New regulations implementing the GDPR- selected amendments
On May 4, 2019, the Sectoral Act entered into force, which introduces provisions implementing the GDPR into a number of legal acts. The amendments concern over 160 acts from various areas, including labor law, banking law, insurance law, telecommunication law, education law and administrative law. The amendment is aimed at strengthening the protection of privacy and increasing the guarantee of access to personal data.
Below we present the key changes in selected areas of law, which in our opinion should be of special attention to entrepreneurs.
Changes in labor law
Changes in the provisions of the Polish Labor Code concern primarily the range of personal data of candidates that may be processed in recruitment processes and personal data that the employer may request from his employees.
The personal data of the candidate, which the employer will have to obtain from him, will be his name and surname, date of birth and contact details indicated by the candidate (e.g. e-mail address or telephone number). The employer will no longer be able to request the candidate’s parents’ names or correspondence address.
The new regulations also limit the processing of personal data such as education, professional qualifications, or the course of employment. The employer will be able to demand such data only if it is necessary to do so in order to perform a specific type of work or work at a specific position. It should be noted, however, that this is primarily about an objective need resulting from the nature of the duties to be performed by the potential employee, and not about a subjective impression of the employer. The above changes are to serve the principle of minimalism of data processing, as not every employment relationship justifies the collection of all the above information.
It will also be acceptable to process specific personal data of the candidate or employee on the basis of their consent. However, some categories of personal data will be excluded from the possibility of data processing upon consent, e.g. data concerning convictions and prohibited acts. Processing of such data will only be possible if required by law. It should be emphasized that the lack of consent or its subsequent withdrawal will not have negative consequences for the candidate or employee with respect to the employment relationship.
The changes also apply to the provisions governing monitoring at the workplace and the surrounding area. Pursuant to the new regulations, it will be unacceptable to monitor the premises of trade union organizations, as according to the justification for the draft act, such monitoring could violate the principle of freedom and independence of trade unions. Furthermore, in the case of monitoring systems in sanitary facilities, prior approval must be obtained from the trade union organization or employee representatives.
Changes in consumer law
The new wording of the provisions of the Act on Consumer Rights is intended to facilitate the implementation of information obligations for micro-entrepreneurs, i.e. entrepreneurs who employ no more than 10 employees and do not have a turnover exceeding EUR 2 million net per year in at least one year of the last two fiscal years. In the case of micro-entrepreneurs, it will be sufficient to place the information clause in a visible place in the premises of the enterprise or on its website. The information obligation will be met when the natural person concerned has a real opportunity to become acquainted with the information obligation. This means that the information clause will not be able to be placed in a place which makes it impossible or significantly more difficult for the consumer to become familiar with its content.
Changes in administrative proceedings
There have also been changes to the Code of Administrative Procedure, including the implementation of the information obligation in administrative proceedings. The administrative authorities will be able to provide the information requested by the GDPR already in the first letter addressed to the parties to the proceedings. Moreover, the person who will file a complaint against the authority’s action will be obliged to indicate his or her basic personal data. Otherwise, the complaint may not be examined by the authority.
This publication deals only with selected changes. Should you like to check whether the changes also apply to your business, please contact us.
Author: Maria Szczęsna Associate | Advocate