Personal data

The personal data of employees – including job applicants, current employees and former employees – is a particularly sensitive area for every employer. Data processing during the recruitment process, during employment and after its termination requires compliance not only with the GDPR, but also with the provisions of the Labour Code, industry laws and internal regulations.

We support employers in designing processes that comply with personal data protection principles, implementing appropriate contract clauses, procedures and policies, as well as responding to incidents, inspections and employees’ requests. We help to create documentation that is legally compliant, organisationally effective and understandable to its recipients – employees, HR and the compliance department.

Designing a GDPR-compliant recruitment and onboarding process

We create complete sets of information clauses and consents tailored to all stages of recruitment.

Processing personal data in the employer-employee relationship

We assist in the proper development of personal data processing rules throughout the entire employment cycle – when concluding contracts, recording work time, medical examinations, benefits, monitoring (CCTV, e-mail, GPS), remote work, bonus systems and periodic employee assessments. We take into account the obligations arising from the Labour Code and industry-specific legal regulations.

Implementation of GDPR-compliant policies and clauses

We develop personal data processing policies, internal procedures for reporting breaches, employee rights and document templates, including information clauses, consent to monitoring, and information obligations when sharing data with contractors, business partners or public entities.

Support in the event of breaches and inspections

We advise in cases of data breach, e.g. disclosure of HR data, loss of employees’ documents, incorrect transmission of information or unauthorised access to data. We help you decide whether to report the breach to the regulator and develop communication to employees. We support entrepreneurs during the regulator’s inspections and investigations.

Assistance in handling employee requests regarding their data

We assist in handling employee requests for access to data, rectification, erasure or restriction of processing – also in contentious situations, e.g. for the purposes of court proceedings or in the context of dismissals. We support clients in preparing legally compliant and logical responses to employee requests.

Cooperation with HR, IT and compliance departments

We support teams responsible for human resources, information security and audits in their daily work with personal data. We help build a transparent structure of responsibility and data management policy within the organisation – especially in the case of large-scale recruitment or remote work.

Opinions on existing and implemented data processing models

We prepare legal opinions on the legality of existing personal data processing models, as well as of models still at the design stage, in order to implement the ‘protection by design’ directive.

Experience

Preparation of GDPR documentation

We have extensive experience in preparing comprehensive documentation – including employment-related documentation – necessary for the processing of personal data by entities from various industries. We have developed numerous policies related to personal data protection, dedicated consents and documents enabling the fulfilment of information obligations. Among other things, we have developed comprehensive documentation related to the protection of patient data – including children – for a non-public medical facility dealing with mental health and psychiatric care. We have also developed common rules for the processing of personal data by companies affiliated with a capital fund in connection with the implementation of obligations under whistleblower protection regulations and the implementation of a uniform platform for whistleblower reporting.

Practical support in sensitive industries

We advised on personal data protection in entities from the financial sector, healthcare and state-owned companies – where personal data processing is associated with a high level of regulation and operational risk. We helped to implement GDPR-compliant data processing mechanisms in international structures. We participated in the development and implementation of personal data protection rules related to the obligations arising from whistleblower protection regulations in a key state-owned company. We prepared legal opinions for a bank on cooperation with a chain of stores offering instalment sales in the area of processing the personal data of customers of such a chain. We supported a foreign entity from outside the EEA in the process of acquiring employees of a Polish company and the lawful transfer of their data abroad as part of the transaction.

Crisis management – response to incidents, inspections and proceedings by the Personal Data Protection Office (UODO)

We advised employers in cases where the President of the Personal Data Protection Office (UODO) carried out inspections, both planned and ad hoc. We helped prepare organisations for inspections, respond to UODO requests and implement corrective measures. We participated in the assessment of incidents related to the risk of personal data disclosure by an IT company and assessed the need to notify the UODO. We prepared responses to inquiries from the UODO and individuals whose personal data was processed by a company conducting statistical research on very large groups of respondents, based on the PESEL database.

Contract drafting and negotiation

We negotiated personal data processing agreements for companies in the IT and energy industries and for a retail chain, including agreements related to the mutual disclosure of employee data. Among other things, we prepared comprehensive documentation for a gaming company regarding the outsourcing of employee data processing to an entity outside the EEA.

We drafted clauses concerning the processing of personal data in commercial contracts, including contracts with creators and crew members of film and TV series productions, contracts for companies in the energy sector and for retail chains.

Adaptation to hybrid and remote working models

We supported clients in securing personal data in the new reality of employment – remote access to systems, use of private devices, monitoring of employee activity, and the use of SaaS and cloud tools. We participated in the creation of privacy policies in hybrid employment structures.

Training

We have developed and conducted a series of training courses on the principles of personal data processing, including for employees of a key state-owned company dealing with data protection and handling whistleblower reports.

Experts

Jarosław Jerszyński

Bartosz Góźdź

Marcin Liszka
