46 (141) 2020
Download PDF-version

Managing human resources through the pandemic


By Aleksandra Hajdukiewicz, Oliwia Kruczyńska, Justyna Tofil from Kołecka Law Firm
Header aleksandra hajdukiewicz  002


The Covid-19 pandemic has significantly accelerated the development of new technologies and is contributing to the digitalisation of the labour market. Firms should pay particular attention to protection of their employees' personal data, especially information which is collected electronically.

In this article, we ask some questions which may worry the employer, especially during a pandemic, when switching to home office carries with it the risk of violating the principles of personal data processing.

Online recruitment versus personal data processing

What data can you require from a potential employee?

When starting the recruitment process, remember that the scope of data you may require from a job applicant is different from the catalogue of data collected from an employee. The key provision you should follow when collecting data is Article 221 of the labour code.

According to this regulation, as an employer you may request from a job candidate the following information:

•    name

•    date of birth

•    contact details

•    education, qualifications and the course of previous employment, but only if this is necessary for the job

Only when deciding to employ a candidate – that is when concluding an employment contract, the data catalogue extends to the following categories:

•    address of residence

•    PESEL number or the type and number of the identity document

•    other personal data about an employee and his family, if it’s necessary for the purposes of exercising specific rights under labour law

•    education and employment history, if there was no basis for it in the recruitment process

•    bank account number

If the regulations require additional information about the employee (such as confirmation of specific qualifications), you can also request it on this basis.

You should remember that Article 221 of the labour code is not the only basis for processing data of candidates and employees. Other categories of data can be obtained with their consent or on their initiative. This means that if a job applicant includes in their CV information about certificates obtained during the course of employment, you can accept this data. The sole initiative of the job applicant or employee is a basis to collect the biometric data and the specific categories of data referred to in Article 9 section 1 of the GDPR (e.g. racial or ethnic origin, political opinions, trade union membership). The only exception is information on convictions and criminal offences which cannot be obtained from employees and job applicants unless specific provisions require no criminal record for the performance of the job.

If a candidate has to give their consent, its absence or withdrawal cannot have negative consequences, especially in the form of refusal of employment, termination of employment contract or its termination by the employer.

Can a potential employer obtain candidate’ data from social media?

It is unacceptable for employers and recruitment agencies to collect information posted by job applicants on social media and other public sources during the recruitment process.

The situation is slightly different when the candidate is verified by the employer through a portal created for job searching (e.g. LinkedIn), whose regulations or privacy policy require consent for processing personal data (Article 6 of GDPR). Before potential candidates start using such portals, they must ‘accept’ their regulations and privacy policies and provide some personal information, otherwise, it will not be possible to set up an account and the data submitted will not be shared with potential employers. In this case, the employer may obtain, collect and share the data of portal users/candidates.

Can the employer monitor the employee’s mailbox?

The answer to that question is yes, if the criteria of the labour code and the GDPR are met.
Monitoring employees’ emails is allowed when it is necessary to ensure:

•    work organisation that enables full use of working time,

•    proper usage of work tools.

Such criteria may include verification of the proper division of duties, control of the use of official equipment for private or non-duty purposes.
At the same time, while controlling emails, the employer should act with due diligence so as to not violate the regulations of:

•    the confidentiality of the employee’s correspondence,

•    or their other personal rights.

This may cause doubts in case of control of the employee’s mail as the employer may not open or read correspondence which designation or initial content proves its private character.

A solution that minimises the risk of violating the confidentiality of correspondence, but also of using email for private purposes is to include an appropriate clause informing about the conditions of using email in the work regulations or to offer employees a separate wifi network, which will not be monitored.
The methods, scope and purpose of employee control generally does not require the employee’s consent, but prior notification is necessary.

.Project execution in the capital group – is it possible to transfer employee data between the companies within the group?

If due to Covid-19 you want to delegate an employee to work in another company in the capital group, pay attention to contradictions on the basis of GDPR.

In companies group, the concept of control within GDPR is not the same as of corporate control on the basis of commercial law. According to GDPR, the controlling company exercises a dominant influence over other companies, because of ownership structure, financial participation or the power to prescribe the implementation of personal data protection rules. This means that, contrary to the rules of commercial law, the parent company can exercise control (as defined by the processing of personal data) and not only the subsidiary can be controlled. The choice of the Personal Data Administrator (that is, the company in the group) depends on the decision of the group of companies (Article 37 section 2 of GDPR).

Administrators of personal data have a legitimate interest in the transfer of employees' personal data within a group for internal administrative purposes, such as delegating an employee to another company to carry out a specific project. However, fundamental rights and freedoms of the employee whose data is processed in case of conflict with the interests of the employer are always prioritised.

The administrators performing their function in each company in the group may associate on the basis of co-administration. Within such cooperation, the administrators establish common purposes and methods of data processing, which eliminates the processes of entrusting and sharing data, as they process them jointly in accordance with established purpose.

Authors: Aleksandra Hajdukiewicz, Oliwia Kruczyńska, Justyna Tofil from Kołecka Law Firm

More in Managing human resources through the pandemic :

Leading people in agility

By Anna Trochim, country HR manager, Cushman & Wakefield


For most organisations in Poland, the last nine months have been a period of great uncertainty, continuous analyses, development of future scenarios, and reformulation of the way they think and operate. Leaders and managers – albeit seemingly less visible and hidden behind computer screens – are now stepping into the spotlight on a much larger arena. Each decision they make, each word they utter and each action they take is instantly evaluated by their employees, business partners, friends or strangers – in the offline and online realm alike. Will leadership skills in the ‘new normal’ have to differ from those that were desirable in the pre-Covid-19 environment?

There’s never been a better time to hire temp workers through an agency

by Dariusz Ronka, communication specialist, KS Service


This has been an extremely difficult year for entrepreneurs, business leaders and entire national economies. Since Covid-19 was recognised as a pandemic by the WHO on 11 March 11, there have been 65 million cases of infection across 190 countries, and over 1.5 million deaths.

The perseverance of resilient leadership: Sustaining impact on the road to Thrive

By John Guziak, partner, human capital leader, Deloitte Poland / source:Deloitte Insights


Building trust with courageous leadership

Healthy future at any age

Healthy future at any age, which took place online on 12 November 2020 was an exceptional meeting of international representatives of science and academia, business, regulators and investors, focusing on the development of healthy longevity agenda in our region and beyond.