A new regulation to protect personal data is coming
There is a growing chance that after more than a year from the date of application of the GDPR, sectoral regulations on the protection of personal data will be amended. Last week, the Sejm passed a long-awaited act in connection with ensuring the application of Regulation no. 2016/679, which changes 168 acts in total. Some changes only slightly modify the processing of personal data, e.g. by explicitly indicating the administrator of personal data or the permitted period of data processing. Certain acts, including those concerning labor law, await much more serious changes, including the scope of obtained data, the right of data subjects and the method of obtaining personal data by the data controller. Below are the most important changes:
The Act prohibits employers from monitoring the premises granted to the trade union organization. If the employer currently uses this type of monitoring, he will be obliged to remove it within 14 days from the entry into force of the Act and immediately inform the trade union organization about the discontinuation of monitoring in these rooms. If, however, the employer uses monitoring in the sanitary rooms, he will have to obtain the consent of the trade union organization/employee representatives for its continuation within 30 days from the entry into force of the Act. If the employer does not obtain consent, he must stop monitoring these rooms after this date. If he receives a negative response within this time, he has only 3 days to disable the monitoring. Employer is obliged to inform the trade union organization or employees’ representatives about the cessation of monitoring.
2.Authorizations for processing of employees’ data
Persons authorized by the administrator to process personal data of employees will have to be authorized in writing and undertake to keep data confidential.
3.The company’s social benefits fund
Persons wishing to use the Social Fund will be able to share their personal data with an employer only by submitting an appropriate statement. On the other hand, the employer will have the right to request that this data is documented to the extent necessary to confirm them, e.g. by presenting a tax return. Data collected by the employer may be stored for the period necessary to implement the fund’s tasks and to exercise any rights or claims. At least once a calendar year, the employer will be obliged to review personal data obtained from people who want to use the Social Fund and remove those that are not necessary to achieve this goal.
4.Subsidiary of data protection inspector
The Act of 10th of May 2018 on the protection of personal data will not avoid changes as well. Positively should be assessed the introduced act amending the possibility of appointing a subsidiary data protection inspector to perform the duties of the inspector during his absence. Appointment of the subsidiary inspector should be notified to the President of the UODO electronically within 14 days.
The Act, with minor exceptions, will come into force within 14 days of its announcement.