The amended Labour Code poses a challenge to personal data protection

The amended legislation also brings new personal data protection obligations for all employers. 

With effect from 21 March 2023 Polish employers have been authorised to conduct preventive tests for presence of alcohol and similarily intoxicating substances among their employees.

The admissibility of such tests must be written down in a collective labour agreement, the work rules or an in-house communication. Those documents must describe the group of employees subject to testing, the testing method and the testing frequency.

An employer, who is the data controller in respect of his employees, has to inform them about the testing at least 2 weeks before it begins. As regards new employees, they will have to be informed before they are allowed to work.

The legal basis for processing of information about sobriety is Article 9(2)(b) of the GDPR (processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject). 

The purpose of this kind of data processing is set in Article 221c(1) of the Labour Code, i.e. protection of the life and health of employees or other persons, and protection of property.

The testing involves processing of, among others, the following personal data of employees:

The employer should inform the employee about the processing of his/her personal data in connection with the test, and give written authorisations to process the data to the testers on his behalf. 

Personal data protection is particularly important here because the processed data belong to special data categories. 

Due to the special nature of the processed data, the lawmakers require the employer not to violate the employees’ dignity or other personal rights.

Following the data retention rules, details of the tests should be kept for maximum one year of the their collection, and details of the employee who has been punished for a positive test result by admonition, reprimand or fine – until the punishment is considered null and void (i.e. after one year of impeccable work history). 

The Labour Code now includes comprehensive provisions on remote work. The lawmakers have decided to replace the obsolete provisions on telework with the more up-to-date remote work rules. 

The new rules apply from 7 April 2023 and define remote work as work carried out wholly or partly at a place indicated by the employee and agreed each time with the employer, including at the employee's home address, in particular by means of direct remote communication (Article 6718 of the Labour Code).

Accordingly, remote work may be permanent (full time), hybrid (alternating with work from office), and occasional. 

Furthermore, the amended legislation says that employers should provide their employees with tools and supplies necessary for the remote work and cover the expenses triggered by such work. 

Remote work may be foreseen at the time of contract signing or implemented later during the employment period. In the latter case, the remote work may be introduced by the employer’s order under specific circumstances referred to in Article 6719(3) of the Labour Code. 

The parties to an employment relationship may also mutually agree on working remotely during the employment relationship. In such a case, the initiative may come from either the employer or the employee who submits a relevant request to the employer in hard copy or in electronic format (Article 6719(1)–(2) of the Labour Code).

Protection of personal data processed by remote employees is crucial. Remote work requires employers to develop personal data protection procedures specifically for remote work purposes. 

The employees are obliged to acknowledge that they are familiar with the procedures on paper or in electronic format, and pledge to follow them (Article 6726(1) and (2) of the Labour Code). 

Every employer should take care of proper safeguards for the company’s hardware and implement the best practices for accessing, working on, storing and circulating data in hard or soft copy. 

As far as necessary, employers should also issue instructions and train their employees in personal data protection in order to make their employees sensitive to data security issues in the remote work setup.  

Also, remote employees are not exempt from the obligation to follow the general in-house personal data protection rules.