Following the outbreak of COVID-19 and its development into a global pandemic, organizations have been implementing exceptional measures to safeguard the health of employees, customers and others. Organizations are also endeavouring to maintain "business as usual" to the extent allowed by their particular circumstances.
As part of White & Case's ongoing legal updates on COVID-19-related issues affecting our clients' businesses around the world, this article discusses the resulting data protection compliance obligations under Polish law.
Introduction and background
Following the outbreak of the novel coronavirus,1 businesses have been struggling to maintain continuity of their operations and, most importantly, protect their employees, business partners, and customers from COVID-19. In practice, such efforts require the collection and further processing of health-related personal data. Typically, businesses want to monitor the physiological state of individuals entering their premises (e.g., body temperature) or health status of employees (or members of their household). However, such information usually falls within special categories of personal data, the collection and further processing of which is subject to a stricter regulatory framework under Article 9 of the General Data Protection Regulation ("GDPR"). This creates additional compliance obligations and regulatory challenges that businesses must address in these difficult times.2
In Poland, the processing of personal data by businesses is mainly regulated by the GDPR, the Act of 10 May 2018 on the Protection of Personal Data and a number of other legal acts, which were amended to align Polish law with the GDPR.3 As far as Polish national law is concerned, the Polish Labor Code includes comprehensive regulations governing the processing of personal data in employment.
On 19 March 2020, the European Data Protection Board ("EDPB") stated4 that it is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against them. However, the EDPB stated that personal data must still be processed in a lawful manner, the principle of minimization must be observed, and the processed personal data must be properly secured. The EDPB confirmed that, in line with Recital 46 of the GDPR (which expressly refers to the monitoring of epidemics), the collection and further processing of health-related data might serve both the public interest in the area of public health and protect the vital interests of data subjects. Still, the specific legal basis for such processing is mostly a matter of national law, especially in the context of employment.
Workplace control and monitoring
The Polish Data Protection Authority ("DPA") has publicly stated that data protection laws cannot impair the measures taken to counteract the spread of the novel coronavirus.5 However, one of the key compliance concerns that Polish businesses have been dealing with since the beginning of the COVID-19 pandemic is the legal basis for collecting and further processing health-related personal data of employees, clients, visitors, business partners, and other persons present on a company's premises (e.g., service personnel). Article 9 of the GDPR is relatively restrictive and neither the GDPR nor Polish law provides for any special, more liberal regime that would apply in the context of a pandemic.
Consent for health monitoring
Reliance on consent for the processing of personal data does not seem adequate in tackling the present threat. Carriers of the disease could be more likely to refuse consent, and the goal is to test everyone, since even one carrier could infect a sizeable portion of a company's staff. Additionally, consent has always been a controversial basis for processing personal data in employment relationships. The established case law of the Polish courts (predating the GDPR) confirms that consent is not usually a valid basis for employers to process employees' personal data.6 Additionally, with respect to the processing of special categories of personal data on the basis of the employee's consent, Article 221b of the Polish Labor Code establishes an additional requirement that the data must be provided to the employer on the employee's own initiative. The latter requirement can be difficult to satisfy even in regular circumstances and would pose particular problems in the present situation.
Employment Health and Safety
Article 207 of the Polish Labor Code specifies a set of general obligations of the employer with regard to securing health and safety in the workplace. These obligations might theoretically serve as a basis for the processing of health-related personal data in light of Article 9.2.b of the GDPR – especially since Article 207, § 2, item 3) of the Polish Labor Code expressly states that the employer must actively adjust the means used to protect the health and safety of employees and adapt to changing conditions. However, the collection and further processing of health-related personal data in the context of the COVID-19 pandemic under Article 207 of the Polish Labor Code seems controversial for the following reasons:
- No express reference to the pandemic: The obligations provided for in Article 207 of the Polish Labor Code do not specifically address monitoring or fighting against communicable diseases. The wording of the relevant provisions is rather general, but their main purpose is to prevent work accidents and occupational diseases,7 not the spread of a pandemic, which does not have to relate to occupational hazards and working conditions.
- Monitoring concerns: The Polish Labor Code expressly indicates the kinds of workplace monitoring that can be implemented by the employer, namely, visual monitoring8 and email monitoring.9 Body temperature monitoring is not listed. Other kinds of monitoring (besides visual and email) may be used, but only for the same reasons as email monitoring.10 These reasons include worktime management and supervising the use of tools (e.g., computers and business phones), but not improving employment health and safety. Additionally, the introduction of any other workplace monitoring requires two weeks' notice.11 Waiting two weeks would likely defeat the purpose of emergency measures such as body temperature monitoring.
- No official guidelines for employers: The Polish DPA has not issued any guidelines or official position on the scope of data processing activities that would be justified by the maintenance of employment health and safety. In particular, it is not certain whether obligations relating to workplace management could serve as a legal basis for collecting and further processing information not directly tied to a situation in the workplace (e.g., collecting information on the health status of an employee's family or cohabitants or recent holiday destinations).
Public health and private businesses
Pursuant to the so-called "COVID-19 Acts", namely, the Act of 2 March 202012 and the subsequent Act of 31 March 2020,13 the General Sanitary Inspector and other sanitary authorities may order private businesses to undertake specific preventive and control activities aimed at counteracting the spread of COVID-19.14 Typical measures, such as monitoring and collecting information on health and measuring the body temperature of persons entering the premises, may constitute such "preventive and control activities" ordered by the sanitary authority. The Polish DPA implies that such orders constitute a basis for the employer to process special categories of personal data of both employees and other relevant individuals, as provided in Article 9.2.i) of the GDPR.15 However, even though a business might apply for such an order, waiting for it may delay the introduction of necessary measures and, ultimately, reduce their efficiency. The details of the application itself may also pose certain difficulties. Organizations may indicate what preventive and control measures should be imposed and why they are necessary from the perspective of a particular business (e.g., because, despite observing other business activity restrictions, it still has many customers on its premises and tends to become crowded).16 However, it is uncertain whether the authorities would approve of the requested measures since – in line with the Polish DPA's positions – authorities should observe the basic principles established in the GDPR, especially the data minimization principle.17
In addition to individual decisions, the General Sanitary Inspector can issue general guidelines recommending specific monitoring or control measures. So far, only relatively brief recommendations approving of body temperature monitoring in manufacturing plants have been adopted.18
The above "COVID-19 Acts" also authorize the Prime Minister and Minister of Health to order any business to undertake specific measures to counteract the spread of COVID-19.19 In theory, observing such an order could also be treated as a valid basis for collecting and processing health-related personal data. However, the same concerns arise.
1 The World Health Organization declared the coronavirus disease (COVID-19) outbreak a pandemic on 11 March 2020; in Poland, an epidemic state was announced by a Regulation of the Ministry of Health dated 20 March 2020 (Journal of Laws 2020, item 491).
2 For more information on the key issues for organizations to consider during the coronavirus crisis, from an EU data protection compliance perspective, please see our general guidance on COVID-19 and Data Protection Compliance.
3 For details, please see GDPR Guide to National Implementation: Poland.
4 See the Statement of the EDPB on the processing of personal data in the context of the COVID-19 outbreak.
5 Please see the Polish DPA Statement regarding the coronavirus dated 12 March 2020 ("Oświadczenie Prezesa UODO w sprawie koronawirusa").
6 See, e.g., the Judgment of the Supreme Administrative Court dated 1 December 2009, Case File No. I OSK 249/09.
7 See, e.g., the Judgment of the Supreme Administrative Court dated 19 January 2011, Case File No. II OSK 58/10; the Judgment of the Supreme Court dated 14 September 2000, Case File No. II UKN 207/00.
8 See Article 222 of the Polish Labor Code.
9 See Article 223 of the Polish Labor Code.
10 See Article 223 § 4 of the Polish Labor Code.
11 See Article 222 § 7 in relation to Article 223 § 3 and § 4 of the Polish Labor Code.
12 See Article 17 of the Act of 2 March 2020 on the Special Measures Related to Preventing, Counteracting and Fighting COVID-19, Other Infectious Diseases and Crisis Situations Caused by Them (Ustawa z dnia 2 marca 2020 roku o szczególnych rozwiązaniach związanych z zapobieganiem, przeciwdziałaniem i zwalczaniem COVID-19, innych chorób zakaźnych oraz wywołanych nimi sytuacji kryzysowych), Journal of Laws 2020, item 374.
13 See Article 1, point 1 of the Act of 31 March 2020 on the Amendment of Certain Legal Acts Relating to the Health Care System in Connection with Preventing, Counteracting and Fighting COVID-19 (Ustawa z dnia 31 marca 2020 roku o zmianie niektórych ustaw w zakresie systemu ochrony zdrowia związanych z zapobieganiem, przeciwdziałaniem i zwalczaniem covid-19), Journal of Laws 2020, item 567.
14 See Article 8a, section 5 of the Act of 14 March 1985 on the National Sanitary Inspection (Ustawa z dnia 14 marca 1985 roku o Państwowej Inspekcji Sanitarnej), Journal of Laws no. 12, item 49, with subsequent changes.
15 See the Polish DPA Statement regarding the coronavirus dated 27 March 2020 ("Szerokie uprawnienia GIS przy przetwarzaniu danych w związku z koronawirusem").
16 See the Report "Coronavirus and Law" dated 6 April 2020, www.mustreadmedia.pl, pages 192 – 193.
17 See the Polish DPA Statement regarding the coronavirus dated 27 March 2020 ("Szerokie uprawnienia GIS przy przetwarzaniu danych w związku z koronawirusem").
18 See the Guidelines dated 22 April 2020 of the General Sanitary Inspector ("Wytyczne dla funkcjonowania zakładów przemysłowych w trakcie epidemii COVID-19 w Polsce").
19 See Article 11 of the Act of 2 March 2020 on the Special Measures Related to Preventing, Counteracting and Fighting COVID-19, Other Infectious Diseases and Crisis Situations Caused by Them (Ustawa z dnia 2 marca 2020 roku o szczególnych rozwiązaniach związanych z zapobieganiem, przeciwdziałaniem i zwalczaniem COVID-19, innych chorób zakaźnych oraz wywołanych nimi sytuacji kryzysowych), Journal of Laws 2020, item 374.