Poland: UODO issues statement on GDPR and company social benefit funds
The Polish data protection authority ('UODO') released, on 6 February 2020, a statement ('the Statement') on the data processing responsibilities of employers that operate a company social benefit fund. In particular, UODO stated that while the employer is entitled to assess the life and financial situation of the employee and their family members, it must only process the data that is necessary to attain the purpose for which the data was obtained. Furthermore, UODO highlighted that the employer must review the data it is processing at least once a year, and must comply with the purpose limitation principle under Article 5(1)(b) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') by deleting personal data which no longer needs to be retained.
You can read the Statement, only available in Polish, here.