
EMPLOYEE PERSONAL DATA PROCESSING – PRACTICAL COMMENTS AND POLISH CASE LAW

Publication date: May 21, 2025

The processing of employee personal data is an important aspect of labor law, especially given the growing popularity of remote work and the digitalization of employment processes. Under national and EU law, the processing of such data must follow specific principles that protect employee privacy. In particular, Regulation (EU) 2016/679 of the European Parliament and of the Council, known as the GDPR, imposes a number of obligations on employers regarding the collection, storage and processing of personal data. In addition to the GDPR, the processing of employee personal data is regulated in detail in the Labor Code, which is the basic legal act governing labor relations in Poland.

According to Article 22¹ of the Polish Labor Code, the employer may process the personal data of employees only for the purpose of concluding an employment contract, its performance and after its termination, to the extent necessary to fulfill the obligations arising from the provisions of labor law. The Labor Code specifies that the employer has the right to request only those data that are necessary to establish, perform or terminate the employment relationship. In practice, this means that basic personal data, such as name, surname, address of residence, PESEL number (Personal Identification Number), data on education, work experience, bank account number or information on remuneration, may be processed by the employer only for the purpose of fulfilling the obligations arising from the employment contract.

The Labor Code also refers to the processing of special category data, such as data on the health of employees. According to Article 22² of the Polish Labor Code, an employer may collect data on the health of employees only for the purpose of performing obligations arising from labor law provisions regarding ensuring safe working conditions. An example would be the obligation to conduct medical examinations or to adapt the workstation to the needs of an employee in the event of a disability. The Polish Labor Code clearly indicates that such data may be processed only when it is necessary to ensure occupational health and safety.

In addition, in the context of processing employee personal data, the employer is also obliged to obtain the employee’s consent in cases where the data is not necessary for the performance of the employment contract but is required for other purposes, such as organizing training or processing data for marketing purposes. However, the employer cannot process special category data, such as health data, without the employee’s express consent or an express legal basis that allows such processing, e.g. as part of occupational health and safety obligations.

Another aspect that is important in the context of processing employee personal data is the employer’s responsibility to provide appropriate means of protecting this data, especially in the era of growing popularity of remote work. The Labor Code, although it does not refer directly to personal data protection regulations, indicates the employer’s obligation to provide appropriate working conditions, including conditions ensuring data security. According to the Labor Code, the employer is obliged to provide employees with appropriate tools for remote work, as well as to create conditions that will enable compliance with the provisions on personal data protection. This means that employers must implement appropriate technical and organizational measures, such as data encryption, securing access to systems and training for employees in the field of personal data protection. Employers are also obliged to provide appropriate protection measures, especially when employees use private devices for remote work.

In the context of employee personal data protection, it is necessary to take into account both the obligations of employers resulting from national regulations and the EU requirements that impose specific rules for processing this data. Compliance with national labor law and the GDPR is crucial to ensuring an adequate level of protection. The GDPR establishes a number of principles of personal data protection that must be observed by all entities processing data, including employers. According to Article 4 of the GDPR, personal data is any information relating to an identified natural person, including an employee. The provisions of the GDPR impose on the employer the obligation to ensure appropriate security of employees’ personal data and to comply with the principles of lawfulness, fairness and transparency of processing. In the context of labor law, particular attention is drawn to Article 6 of the GDPR, which states that the processing of personal data is only permissible if at least one of the following conditions is met: the data subject has given consent; the processing is necessary for the performance of a contract to which the data subject is a party, i.e. an employment contract; the processing is necessary to fulfill a legal obligation incumbent on the employer; or the processing is necessary for the purposes of the employer’s legitimate interests, provided that these interests are not overridden by the rights and freedoms of the employee.

Since the GDPR precisely defines the principles of personal data processing, employers must pay special attention to the types of data that can be collected and processed in the context of employment. It is crucial that the processing of this data takes place in accordance with the specified purposes, as well as in accordance with the principle of data minimization.

Basic personal data that an employer may process include, among others, name and surname, date of birth, address of residence, PESEL number, information on education, work experience, bank account number, as well as data on employment and remuneration. In accordance with the regulations, an employer may also process special categories of data, e.g. health data, if this is necessary in the context of fulfilling obligations resulting from labor law or to ensure occupational health and safety.

According to Article 5 of the GDPR, the processing of employees’ personal data should be carried out in accordance with certain principles. The first is the principle of lawfulness, fairness and transparency, which means that data processing must be lawful, fair and transparent for the employee. The employer is obliged to inform employees about the purpose of processing their data and about the rights they have in connection with the processing of personal data. The second is the principle of purpose limitation, which states that employees’ personal data may be collected only for a specific, lawful purpose. The employer cannot collect data “just in case”, but only for the purpose of performing the employment contract, fulfilling legal obligations or ensuring security. The third is the principle of data minimization, which imposes the obligation to process only those data that are necessary to achieve the purpose for which they were collected. This means that excess data that is irrelevant to the purpose being pursued must not be collected.

The fourth is the principle of data accuracy, which requires the employer to ensure that the data processed is accurate and, where necessary, kept up to date. The fifth is the principle of storage limitation, which states that employees’ personal data may be stored for no longer than is necessary to achieve the purpose of processing. After this time, the data should be deleted or anonymized. The sixth is the principle of integrity and confidentiality, which requires the employer to provide appropriate measures to protect employees’ personal data against unauthorized access, loss, destruction or damage.

The provisions of the GDPR and national labor law impose a number of restrictions on employers regarding the processing of employees’ personal data. First of all, the processing of personal data should be carried out in accordance with the principles of proportionality and necessity, which means that the employer cannot collect or process data that is excessive or unnecessary for achieving the purpose of the employment. The employer also has no right to process special category personal data, e.g. data concerning health, sexual orientation or trade union membership, unless there is a clear legal basis for its processing, e.g. for the purpose of fulfilling health and safety obligations or where the employee has given consent. Another important restriction is the prohibition on processing employees’ personal data for marketing purposes, unless the employee gives consent. The employer is also prohibited from using employees’ personal data for purposes unrelated to their employment, such as conducting unnecessary analyses, monitoring employees’ activities outside working hours or collecting information about their private lives.

In the context of remote work, the provisions on the processing of personal data are of particular importance. Employers must ensure that the personal data of employees who perform their duties outside the company’s headquarters are adequately protected. Remote data processing involves the introduction of appropriate procedures and safeguards to prevent unauthorized access to this data, especially when employees use private devices or Internet networks, which are not always secure. According to the law, the employer must implement technical and organizational measures to ensure the security of the processed data. In the case of remote work, the use of appropriate security protocols is required, such as data encryption, systems securing access to information, as well as regular software updates that provide protection against cyberattacks.

In addition, the employer is required to provide employee training on personal data protection, especially when it comes to using technologies that enable remote work. The employer’s ability to monitor compliance with data protection rules in remote work is important, but it must be carried out in a proportionate and lawful manner. It is worth adding that the employer should implement appropriate procedures and rules that allow for monitoring data security, e.g. by using tools to monitor access to IT systems.

Employees have a number of rights in relation to the processing of their personal data by their employer. According to the GDPR, employees have the right to access and rectify their personal data. They also have the right to request the erasure of personal data if it is no longer necessary for the purpose for which it was collected. Another employee right is the right to restrict processing if there are doubts as to the accuracy of the data or the lawfulness of the processing. Employees may also request the transfer of their personal data to another controller. In addition, employees have the right to object to processing that is based on the employer’s legitimate interest. In the event of a breach of personal data protection regulations, employees may lodge a complaint with the supervisory authority, the President of the Personal Data Protection Office (PUODO), if they believe that their personal data is being processed in a manner inconsistent with the law.

The employer is responsible for compliance with personal data protection regulations. In the event of a breach of the GDPR regulations, the employer may be fined and may also incur civil liability if the employee has suffered damage as a result of the illegal processing of personal data. In the event of serious violations, the supervisory body, PUODO, may impose high financial penalties on the employer.

Therefore, employers must exercise special caution and diligence when processing the personal data of their employees to avoid violating the GDPR regulations and the related consequences. It is important that they adhere to certain rules, especially in the case of sensitive data, which requires special protection and compliance with strict legal requirements.

The judgment of the Supreme Administrative Court of 19 December 2024, file reference III OSK 136/23, introduces important clarifications regarding the processing of personal data concerning employees’ political and ideological views. In this case, the court ruled that an employer cannot process data revealing employees’ political or ideological views, if they were obtained from external sources, without the employee’s express consent. The processing of such data is inadmissible unless there is a clear and justified legal basis, in accordance with the provisions of the GDPR. This means that employers who want to collect or use such data must have the employee’s express consent to such processing. Without the employee’s consent, the processing of data revealing their political or ideological views constitutes a violation of personal data protection regulations. Importantly, the judgment of the Supreme Administrative Court also emphasizes the obligations of administrative bodies that examine cases related to the protection of personal data. Such a body, in this case the President of the Personal Data Protection Office, must demonstrate that the data processing was carried out on the basis of relevant legal provisions and had a justified basis. Failure to meet evidentiary obligations in administrative proceedings may lead to the decision being set aside, which underlines the importance of conducting the explanatory proceedings correctly. In light of this judgment, employers should exercise particular caution when processing employee personal data, especially sensitive data such as political or ideological views. The employee’s consent to the processing of such information is absolutely crucial, and the lack of such consent means that the employer has no right to process it. In addition, it must be demonstrated in each case that the processing of data complies with the provisions of the law, and administrative bodies must carefully check whether all the requirements for the protection of personal data are observed.
