The establishment of employee capital plans (PPK) poses many challenges for employers, including in the area of personal data protection.
The following article provides guidance on how to prepare for the implementation of the PPK in accordance with data protection requirements.
- Does the employer have to conclude a personal data processing agreement with a financial institution?
As a rule, there is no need to conclude such an agreement. Personal data of PPK participants are transferred by the employer to a financial institution on the basis of a disclosure between independent controllers.
However, the contract for running the PPK with a financial institution may itself stipulate that the institution commissions the employer to act on its behalf in selected activities related to the performance of the contract, which will require the processing of personal data. In this case, it may be necessary to conclude a personal data processing (outsourcing) agreement covering that specific scope of activities. The employer will then act in a dual role - as a data controller providing the data identifying the PPK participants, and as a processor with respect to the data entrusted to it in connection with the activities performed for the benefit of the financial institution. A similar structure is often used, e.g. in contracts with entities providing employee benefit services.
- What personal data of employees should be transferred to a financial institution?
The scope of personal data of participants in employee capital plans transferred to a financial institution includes:
- name(s), surname,
- address of residence,
- correspondence address,
- phone number,
- e-mail address,
- PESEL number, or date of birth in the case of persons without a PESEL number,
- series and number of identity card, passport or other document confirming identity, in the case of persons who are not Polish citizens.
These data constitute an annex to the agreement on running the PPK.
Attention! The telephone number and e-mail address should only be provided if the employee has made them available to the employer. Having an e-mail address or a telephone is voluntary for employees, and they cannot be required to set them up for the purpose of participating in the PPK.
- On what basis does the employer transfer personal data of employees to a financial institution?
The basis for processing the personal data of employees who are PPK participants is Art. 6(1)(c) GDPR, i.e. the fulfilment of the legal obligations of the employer as a personal data controller.
Therefore, it is not necessary to obtain the consent of employees to process their personal data for this purpose, even if they have provided their telephone number or e-mail address to the employer.
That the processing of personal data of PPK participants may be based on Art. 6(1)(c) GDPR was finally confirmed by the President of the Personal Data Protection Office (UODO), even though in earlier recommendations the Office had indicated the need to collect additional consent from employees in order to provide the financial institution with their e-mail address and telephone number.
- How long should personal data processed in connection with the operation of the PPK be kept?
The period of storage of personal data of PPK participants does not follow directly from the provisions of the Act. However, in its newsletter for data protection officers, UODO provided some guidelines for controllers in this respect. In its assessment, the retention period for these records should be the same as for other documents related to determining the amount of remuneration, i.e. 10 years.
However, some experts question whether this data is actually related to determining remuneration, and therefore whether the period indicated by the President of UODO is too long. This applies in particular to documents not related to payments into the PPK, such as a declaration of withdrawal from the PPK, for which a 4-year period seems more appropriate. Since the President of UODO has announced the preparation of guidelines for employers in connection with running the PPK, this issue may be subject to further analysis.
- What else needs to be done to ensure that the processing of personal data in relation to PPK is compatible with the GDPR?
As with any new processing operation in the organisation, the establishment of the PPK should be implemented taking into account the principles of privacy by design and privacy by default. Therefore, the risks associated with processing personal data for this purpose should first be assessed and, if necessary, a data protection impact assessment (DPIA) should be carried out, with security measures adapted on that basis. In particular, it is worth considering how to transfer personal data to the financial institution securely, so as to avoid accidental disclosure to third parties.
The employer should also add the new process to the register of processing activities and review the existing information clauses for employees. Where purposes and legal bases of processing are specified in detail, they may need to be updated. If handling of the PPK is entrusted to specific employees, the scope of their authorisations to process personal data should also be verified.