The long-awaited Polish Whistleblower Act will enter into force on 25 September 2024. This means that employers should now prepare the relevant procedures, or at least update the existing ones, in order to comply with the new regulations. According to the provisions of the Act, a violation of the law is an act or omission that is unlawful or intended to circumvent the law, including the protection of personal data. Therefore, in addition to implementing new whistleblower procedures, we recommend reviewing procedures and documentation related to data protection.
Procedures must be effective and up to date
Under Article 24 of the GDPR, the data controller is required to implement appropriate technical and organisational measures to ensure that the processing of personal data is lawful and to be able to demonstrate this in the event of a potential audit. These measures should be regularly reviewed and updated. This means that they need to be regularly adapted to changing conditions within the organisation and to comply with changing laws and legal interpretations.
Personal data must also be accurate and up to date
It is important to remember that it is not only the technical and organisational data protection measures that need to be updated and modified, but also the personal data processed by the company. This data needs to be accurate and, where necessary, up to date. This means that the controller should take steps to ensure that personal data that is inaccurate in relation to the purposes for which it is processed is promptly deleted or rectified.
Responsibility of the data controller
The controller (company) is responsible for compliance with the principles relating to the processing of personal data and for the proper performance of its duties in this area. This means reviewing existing procedures, introducing new ones, and creating and modifying documents needed to implement data protection, in particular the register of processing activities, authorisations and, where necessary, data protection impact assessments. The review of the above procedures and documentation should take place on a regular basis, paying particular attention to any organisational changes that affect internal procedures.
Special care in employment law
Although the processing of personal data generally affects all departments of a company, HR departments process special categories of personal data, such as employee health data. It is worth noting the decision of the Supreme Court (Case No. II PSKP 7/21), according to which an employer who delegates anti-mobbing procedures to a third party is responsible, as the data controller, for violating the personal rights of an employee whose personal data was transferred in violation of data protection regulations. In this case, an employee’s health data was transferred to the external body when it was not necessary for the investigation and the employee had not consented to the transfer.
We also draw attention to the UODO (Polish Office for Personal Data Protection) guidelines on the retention of employee records. For example, in relation to disability certificates, employers should review the need to process personal data at least once every five years. The assessment should determine whether the data is still necessary to achieve specific and legitimate purposes.
Executive Summary
Regardless of upcoming legislative changes, it is important to remember that data protection is a dynamic process that tends to evolve with the organisation. It therefore requires regular updates. In addition, we must not forget the constant technical and technological developments that affect data security and the safeguards that can be put in place. Potential data breaches can result in employee claims, regulatory sanctions and possible reputational damage. Because of these negative consequences, we encourage you to review the procedures and documentation in place and to review the personal data processed for accuracy, timeliness and processing purposes.
If you have any questions or doubts, please contact our law firm.
Authors:
Maria Aleksiejak, trainee attorney-at-law (PL)
Krzysztof Łakomski LL.M., attorney at law (PL)