Reviewing personal data of employees with disabilities.
May 4, 2024 is the deadline for employers who perform tasks under the Law on Vocational and Social Rehabilitation and Employment of Persons with Disabilities to perform the first review of personal data. Such reviews should be carried out every 5 years.
Deadline for the initial review of personal data
According to the provisions of the Law on Vocational and Social Rehabilitation and Employment of Persons with Disabilities (“the Rehabilitation Law”), amended in 2019, it is necessary to regularly review personal data processed for the purposes of the Law. Therefore, employers who employ people with disabilities – and consequently process their data (e.g., for the purpose of payments to the State Fund for the Rehabilitation of the Disabled (PFRON), reimbursement of social security contributions, reimbursement of additional employment costs, etc.) are required to review the data they collect. Such processes generally require collecting a significant amount of documentation which may be dispersed and fixed in various forms, which can make it difficult to comply with this obligation.
Employers are required to review the personal data processed to perform the tasks under the Rehabilitation Act at least once every five years, and the obligation to review the personal data includes data processed for the purposes of the Law concerning:
- current employees,
- former employees,
- recruitment candidates,
- family members of former and current employees.
The first such review must be carried out by May 4, 2024, which is the fifth anniversary of the effective date of this provision.
How to carry out the review?
In our opinion, for the review to be performed efficiently and in conformity with the objectives of the Rehabilitation Law, it is necessary to appoint a committee having several members who would review the collected data and take a decision on their potential removal. It is important that the review committee members are authorized to process personal data, as Article 2b(6) of the Rehabilitation Law requires that only persons who have written authorization to process personal data and are obligated in writing to keep the data confidential may be allowed to process personal data on behalf of entities performing the tasks in question.
- The first step in the review should be to determine what data is processed by the employer in connection with the implementation of the Rehabilitation Law and where the data is located. In case the process of processing such data has not been properly prepared beforehand, determination of the scope of such data will be time consuming.
- Next, it is necessary to analyze what data retention periods apply to the various documents and data collected in the process, and select the data that should be deleted because their retention period has expired or they are no longer needed for the employer.
- After deleting the data and completing the review, the committee should prepare a protocol to document the conduct of the review and the fact that the data was deleted (for example, by indicating that data of a specific number of people was deleted).
Please note that both the deletion of electronic files and the destruction of paper documents should be done in a safe and secure way by destroying paper documents in shredders and by using dedicated programs to permanently delete files.
KONTAKT
E: magdalena.patryas@pl.Andersen.com
T: +48 32 731 68 84
M: +48 502 392 419