Employers in Poland are legally required to respect their employees’ dignity, privacy, and confidentiality. The rules about processing the personal data of employees and job candidates are set out in the Polish Labour Code and the Data Protection Act, which is Poland’s interpretation of the General Data Protection Regulation (GDPR).
Employee data privacy in Poland
Employers in Poland must collect certain personal data about employees and job candidates. This is allowed under Poland’s data protection laws because it is required for the employment contract. Specifically, the Polish Labour Code specifies that employers must collect the following information from job candidates during the recruitment process:
- First name and last name
- Date of birth
- Contact information
If it is required to perform the work in question, they may also collect information about the candidate’s education, qualifications, and employment history.
Once an employee is hired, the employer can then ask for further information:
- Address
- National ID number (PESEL)
- Employment and education history
- Bank account number
- Other personal data if necessary
Employee consent for data processing in Poland
Employers in Poland may also collect and process other data about their employees if they have the consent of the data subjects. However, consent is not enough to justify processing data related to criminal convictions and offences in Poland. Polish employers may only collect this data if it’s necessary to comply with a legal obligation (e.g. when hiring for certain sensitive positions like those in finance, education, or healthcare).
If an employee doesn’t consent to their data being processed (or gives consent and then withdraws it), this can’t be used as a reason to treat them less favourably. For example, an employer can’t refuse employment or terminate an employee’s employment contract because they withdrew consent for data processing.
The GDPR in Poland
The main piece of legislation that impacts employee data privacy in Poland is the General Data Protection Regulation (GDPR). The GDPR is an EU law that sets minimum requirements for data protection across Europe. Polish employers can ensure compliance with the GDPR by:
- Only processing personal data that is strictly necessary
- Limiting who can access employees’ personal data
- Keeping personal data only as long as necessary
- Disclosing what data they are processing to the data subjects
- Performing Data Protection Impact Assessments (DPIAs) to ensure data is secure
Employee monitoring and surveillance in Poland
Poland’s data privacy laws provide specific rules about the monitoring and surveillance of employees, including CCTV and email monitoring.
Specifically, employers can only use CCTV in the workplace to ensure employee safety, protection of property, production control, or confidentiality of information. They are not allowed to monitor areas where work doesn’t take place, such as toilets, cloakrooms, canteens, or smoking areas. Employers may only use CCTV recordings for their intended purpose and must inform employees at least two weeks before they set up CCTV cameras. The areas or rooms that are monitored by CCTV must also be marked.
The monitoring of employees’ professional email accounts is allowed if it’s necessary to ensure work is organised effectively or to ensure the proper use of work tools. However, Polish employers must not violate their employees’ confidentiality of correspondence or other personal rights.