Almost two years have passed since the GDPR came into being and yet many employers are still unaware that special regulations were introduced to the Workplace Social Benefits Fund Act which impose on them numerous obligations related to the processing of personal data for the purposes of granting benefits from the Workplace Social Benefits Fund (Zakładowy Fundusz Świadczeń Socjalnych, ZFŚS).
Authorisation required to process health-related personal data
Declarations by persons entitled to ZFŚS benefits often contain health-related personal data. Employers should remember that such data can be processed only by persons whom the employer has authorised to do so in writing. These persons should also be formally obligated to keep such data confidential. In the light of recent GDPR explanations, it is assumed that an electronically produced authorisation to process personal data is equal to an authorisation provided in written form.
Obligation to conduct regular personal data reviews
The legislator imposed an obligation on employers to regularly review personal data submitted to them by ZFŚS beneficiaries, in order to determine whether its further storage is necessary. This review should be conducted at least once a calendar year. Such data should be deleted if it turns out that its further storage is unnecessary for the purpose of granting benefits, determining their amount or asserting rights or claims. Employers should remember that these reviews need to be documented to comply with the GDPR principle of accountability. The Personal Data Protection Authority wishes to remind employers that the GDPR requires uninterrupted and correct data processing, so a one-time review of data in existing resources is not sufficient.
Requesting documents only for review purposes
According to Article 8(1)(a) of the Workplace Social Benefits Fund Act, granting the employer access to personal data of persons eligible for ZFŚS benefits takes the form of a declaration. The employer may request that the data be documented to the extent necessary to confirm it. As emphasized in the GDPR, these regulations allow the employer only to view certain documents, but they do not give him or her the right to store their copies or record them in any other way.
Compliance with the maximum data storage period
It should be kept in mind that the regulations directly indicate the maximum period of data storage. The employer may process personal data for the period necessary to grant a service or benefit at a reduced cost, to grant ZFŚS subsidies and determine their rate, as well as for the period necessary to assert rights or claims (e.g. tax liabilities).
Appropriate legal basis for personal data processing
Employers often believe that consent is needed for the processing of personal data for the purposes of granting ZFŚS benefits. However, it is clearly indicated in the GDPR that the grounds for employers to process personal data for this purpose are:
- In the case of ordinary data: Article 6(1)(c) GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject;
- In the case of special categories of data, such as health-related data: Article 9(2)(b) GDPR – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
This means that employers should not collect consents to the processing of personal data for this purpose. As the Greek supervisory authority recently pointed out, employers may face an accusation of misleading employees by collecting consents to the processing of personal data where the processing is carried out under a different legal basis.