Protection of employee personal data (GDPR)


🔹 Introduction

 Every employer processes the personal data of their employees – from the moment of recruitment, throughout the entire period of employment, to the storage of documentation after its termination. These principles are regulated by:

  • Regulation of the European Parliament and Council (EU) 2016/679 (GDPR)
  • Labour Code
  • Act on the Protection of Personal Data of May 10, 2018


🔸 1. What personal data can an employer process?

✅ Mandatory data (based on art. 22¹ Labour Code):

  • Recruitment - first name, surname, contact details, education, work experience
  • Employment - PESEL, address, children’s data (for tax purposes), bank account number
  • During employment - data on disability, medical certificates, court rulings (if required)
  • After employment ends - data in personal files for 10 years

📌 Biometric, genetic, health, or religious data cannot be processed by the employer unless explicitly required by law and necessary.

🔸 2. Employer's obligations as a data administrator

 According to GDPR, the employer as a data administrator is obliged to:

✅ a) Lawfulness of processing

  • Data may be processed based on an employment contract or a legal obligation (e.g., Labour Code, Social Insurance, Tax Office); the employee's consent is not required in these cases

✅ b) Data minimization

  • Only data necessary for the purpose (e.g., employment, payroll calculation, Social Insurance)

✅ c) Provision of information clause

  • Information obligation – e.g., during recruitment and employment (art. 13 and 14 GDPR),
  • Must include: administrator, purpose, legal basis, retention period, employee rights.

✅ d) Data security

  • Organizational (e.g., access only for HR department),
  • Technical (passwords, encryption, access control).

✅ e) Storing data only as long as necessary

  • Personal data in personal files – 10 years,
  • Data processed based on consent – until revoked or purpose fulfilled.


🔸 3. Informational obligations towards the employee

The employee must be informed, among other things, about:

  • the purpose and scope of data processing,
  • their rights (access, rectification, objection, deletion, restriction),
  • contact details of the data protection officer (if appointed),
  • the right to lodge a complaint with the President of the Personal Data Protection Office.

📌 The information should be provided in writing or electronically (e.g., as an attachment to the contract or regulations).

🔸 4. Rights of the employee (as the data subject)

  • Access to data - Right to view and obtain a copy of the data
  • Rectification of data - Ability to request correction of incorrect data
  • Deletion (“right to be forgotten”) - Only when data is processed based on consent
  • Restriction of processing - In certain situations (e.g., dispute regarding data accuracy)
  • Objection - When data is processed based on a legitimate interest

📌 In practice, data arising from the Labour Code and public legal obligations cannot be deleted upon request (e.g., personal files, documents for Social Insurance).

🔸 5. Can data of candidates, family, health be processed?

  • Data of job candidates - Only necessary (art. 22¹ Labour Code) + consent for CV
  • Data of children (for benefits, Employee Benefit Fund) - Yes, but only if required by law (e.g., PIT-2)
  • Health data - Only based on referral to a doctor / ruling
  • Photos, monitoring, location - Required information and justification in regulations



🔸 6. Consequences of violating GDPR

  • Lack of information clause - Complaint to the Data Protection Office, recommendations, order to delete data
  • Processing unnecessary data - Warning or administrative penalty
  • Loss or disclosure of data - Fine up to €20 million or 4% of turnover (in practice: up to PLN 1 million in Poland)
  • Failure to report a breach - Additional sanctions and inspection proceedings

📚 Legal basis

  • GDPR (Regulation of the European Parliament and Council (EU) 2016/679)
  • Labour Code – art. 22¹–22⁵
  • Act of May 10, 2018 on the Protection of Personal Data