Amendments to the Polish Labour Code in force since May 2019 resolved the existing doubts as to the admissibility of obtaining employees’ consent to processing of their personal data by employers.
Before, the courts had held quite clearly that if an employee’s consent to processing of his personal data were considered a circumstance legalising the gathering of personal data from an employee other than those specified in Art. 221 of the Labour Code, that would constitute a breach of that provision and a circumvention of the law (Supreme Administrative Court judgments of 1 December 2009, case no. I OSK 249/09, and 6 September 2011, case no. I OSK 1476/10). Therefore, as a rule, obtaining personal data other than those indicated in Art. 221 of the Labour Code based on the employee’s consent was deemed inadmissible.
However, this rigorous position presented in the judgments was somewhat softened in the justifications for the judgments. The courts shared the view of the EU’s Article 29 Working Party that an employer commits an error if it tries to legalise the processing of personal data coming from an employee by means of consent from the employee. Consent may be used if it refers to a case where the employee has complete freedom to grant it and may refuse to grant such consent without suffering any damage.
It seems that this opinion of the Article 29 Working Party was also shared by the Polish parliament when introducing the new Art. 221a and Art. 221b to the Labour Code, which provide for the admissibility of processing of employees’ personal data by the employer on the basis of their consent, but also for limitations in the use of such consent.
Under the new provisions, an employee’s consent may constitute a basis for processing of personal data by an employer other than those specified in Art. 221 §§ (1) and (3) of the Labour Code, except for personal data referred to in Art. 10 of the EU’s General Data Protection Regulation, i.e. data concerning convictions, prohibited acts or related security measures. Such data may be provided at the employee’s initiative or at the employer’s request. However, the employer shall not ask the employee for access to special categories of personal data (formerly known as “sensitive data”).
For the worker’s consent to be valid, it must meet the requirements set by the GDPR. In particular, it must be given voluntarily and constitute informed and unequivocal consent of the person to processing of his personal data. The obligation to demonstrate the freedom to give consent lies with the data controller (here the employer). Before giving his consent, the person shall be informed of the possibility of withdrawing consent with effect for the future (see recitals 32, 42 and 43 and Art. 7 GDPR).
The absence or withdrawal of consent by an employee shall not give rise to any adverse treatment of the employee. It cannot cause any negative consequences for the employee; in particular, it cannot be grounds for refusal to hire the person, or termination of the employment contract by the employer with or without advance notice.
The fact that Polish law allows the employee’s consent as a prerequisite for the processing of the employee’s personal data by the employer does not mean that this solution should be applied universally. Employers process employees’ personal data primarily on the grounds of fulfilling legal obligations imposed on them, performance of the contract with the employee, and their legally justified interests (if they take precedence over the employees’ interests, rights and freedoms). They process data based on the employee’s consent only exceptionally.
This has recently been pointed out by the Hellenic Data Protection Authority, imposing a fine of EUR 150,000 on an employer for processing employees’ personal data on the basis of their consent where other legal grounds for processing might have applied. In addition to breaching the principle of accountability, the Greek authority held that the employer infringed the principles of legality, fairness and transparency, as well as the principles of data minimisation and purpose limitation, since the employer misled the employees that it was processing their personal data on the basis of consent, when in fact it was processing them on a different basis, of which the employees were not informed.