Up Again Poland: Privacy and Data

IPT

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

Temperature monitoring is a controversial issue in Poland. Information collected as a result of monitoring will constitute health data, and according to the General Data Protection Regulation (GDPR), it cannot be processed unless an explicit legal basis exists.

Currently, there is no explicit legal basis imposing an obligation on employers, or authorising them, to verify the state of health of employees due to the COVID-19 pandemic without a prior decision or recommendation issued by the health authorities. The Polish Data Protection Authority considers measuring temperature as admissible only in very limited situations.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

Any decision about such actions should be made on a case-by-case basis. Though combatting COVID-19 is a priority, such actions may be considered acceptable only if they are compliant with GDPR requirements (e.g. the principle of data minimisation or the information obligation).

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

As the employer is responsible for ensuring health and safety in the workplace, it should know about any COVID-19 cases in the workplace, so that it can take appropriate disinfection measures. Employers should provide guidelines to employees on what to do in such a case. However, requiring employees to inform the employer about having the antigen may be considered by the Polish Data Protection Authority to be too intrusive under GDPR and an infringement of the employees’ right to privacy.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

Yes, employees should be informed about COVID-19 cases, but the employer should not communicate more information than absolutely necessary.

For example, unless it is necessary to do so, the personal data of the infected employee must not be disclosed to the employees, either publicly or in private discussions (e.g. between co-workers or team members).

The personal data of an individual who is infected or suspected of being infected with COVID-19 should be disclosed only to an extremely small group of people.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

Yes, an employer should cooperate with the health authorities (e.g. the local sanitary-epidemiological station), especially if the employee has not informed the authorities themselves.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

According to Article 9 GDPR, health data may be processed only in very limited situations. So any decision about disclosing employees’ health data to the employer’s affiliates should be taken carefully.

If one of the legal bases indicated in GDPR for personal data disclosure is met, the employer should inform the employees about the transfer pursuant to Articles 13 and 14 GDPR.

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

Monitoring in the workplace is possible only in a limited number of situations set out in the Polish Labour Code. One is the need to ensure the safety of employees.

Such actions may, therefore, be considered acceptable if they are compliant with GDPR and the Labour Code.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

In addition to GDPR, employers should also take into account the Polish Labour Code and any special COVID-19 related acts (e.g. the Act of 2 March 2020 on Special Measures in Connection with the Spread of the Coronavirus), and other regulations (e.g. decisions issued by the Chief Sanitary Inspector).

The employer should monitor actions taken by Parliament, the government and the health authorities.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

GDPR empowers local data protection authorities to impose fines of up to 4% of a company’s annual worldwide turnover or EUR20 million (whichever is higher).

In addition, according to the Labour Code, any person responsible for ensuring safety and hygiene in the workplace and who fails to do so may be fined from PLN1,000 up to PLN30,000.

Infringement of GDPR may also result in civil claims.

The Polish Data Protection Act provides for criminal liability in a limited number of cases where data protection regulations are breached.