biometric data. The employer cannot ask employees to give such consent or encourage them to do so in any way.

Furthermore, it should be borne in mind that consent is the least certain, ‘weakest’ basis for data processing, as it can be withdrawn at any time. Therefore, if employees withdraw their consents, this could cause significant problems in the day-to-day keeping of working time records.

Electronic registration of entrances and exits can therefore be introduced, for example, by using personalized electromagnetic cards, assigned to employees (in an encrypted manner, of course), while scanning the fingerprints of employees or the iris of the eye will, in principle, constitute a flagrant violation of the applicable data protection regulations.

The rules for the processing of employees’ personal data should be known to each employer. Fortunately, we observe an increasing awareness of the importance of compliance with data protection regulations among entrepreneurs. On the one hand, compliance with the applicable regulations obviously reduces the risk of unauthorized access by third parties to personal data, and on the other hand – it minimizes the risk of negative outcome of a possible inspection carried out by the authorities – Office for the Protection of Personal Data. Taking the above into account, it is certainly worth the time and commitment needed to implement appropriate data protection rules within the enterprise.

Katarzyna Wypychowska

Associate, Attorney-at-Law
katarzyna.wypychowska@ckpartners.pl