Processing of temporary workers’ personal data is subject to the same legal requirements as the processing of all other employees’ data. As a rule, the Agency, as the formal employer, is considered the data controller. The Agency should entrust the processing of the temporary workers’ data to a User – undertaking on the basis of a separate written agreement (Article 31 of the Act on Personal Data).
The agreement on processing of temporary workers’ data could be included in the agreement between the Agency and the User – undertaking regarding temporary employment issues. Thus, the User – undertaking would be entitled to process the temporary workers’ data as the processor.
Moreover, the User – undertaking is considered as the controller of temporary workers’ data related to the specific User – undertaking’s rights and obligations concerning temporary workers, such as working time records or health and safety working conditions.
The employee’s data may be processed only if one of the following requirements is met: (i) the data subject (the employee) has given his consent, or (ii) it is necessary for the exercise of rights and duties resulting from a legal provision, or (iii) it is necessary for the fulfilment of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (Article 23 points 1, 2 and 3 of the Act on Personal Data). It should be emphasized that, according to courts’ rulings and the Article 29 Working Party’s opinion, the employee’s consent to the processing of his data should not be automatically considered as given freely and without coercion, as it can be given under the employer’s pressure. Therefore, in practice it is not sufficient to get the employee’s consent to the processing of his data.
Moreover, only the following types of data can be processed by the entitled entities (controller and processor): (i) name and surname, (ii) names of parents, (iii) date of birth, (iv) residential address/correspondence address, (v) education, (vi) employment history, (vii) other data (e.g. children’s details), if it is necessary for an employee to enjoy benefits (including but not limited to social security benefits, family allowances and health care services) provided for in the labour law, (viii) PESEL number, (ix) other data, if it is provided for in the obligatory provisions of law, e.g. tax law (Article 221 of the Labour Code).
The general rule obliges the controller to register personal data filing systems. However, temporary employees’ data, as part of a filing system, constitutes an exception and is not subject to the obligation to register within a record of processing activities kept by the Polish Personal Data Protection Authority (Article 43 subsection 1 point 4 of the Act on Personal Data).
It is worth mentioning that Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 (General Data Protection Regulation), which will take effect on 25th May 2018, does not provide for any register of data filing systems kept by the Member State’s Data Protection Authority, but it provides for a record of data processing activities maintained under the controller’s responsibility. In accordance with this Regulation, an employer who employs fewer than 250 persons is not obliged to maintain such a record, except for the processing of employees’ sensitive data (Article 30 subsection 5 of the above Regulation).
The controller is to apply all security measures (technical and organizational) to preserve data confidentiality and integrity, in particular to protect the data against unauthorized disclosure, takeover by unauthorized persons, any change, damage or destruction, or processing that violates the Act on Personal Data. The controller has to maintain a record of employees’ data processing activities and security measures under its responsibility (Article 36 of the Act on Personal Data). It is responsible for supervising which data have been entered into the filing system, when and by whom, and to whom they are transferred (Article 38 of the Act on Personal Data). The processing of data can be performed exclusively by authorized persons whose details are properly recorded (Articles 37 and 39 of the Act on Personal Data). The controller can appoint an administrator of data security responsible for implementation and maintenance of the data security system (Articles 36a and 36c of the Act on Personal Data).
It should be emphasized that all operations related to security measures can be digitalized and performed via an information system. The technical specifications of the security measures are provided for in the Ordinance of the Minister of Home and Administration Affairs on Personal Data Processing Documentation and Technical and Organizational Requirements for the Equipment (hardware) and Information System (software) Used for Data Processing Purposes, dated 29th April 2004 (Dz.U. Nr 100, poz. 1024).