The functioning of the Company Social Benefits Fund ("CSBF") at the workplace entails numerous benefits for both employees and the employer. However, it should not be forgotten that it also entails obligations. One such obligation is the need to review personal data on an annual basis to determine the necessity of its continued storage.
The rules governing the distribution of funds from the Company Social Benefits Fund force the employer to obtain and process the data of employees and their families. These data are subject to protection, so the employer, being the controller of these data, is obliged to observe, in particular, the principle of data minimisation. According to this principle, personal data should be adequate (i.e. sufficient to fulfil the purpose for which they are collected), relevant and limited to what is necessary to fulfil that purpose. Data must not be collected as a 'backup' or 'just in case'. In the case of the CSBF, the provisions of the Fund's regulations will be key to the implementation of this principle, because the regulations should contain detailed procedural rules indicating the data and documents that a person applying for a benefit should provide.

Moreover, the processing of personal data on the basis of the provisions of the Act on the Company Social Benefits Fund is allowed only for the period necessary to grant the benefit and determine its amount, as well as for the period necessary to assert rights or claims. In order to implement these principles, the legislator decided to introduce an obligation to review personal data to determine the necessity of their continued storage. Such a review should be carried out at least once a calendar year. The legislator did not decide to regulate detailed procedures in this respect, so it is worth setting out the principles of such a review in the rules of the Company Social Benefits Fund.

Although the Act on the Company Social Benefits Fund directly indicates that there should be one review per year, it should not be forgotten that the employer is obliged to comply not only with that Act, but also with other regulations in the area of personal data protection.
Therefore, the employer should, on an ongoing basis, monitor whether personal data are processed in a manner compliant, in particular, with Article 5 of GDPR[1].
After the annual (or ad hoc) review, if the employer concludes that storing a certain range of data is no longer necessary, the employer is obliged to delete the personal data whose further storage is unnecessary for the purpose for which they were collected. It is therefore obligatory to delete those data which are no longer necessary for the granting of services, benefits or subsidies from the resources of the Company Social Benefits Fund or for the determination of their amount, as well as those whose further processing is unnecessary from the perspective of the assertion of rights or claims.
The Act does not indicate who is to perform the review and when, so it is left to the discretion of the employer. It is therefore also permissible for the employer to entrust the annual review of the data to an external entity. However, it should be borne in mind that any person who has access to personal data should be duly authorised to process the data and should be trained in all personal data protection procedures.
It is also worth remembering that some "trace" should remain from such an audit, which will allow us to prove, if necessary, that the requirement has been met. The most practical solution is to draw up a record of the review in documentary form. This is important in the context of the consequences of non-compliance with this obligation, as non-compliance with the Company Social Benefits Fund Act is punishable by a fine. In addition, there also remains a general liability related to non-compliance with data protection regulations.
In conclusion, although the Company Social Benefits Fund Act requires a review of the collected data once a year, the general data protection regulations require the correct processing of personal data at all times. The topic of personal data protection in the company social benefit fund should therefore be monitored on an ongoing basis.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Article 5: Principles relating to processing of personal data.

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
01.11.2024