Under Polish labour law, an employer may request the following data from an employee:
- first name (names) and surname
- parents' names
- date of birth
- place of residence (mailing address)
- employment record
An employer can obtain the above data without the employee's consent.
Due to the narrow range of personal data that employers are allowed to process under the Labour Code, employers also try to obtain and process other personal data of employees with their consent. Employers indicate that such consent is one of the conditions permitting personal data processing on the basis of the Act on Personal Data Protection dated 29 August 1997.
However, this practice is being challenged by the Inspector General for the Protection of Personal Data as well as by the courts for the following reasons:
- consent, understood as one of the legal conditions permitting personal data processing, must be voluntary and freely given. The consent may be considered voluntary only where giving such consent or denying it has no impact on the employee's rights. Due to the imbalance in the relationship between an employer and an employee, the consent given by an employee cannot be considered voluntary;
- demanding from an employee additional data other than specified by the Labour Code or other legal acts is a circumvention of the Labour Code, which clearly states that the employee's (or job candidate's) personal data may be processed only on the basis of statutory provisions;
- only a legal provision may constitute a basis for collecting the personal data of an employee. If there is no such provision, an employer cannot request personal data from an employee, even if the employee gave their written consent.
The above opinion is very strict and does not allow employers to verify the job candidate or employee and to demand, for example, a criminal record statement when filling a position linked with financial liability, even with the employee's consent.
Under the General Data Protection Regulation 2016/679 ("GDPR"), which will enter into force on 25 May 2018, it is permitted to process employees' personal data with their voluntary consent. Therefore, it seems that under the GDPR it will not be possible to exclude the consent given by an employee as the basis for processing their personal data.