The employers ask the Personal Data Protection Office if, in terms of controls done, institutes like Social Security Institute (ZUS) or the National Labour Inspectorate (PIP) can have access to personal files of employees. When statal institutions do control activities with their power, can they have access to employee’s documentation?
These powers are granted based on specific disposals. It is important to keep in mind that the GDPR is an act of general nature, so anywhere there are specific disposals, which compliance is linked to the personal data processing, they will be applied.
These juridical acts can be, for example, the National Labour Inspector Legislation or the Law on the social security system.
The bodies specified, for example, into the exercise of their statutory functions, processing data based on specific disposals, that will be reflected into the GDPR (Article 6, paragraph 1, letter c), which legalizes the processing when it takes place in relation to the implementation of obligations under the law.
It is important to note that the legal obligation indicated into the article 6, paragraph 1, letter c, can not happen spontaneously, but only in mixed form made by a law requirement that imposed the controller to fulfill this obligation.
What ZUS can see…
According to legislation of 13 October 1998 on the social security system, one of the tasks of the instruction is the control of the taxpayers. This control is used in order to assess the fulfilment of social security obligation by taxpayers.
During the inspections, the investigators ZUS has the right, among other things, to examine all the books, financial, accountables and personal documents, as well as information support related to the control area. They can also control and inventory taxpayer’s activities in a postponed way with the payment of taxes and guarantee the evidences collected.
In addition, can ask information to the taxpayer and to the policyholder, identificate people in order to establish their identity, if it is necessary for the purpose of checking.
The Inspectors can also interview
witnesses, the taxpayer and the policyholder if, caused by the lack or the exhaustion of other evidences, there are unclear circumstances related to the control procedure.
In connection with what is written above with inspection right ZUS, the taxpayers must, among the other things, make available all the books, documents and other informatic supports related to the control. This is also applicable in terms of documents or media which are stored also with third, related with the entrustment of such activities to certain persons on the basis of separate agreements. Payers must also make the assets whose examination is included in the audit available for inspection if they are in arrears with the payment of contributions. They may also be required to prepare and issue copies of documents relating to the scope of the inspection and specified by the inspector, who may also ask the payer for explanations.
The information collected in employment relationships, contained in the staff member’s personal file may enable a correct assessment to be made of the compliance of the payer of contributions with the obligations imposed on him. For example, an inspection covering the correctness of the social security application may allow ZUS to ask for, among other things, the concluded employment contract, payroll and attendance list, which are part of the employee’s personal file.
… and what data does PIP see
The tasks of the PIP include supervision and control of the observance of labour law, in particular the rules and principles of health and safety at work, as well as provisions concerning the legality of employment and other paid work.
The tasks of PIP are specified in Article 10 of the Act of 13 April 2007 on the National Labour Inspectorate (hereinafter: PIP Act). These include supervision and control of compliance with the provisions of the labour law concerning the employment relationship, remuneration for work and other benefits resulting from the employment relationship, working time, holidays, rights of employees related to parenthood, employment of young people and the disabled, compliance with health and safety rules, control of the legality of employment, including employment of foreigners, control of payment of remuneration in the amount resulting from the minimum hourly rate, prosecution of offences against employee rights.
Within the scope of control rights, PIP inspectors have, among others: the right to free access to the premises of the workplace, to inspect facilities, rooms, workstations, machines and equipment. They may also demand the presentation of documents concerning the construction, reconstruction, modernization of the workplace or the submission of personal files and all documents related to the performance of work by employees or persons performing work on a basis other than the employment relationship.
The rights do not exclude TYPE rules
Thus, when the institutions carry out their tasks on the basis of statutory powers, they cannot be refused access to the documents requested. It is worth noting at this point that inspectors carrying out inspection activities are obliged not only to keep secret the information they have obtained in the course of performing their official activities, but also the rules stemming from the TOPs. These include the principle of proportionality, as well as the principle of purpose limitation requiring that personal data be collected for specific, explicit and legally justified purposes and not further processed in a way incompatible with those purposes, and the principle of data minimization, on the basis of which personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed.