In today’s digital world, personal data is often called the currency of the future. In many ways, it already is. In the workplace, where vast amounts of employee and candidate data are collected and processed, compliance with data protection laws such as the GDPR is not optional – it's essential.
Here are the key areas that employers should focus on when it comes to GDPR compliance in employment relationships in Poland:
Legality
Employee personal data must be processed lawfully, fairly and for a specific purpose. Employers cannot collect data "just in case". This also means limiting data use strictly to the purpose for which it was collected.
Using AI tools
AI tools are becoming more and more popular in HR. These tools are used for recruitment, performance analysis and internal communication, meaning that personal data processing is becoming more automated and complex. In addition, profiling is happening ever more frequently. It is important to design compliant systems and documentation that ensure AI tools are implemented and, more importantly, used in line with GDPR principles and provisions.
Screenings
From automated CV screening to background checks, modern recruitment processes often involve extensive data analysis. It is vital to be engaged from the earliest design phase of these processes to ensure that the data will be processed in accordance with the GDPR.
Incident management
Even with the best systems in place, data breaches can happen. That is why it is important to develop data protection policies, to have incident response procedures in place, and to notify the Polish Data Protection Authority.
Local regulations
The Polish Labour Code introduces specific regulations covering the collection of data from candidates and employees. For example, consent can be a legal basis for processing special categories of personal data (e.g. health data, sexual orientation, etc.), provided that the candidate/employee has taken the initiative to provide such data. On the other hand, Poland has not introduced legislation on monitoring diversity in the workplace, so any global initiatives to verify diversity in the workplace should be carried out with caution.
Consent cannot be the legal basis for processing data on convictions and violations of the law. This prohibition arises from the Labour Code.
The above prohibition causes challenges in conducting background checks in Poland. Most global suppliers base such processes on candidate/employee consent. Poland has introduced regulations allowing such screening only for selected industries, such as finance, and even then to a limited extent. At Raczkowski, we have experience in how to conduct such processes for all employers, minimising the risk of fines from data protection authorities.
Data processing practices among Polish employers vary widely in terms of their legal basis. Some data are processed on the basis of legal regulations, others on the basis of contractual arrangements, while the legitimate interest of the employer is the basis for processing a lot of data. The processing of data on the basis of consent should be approached with great caution, as it can be used only in exceptional situations.
Final Thought
Data protection in the workplace is not just about avoiding fines; it is about building trust, protecting people’s rights and creating responsible workplaces. Whether you are digitising HR processes, exploring AI tools, or simply want to browse your documents, data protection in employment relationships must be a priority.