Company’s Social Benefits Fund and protection of personal data. What the employer should remember while processing personal data in accordance with the applicable law
Running the Company’s Social Benefits Fund (CSBF) is associated with the need to obtain personal data not only of employees, but also members of their families and other people. In May 2019, changes were implemnted concerning the method of obtaining and processing personal data in order to perform the tasks of the CSBF in the so-called sectoral law. However, not all employers managed to adapt their procedures and regulations to the new regulations.
To correctly process personal data within the Social Fund, you need to follow a few basic rules:
- personal data collected on the basis of the statement
Until now, it has been common practice to require employees to provide photocopies of PIT-37 and other documents in order to use the Social Fund. Copies of documents were then stored together with documentation regarding the fund or in the employee’s personal files. The legislator dispelled employers’ doubts whether this practice is correct, indicating that the transfer of the personal data of the authorized person should take place in the firstly on the basis of a statement made by the employee. The employer has, of course, the right to verify the information provided by the authorized person, requesting the delivery of relevant documents. In accordance with the principle of minimalism and purposefulness, it is recommended, however, only to show the documents and possibly record this fact by the person receiving the application – without collecting photocopies.
The scope of data collected for the needs of the Social Fund and documents that the employer may require to present must be regulated directly in the Regulations of the Social Benefits Fund. It is a good practice to draw up a model statement for those wishing to use the Social Fund – this will avoid, for example, the excessive collection of data provided by applicants.
- information obligation
When processing data as part of the Company’s Social Benefits Fund, the employer acts as the administrator of this data. Therefore, they bear information duties in accordance with art. 13 and 14 of GDPR. For its employees, the employer can fulfill this obligation already at the employment stage – when providing information on the processing of personal data in employment. For other persons whose data is obtained in order to fulfill the tasks of the Social Fund, the information obligation must be met separately. A good way to comply with the obligation to provide information about the processing of data is to include the so-called information clause in the application form submitted to the CSBF. In this way it will be easy to show that the information has been sent to all interested parties.
At this point, it is worth mentioning that the processing of data of people using the CSBF, also the so-called ‘Sensitive data’ is not done on the basis of their consent, but in order to fulfill legal obligations incumbent upon the employer (under Article 6 (1) (c) and Article 9 (2) (b) of the GDPR). Therefore, there is no need to obtain additional consent from these persons to process their data in connection with handling the application.
- authorization to process personal data
Obligably all employees who have access to personal data processed in relation to the CSBF should receive written authorizations from the employer to process personal data (containing, among others, information on the scope of personal data, categories of data subjects and permitted processing activities). This mainly applies to members of the social commission and trade union representatives. Authorized employees should be additionally obliged to keep their personal data secret. In order to properly manage authorizations, it is recommended to keep a record of the authorizations granted and to update it on an ongoing basis.
Because members of the social commission gain access to a wide range of data, including sensitive data (in particular about the health of employees), it is worth to properly train them in the scope of principles of personal data protection.
- the period of storage of personal data
By amending the Act on the Social Fund, the legislator imposed on the employer an obligation to periodically review personal data collected for the needs of the fund and to remove those that are no longer needed to achieve this goal. Reviews should take place at least once a year.
The period of storage of data processed in relation to the CSBF was indicated quite generally as: the period necessary for granting a concessionary service and benefits, subsidies from the Fund and establishing their amount, as well as for the period necessary to chaste their rights or claims.