Many employers wish to know more and more about their employees and request the provision of an increasingly wide range of personal data. It has become a widespread practice for companies, in particular those operating in the insurance and financial industries—including banks—to collect a broader scope of personal data concerning their employees than is envisaged by the Labour code. Companies are particularly interested in collecting data regarding the criminal records of their employees and information concerning their financial situation, as found in the reports of the Credit Information Bureau. However, the desire to process such data and the eligibility to lawfully do so are two fundamentally different things.
The act on the protection of personal data requires a data controller (the employer) to exercise due care in protecting the interests of those whose data are concerned, especially as regards the duty to ensure that data is lawfully processed.
The Labour code clearly indicates the scope of personal data that an employer may process in relation to job applicants and the scope of personal data that may be processed in relation to employees.
Employers may require job applicants to provide the following data: forename(s) and surname; forenames of parents; date of birth; residential address (correspondence address); education and employment history. As regards existing employees, an employer may also require, in addition to the aforementioned personal data, the following: other personal data concerning the employee; the forenames, surnames and dates of birth of the employee’s children, where this is necessary because the employee exercises special rights laid down by labour law, and the employee’s individual identification number (PESEL).
An employer may demand personal data other than those referred above, provided that provision of them is obligatory on the basis of separate legal provisions.
Requesting the data concerning an employee’s criminal history or financial situation falls outside the aforementioned scope, unless the obligation to provide such data results from separate legal provisions. In the absence of such legal provisions, an employer may not lawfully process such data. The Supreme Court noted in the reasoning to its ruling of 5 August 2008 (case no. I PK 37/08) that “It is possible to obtain information about a particular person (including an employee) only when the basis for collection of such information arises from an express provision of law and only insofar as permitted by such law.” Moreover, according to the position of the Polish Data Protection Authority as expressed in a decision dated 29 March 2011 issued towards the bank, even where an employee has explicitly consented to the processing of personal data, this does not serve to expand the scope of personal data contained in the Labour code which employers may lawfully process about employees.
The Supreme Administrative Court, in a ruling of 1 December 2009 (case no. I OSK 249/09), clearly stated that “an employee’s written consent to the processing of his/her personal data, provided at the request of the employer, infringes the employee’s rights and the free expression of his/her will. This arises due to the employee’s dependency upon the employer. The imbalance in the employer-employee relationship raises doubts as to the voluntariness of consent for the processing of personal data.”
