GDPR in HR — Employee Monitoring, Recruitment, Personnel Files, and Remote Work
The HR department is one of the most data-intensive areas of any organisation. From the moment a job advertisement is published, through the entire period of employment, to the archiving of records after the employment relationship ends — HR handles the personal data of employees, candidates, and contractors on a daily basis.
At the same time, HR is one of the areas most frequently audited by the Polish Data Protection Authority (UODO) and generates a significant share of data subject complaints. Mistakes in processing employee data can result not only in administrative fines but also in employee claims and a loss of trust within the team.
This article covers the key issues relating to GDPR compliance in HR — with references to the Polish Labour Code, UODO positions, and EDPB guidelines.
Recruitment — What Data Can You Collect from Candidates?
The scope of data that an employer may request from a job candidate is strictly defined in Article 22¹ § 1 of the Polish Labour Code. At the recruitment stage, the employer may collect: first name(s) and surname, date of birth, contact details provided by the candidate, education, professional qualifications, and employment history.
Additional data (e.g., home address, national ID number (PESEL), health information) may only be requested after the employment relationship has been established — and only to the extent required by law.
Most common recruitment mistakes:
- Requiring a photo in the CV — the GDPR does not prohibit a candidate from voluntarily attaching a photo, but the employer may not require it. If the candidate includes a photo of their own accord, it constitutes personal data and is subject to protection.
- Questions about marital status, pregnancy, or family plans — inadmissible. These constitute not only a GDPR violation but also discrimination under the Labour Code.
- Collecting data “just in case” — e.g., requesting a national ID number, home address, or criminal record certificate at the recruitment stage without a legal basis.
- No privacy notice — the candidate must receive a privacy notice (Article 13 GDPR) no later than at the time of data collection, i.e., when submitting their application. This applies to both online and paper-based recruitment.
Legal basis for processing data in recruitment:
- Data required by the Labour Code — Article 6(1)(c) GDPR (legal obligation) in conjunction with Article 22¹ of the Labour Code.
- Additional data voluntarily provided by the candidate (e.g., photo, hobbies, references) — Article 6(1)(a) GDPR (consent). Consent must be explicit and freely given.
Candidate Consent for Future Recruitment
A common practice is asking candidates to consent to the processing of their data for future recruitment. This is permissible but requires several conditions to be met:
- Consent must be freely given — it cannot be a condition for participation in the current recruitment process.
- Consent must be specific — it should indicate that it relates to future recruitment processes with this employer.
- A retention period must be defined — e.g., 12 months from the end of the current recruitment.
- The candidate must be able to withdraw consent at any time.
After recruitment has concluded, the data of candidates who were not hired and did not consent to future recruitment should be promptly deleted.
Employee Personal Data — Scope and Legal Bases
Once the employment relationship is established, the scope of data the employer may process expands. Article 22¹ § 3 of the Labour Code specifies additional data the employer may request from the employee: home address, PESEL number (or the type and number of an identity document), bank account numbers, data about children (if necessary for granting benefits), and other data if the obligation to provide it arises from separate regulations.
Legal bases for processing employee data:
- Performance of the employment contract — Article 6(1)(b) GDPR.
- Employer’s legal obligations — Article 6(1)(c) GDPR (Labour Code, tax regulations, social security, health and safety).
- Employer’s legitimate interest — Article 6(1)(f) GDPR (e.g., pursuing claims, organising work).
- Employee consent — Article 6(1)(a) GDPR (only for data processed on the basis of voluntary consent, e.g., publishing a photo on the company website). Note: employee consent is controversial due to the imbalance of power in the employer-employee relationship. The EDPB and UODO stress that employee consent will rarely be considered fully voluntary — therefore, wherever possible, a different legal basis should be used.
Employee Monitoring — Rules Under the Labour Code and GDPR
Workplace monitoring is one of the most sensitive topics at the intersection of employment law and data protection. The Polish Labour Code (Articles 22² and 22³) regulates two types of monitoring:
CCTV Monitoring (Article 22² of the Labour Code)
When is it permissible? Only for four purposes: ensuring employee safety, protecting property, controlling production, and safeguarding confidential information.
Location restrictions: Monitoring may not cover sanitary facilities, changing rooms, canteens, smoking rooms, or trade union premises — unless it is necessary to achieve one of the permitted purposes and does not violate employee dignity (e.g., image anonymisation techniques are applied).
Recording retention period: A maximum of 3 months from the date of recording — unless the recordings constitute evidence in proceedings, in which case they may be retained until the proceedings are concluded.
Employer’s obligations:
- Define the purposes, scope, and method of monitoring in a collective agreement, work regulations, or a notice.
- Inform employees about monitoring in writing — before they start work (new employees) or at least 2 weeks before monitoring begins (existing employees).
- Visibly mark monitored areas and premises — with information signs.
- Prepare a GDPR privacy notice for CCTV monitoring (Article 13 GDPR).
- Conduct a DPIA if monitoring covers a large number of people or publicly accessible areas.
Email Monitoring (Article 22³ of the Labour Code)
When is it permissible? If it is necessary to ensure work organisation that enables full use of working time or proper use of work tools provided to the employee.
Key limitation: Email monitoring must not violate the secrecy of correspondence or other personal rights of the employee. This means the employer should not access the content of the employee’s private messages.
Employer’s obligations are analogous to CCTV monitoring — work regulations/notice, written notification to employees, privacy notice.
Other Forms of Monitoring
The Labour Code provides that the email monitoring rules apply mutatis mutandis to other forms of monitoring, if their use is necessary to achieve the same purposes. This includes: GPS tracking of company vehicles, computer activity monitoring (logins, websites visited), access control (magnetic cards, fingerprint readers), and telephone call monitoring.
Each form requires analysis from a GDPR perspective — in particular, an assessment of proportionality, determination of the legal basis, and preparation of documentation.
Remote Work and the GDPR
The widespread adoption of remote work after the COVID-19 pandemic created new challenges for personal data protection. The amendment to the Polish Labour Code (effective from April 2023) regulated the rules for remote work, including the issue of monitoring remote employees.
Key GDPR issues in remote work:
- Data security outside the office — the employer must implement data protection procedures for remote work (device encryption, VPN, rules for using home networks, screen lock, paper document storage).
- Remote work monitoring — the employer may monitor a remote employee but must respect the principle of proportionality. Installing tracking software (keyloggers, screen recording, mouse movement tracking) requires particularly careful assessment from a GDPR perspective — in many cases it will be disproportionate and violate employee dignity.
- Data protection procedure for remote work — the employer is required to define data protection procedures for remote work and conduct training. The employee must confirm they have reviewed the procedures.
- Security incidents — the remote employee must know how to report a data breach (e.g., theft of a work laptop, unauthorised access to documents).
Personnel Files and the GDPR
Maintaining employee personnel files is a legal obligation of the employer under Article 94(9a) of the Labour Code. The Regulation of the Minister of Family, Labour and Social Policy of 10 December 2018 sets out detailed rules for maintaining and storing employee documentation.
Key principles from a GDPR perspective:
- Data minimisation — personnel files should only contain documents required by law or necessary for employment purposes. Excessive copies of documents should not be accumulated.
- Retention period — personnel files of employees hired from 1 January 2019 must be retained for 10 years from the end of the calendar year in which the employment relationship was terminated. For employees hired earlier — 50 years (unless information reports have been submitted to ZUS).
- Security — personnel files must be stored in conditions that prevent destruction or damage, with protection against unauthorised access. This applies to both paper and electronic forms.
- Digitalisation — since 2019, the employer may maintain personnel files in electronic form. Transitioning from paper to electronic form requires compliance with the regulation’s requirements (including creating digital reproductions and applying a qualified electronic signature).
Processing Special Category Data in HR
In the HR context, special category data (Article 9 GDPR) is frequently processed, including:
- Health data — medical certificates, disability certificates, sick leave notifications.
- Trade union membership data — if the employee is a union member and benefits from union protection.
- Biometric data — if the employer uses fingerprint or facial recognition-based access control.
Processing such data requires a specific legal basis under Article 9(2) GDPR — most commonly the fulfilment of obligations under employment and social security law (Article 9(2)(b)) or the employee’s explicit consent (Article 9(2)(a)).
Article 22¹b of the Labour Code provides that an employee’s biometric data may be processed solely for the purpose of controlling access to premises requiring special protection or to information requiring special protection — and only with the employee’s consent given in written or electronic form.
Employee Rights as Data Subjects
Employees have full rights under the GDPR — the right of access, rectification, erasure, restriction of processing, data portability, and objection. The employer must provide a mechanism for exercising these rights.
Most common situations in practice:
- Right of access (Article 15 GDPR) — the employee has the right to obtain a copy of their data processed by the employer. This includes personnel files, data in HR and payroll systems, email correspondence concerning the employee, and CCTV recordings. The employer has one month to fulfil the request.
- Right to erasure — limited in the HR context, as the employer has a legal obligation to retain many categories of data for specified periods. The employer may refuse erasure, citing Article 17(3)(b) GDPR (legal obligation).
- Right to object — the employee may object to processing based on the employer’s legitimate interest (Article 21 GDPR). The employer must then demonstrate that there are compelling legitimate grounds that override the employee’s interests.
GDPR in HR Checklist — What Every Company Should Do
- Prepare privacy notices for candidates, employees, and contractors (separate notices for each group).
- Determine the legal bases for processing for each HR process (recruitment, employment, training, benefits, monitoring, records).
- Develop a GDPR-compliant recruitment procedure — define the scope of data collected, the form for collecting consent, and the rules for deleting data after recruitment ends.
- Regulate monitoring in work regulations or a notice — define the purposes, scope, method, and recording retention period.
- Implement a remote work procedure that addresses data protection — security rules, monitoring controls, and incident response.
- Train HR staff — on the GDPR, handling employee requests, and breach procedures.
- Review data processing agreements — with providers of HR systems, payroll services, benefits, and training platforms.
- Set data retention periods — for each category of employee data, in accordance with the Labour Code and sector-specific regulations.
- Conduct a DPIA — if you use monitoring, employee evaluation systems, HR profiling, or process biometric data.
- Schedule regular audits of HR processes — at least once a year.
Need GDPR Support for Your HR Department?
HR is an area where GDPR mistakes have direct consequences — for employees, for the employer, and for the company’s reputation. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we help companies achieve comprehensive GDPR compliance in their HR processes — from auditing personnel documentation, through implementing monitoring and remote work procedures, to training HR departments and management teams.
Contact us — we will review your HR processes for GDPR compliance.
