Third-country workers, i.e. those from outside the European Union (EU) and the European Economic Area (EEA), are increasingly working in various European countries. As a result, companies are forced to process their personal data in accordance with the provisions of RODO (General Data Protection Regulation).
Scope of application of the RODO in the context of employment
The provisions of the General Data Protection Regulation (RODO) have a territorial scope of application. It is defined so that it applies to the processing of personal data that takes place within the EU/EEA. It also applies to the processing of data of persons residing in the area. Thus, if an employee does not have citizenship of any member country, but is in Poland in connection with his employment, the processing of his data by the controller – the employer – is subject to the RODO. The processing of personal data of employees from third countries is therefore subject to the same rules as the processing of data of EU/EEA employees.
Employment of a foreigner – legal basis for data processing
Employers must first of all meet the condition of legality of data processing. This means that the processing of personal data of third-country employees is allowed only if there is an appropriate legal basis. The most common basis for processing personal data of third-country employees is the conclusion of an employment or professional contract. If the employee is employed under a contract, then the processing of his personal data is necessary for the performance of the contract. In addition, the processing of third-country employee data may be necessary to meet other legal obligations of the employer, such as tax settlements or filing reports to state institutions.
Rules for processing data of foreign employees
It is also important for employers to follow data protection principles, such as the principle of data minimization. This means that data processing should be limited only to the necessary information needed for employment purposes. The processing of personal data of third-country employees must also meet data security requirements. Employers are responsible for securing employee data against unauthorized access, loss or damage.
The employer should also ensure that foreign employees are able to exercise their rights under the RODO, such as the right to access and rectify their data and to object to processing in certain situations. It is also necessary to implement the information obligations set forth in Articles 13 and 14 of the RODO (information clauses).
Obligations under RODO – language barrier
Information on data processing by the controller – the employer – should be made available to the employee in a clear and understandable form, which also applies to the language of communication. If the employee does not speak Polish, it is permissible to communicate the message in another language, such as English. This does not have to be the employee’s native language, while it is important that the employee understands the content that is communicated to him.