First official explanations of GDPR provisions in Poland

The new Law on Business Entities, passed in March 2018, which is part of the so-called “business constitution”, authorises public authorities, in particular competent ministers, to issue legal explanations, explaining in practical terms the provisions on starting a business in Poland. These explanations are supposed to help business entities, especially small and medium-sized ones, who find themselves in a legal maze. The Law stipulates that, despite the explanations not being binding, no administrative or financial sanctions or penalties can be imposed on them to the extent they have complied with the explanations.

One of the first (if not the first) to take advantage of this possibility was the Minister of Digitalisation, who on 23 January 2019 published legal explanations concerning the application of the GDPR provisions in the context of employee recruitment. Justifying the need for explanations, the Minister pointed out that “this issue concerns a very large number of businesses in Poland and has an impact on their business activity – the publication of the explanation was therefore necessary”.

• The recommendations and guidelines given in the explanations, although focusing on the recruitment process, may have a much wider meaning, e.g. where business entities obtain consents to the processing of data or where they have to comply with the information obligation, which is often not an easy task. According to the Minister of Digitalisation: There should be no doubt about the admissibility of the processing of personal data contained in the recruitment documents of a person recruited, even after termination of the employment contract, for the purpose of protection against any possible claims. In the Minister’s opinion, this also applies to the data of candidates who took part in the recruitment process but were not employed. In the latter case, the need to process the data may be justified, e.g. in the case of an accusation of discrimination.
• The practice of those employers who seek consent from candidates to the processing of their personal data in order to carry out a specific recruitment process (for a specific position) is incorrect. In such a case, the basis for data processing is a provision of law (Labour Code) and a premise allowing data processing in order to undertake actions prior to the conclusion of a contract (i.e. employment contract).
• In the opinion of the Minister, consent for the purpose of future recruitment may be expressed implicitly. The candidate’s specific conduct, i.e. “handing over the recruitment documents to the company together with the information that their use in future recruitments is allowed” will also constitute such consent.
• The Minister was also quite liberal in his approach to the information obligation, assuming that it would be fulfilled, e.g. by publishing the information required under Article 13 of the GDPR on the employer’s website.

The Minister’s position differs in several points from the approach of the Polish Office for Personal Data Protection, expressed in the guidebook “Protection of personal data in the workplace. Guidebook for employers” about which we wrote in an article published on Lexology. In particular, this concerns the possibility of processing a candidate’s data for the purpose of protection against any possible claims. The Polish Office for Personal Data Protection rejected such a possibility, while the Minister allows it.

In connection with the work on and publication of the explanations, a more serious dispute between the Ministry of Digitalisation and the Office for Personal Data Protection emerged. In a special statement, just few hours before the explanations have been published, the Office for Personal Data Protection writes that: “in Poland, the only authority that is competent and specialised in matters concerning personal data protection is the President of the Office for Personal Data Protection”. Moreover, “in the light of EU law, the President of the Office for Personal Data Protection is not bound by any formal legal explanations concerning the application of the GDPR”. This means that even if a business entity complies with the explanations of the Minister of Digitalisation it does not guarantee that the President of the Office for Personal Data Protection will not impose a fine on the business for infringing the GDPR, if he comes to a different conclusion than the Minister.

This difference in opinion between public authorities that play a key role in the interpretation and application of the GDPR provisions in Poland is certainly not good for business. It is rather ironic, given that the legislator’s intention was that the legal explanations would increase legal certainty among business entities and be “a manifestation of some kind of legal aid provided to business entities (...), which, by its very nature, cannot cause any damage to business entities” (from the justification for the bill). The situation therefore needs to be clarified quickly and, preferably, all parties concerned should work together to dispel the doubts about the practical application of the GDPR requirements.