A decision was made to optimise cost by consolidating HR and payroll functions in a capital group of 16 companies, each with its own employees and a separate HR and payroll function. Available options: outsourcing vs centralised HR/Payroll function in one of the subsidiaries. A cost and benefit analysis was conducted to compare the options. Both options include data protection aspects. Certain conditions must be met before an external service provider or a centralised unit can access and process employee personal data in all subsidiaries:
- Subsidiaries must enter into mutual written agreements that will specify the terms and conditions of access to personal data and provide an authorisation to handle such data1. A data processing agreement must indicate the purpose and scope of data processing. The authorised entity will collect and process data and it must ensure compliance with all relevant rules and processes that ensure data security. Data may only be processed by individuals duly authorised by the data controller.
- The person whose data are processed must be duly notified under Article 24 of the Law. The data controller must disclose the following information to data subjects: address of corporate headquarters, full name, purpose of data collection, right to access/modify your own personal data, the voluntary or mandatory nature of data disclosure and a legal basis for obligatory disclose, if appropriate.
- In case data are to be transferred to another country assurance must be given that data will be kept secure2. Adeqaute safeguards must be considered in all aspects of the data tranfer process with a particular focus on the type of data, purpose and duration of processing, country of origin and country of destination, and the laws and regulations, both general and industry-specific, that apply in a third country and safeguards used in that third country. Furthermore, in case personal data are to be processed by entities incorporated/domiciled in a third country the data controller must appoint its representative in the Republic of Poland.
Liability for Non-Compliance
Any employer that fails to meet the requirements regarding the protection and storage of the personal data of its employees shall be liable:
- Pursuant to Article 51 Para. 1 of the Personal Data Protection Law, anyone who controls a personal data set or is obliged to protect personal data discloses or allows access to such data to unauthorised persons shall be liable for a fine, restriction of freedom or imprisonment for up to 2 years.