New Polish data protection legislation entered into force on 4 May 2019. The legislation introduces amendments to 162 existing sectoral acts to ensure compliance with the GDPR. This includes the Telecommunications Law, the Electronic Services Act, the Public Procurement Law and the Tax Ordinance. The most striking and discussed changes were introduced into the Labor Code, and the Banking and Insurance Law.
For the first time, the Labor Code recognized consent as a legal basis for an employer to process the personal data of employees and job applicants. In addition to the "usual" conditions which must be met to obtain a valid consent, the Labor Code specifies that an employee's or work candidate's refusal to give consent, or his withdrawal of consent already granted, cannot be used by an employer as a basis for any adverse treatment of the individual concerned. The new regulations specify that such refusal or withdrawal cannot constitute the reason for the denial or termination of employment. However, the processing of special categories of personal data (e.g. health data, ethnic origin, trade union membership) can ONLY be based on consent if the provision of such personal data occurs at the initiative of the applicant/employee. In practice, it will be a challenge to recognize unequivocally in all cases whether personal data has been freely given by an employee or disclosed under pressure from the employer. An additional exception was made with respect to biometric data, which can now be used by an employer without their employee's consent if it is necessary to ensure security, and restricted access to the employee's critical data and facilities. Notably, personal data processing relating to criminal convictions and offences (e.g. criminal background checks) is subject to restrictions (Poland has separate regulations significantly limiting the use of such data by employers). This means that some businesses will continue to be hamstrung by their inability to meet customer expectations of stricter security measures being in force regarding employee access to key assets and data. Finally, it should be mentioned that a number of questions have been raised on the practical implementation of regulations concerning the monitoring of employees at work and the surveillance devices available to employer.
This Act gives banks the right to take automated decisions and profile clients without their consent in determining the creditworthiness and credit risk analyses checks. However, automated decisions without a client's consent can be based only on listed and limited types of personal data and, importantly, such decisions cannot be based on special categories of personal data. But the Act gives clients the right to acquaint themselves with the basis of their creditworthiness assessments, and banks must ensure that the reconsideration of automated decisions involves human-made assessments.
A similar provision allowing for automated decisions and profiling was introduced for insurers. Customer consent is not necessary if automated decisions are taken for insurance risk assessment purposes or in handling claims if they are based on the types of personal data listed in the Act. The right to obtain human intervention and explanations applies. This new law also introduced a maximum retention period of 12 years for listed personal data that can be used for profiling and automated decision-making processes.
A new law exempts entities conducting Know Your Client (KYC) assessments from compliance with Article 15 of the GDPR (right of access), if conducted for anti-money laundering purposes.
Legal professions are exempted from the obligation to comply with the right to object if personal data is processed in connection with legal assistance; the statutory retention period for case files, in most cases, is now 10 years upon closure of proceedings.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.