The way to the right for employee sobriety checks – Polish perspective
Sobriety vs the “personal data” definition
It is beyond any doubt that sobriety test results fall within the scope of the definition of personal data pursuant to the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
There have also been discussions about whether sobriety data are sensitive data or not. As for my opinion, I share the views expressed by the vast majority of experts that, in the current legislative status resulting from GDPR, the information on alcohol consumption does not fall within the scope of the “sensitive data” definition. Unlike Directive 95/46/EC, GDPR does not treat data on addictions as a special category of personal data. What is more, it is difficult to automatically consider any information about alcohol consumption as disclosing a person’s health status or a potential addiction.
Legal basis for data protection
As it follows from the announcement of the Polish Personal Data Protection Office of 27 June 2019, “in the opinion of our Office, there is no legal basis authorising employers to conduct alcohol breathalyser tests among their employees on their own”. Furthermore, the Office emphasised in the context of this case that sobriety checks are permitted only with the consent of the employee concerned. This view is in contradiction to the Office’s previous comments. In fact, the Office has claimed many times that the requirement of an employee’s consent has a legal defect since an employee is not free in making such statement of intent due to the unequal status of the two parties to the employment relation. On the other hand, employers often decide to process such data in the current legal status, claiming the basis set out in Article 6(1)(c) GDPR, i.e., the controller’s compliance with a legal obligation to which it is subject under the labour law (safe working conditions), which should be reflected in corporate workplace rules and regulations. Although the Polish personal data protection authority has not found legal basis for processing data on addictions, it has been consistently claiming to be aware of the need for enabling the employers to check the sobriety of their employees in some industries. However, the authority has emphasised that any such initiatives must be analysed in terms of ensuring the right of privacy and dignity for employees.
Legislative process
Both the abovementioned opinions and the growing number of accidents caused by intoxicated employees have contributed to the increased mobilisation of actions and formalisation of further steps. And so, in its response to the abovementioned announcement of the personal data protection authority, the Ombudsman for Small and Medium-sized Enterprises requested the Minister of Labour and Social Policy to provide legal clarification of Article 17 of the Act of 26 October 1982 on upbringing in sobriety and counteracting alcoholism and Article 221b of the Act of 26 June 1974 – the Labour Code. In its request, the Ombudsman has also enquired “whether an employee’s sobriety data are personal data on health status and, consequently, whether such data may be transferred only upon the initiative of the employee concerned”. Simultaneously, the Working Team for workplace sobriety checks was appointed at the Board of Entrepreneurs. What is important, the main objective was to adopt the legal basis specifying the workplace sobriety check procedure applicable irrespectively of the entity which takes the initiative to conduct such check.
New regulations
As a consequence of these actions, a new bill (UD211) was put on the list of legislative and programme works of the Council of Ministers. Pursuant to the bill, amendments are to be made to the Polish Labour Code and the Act on upbringing in sobriety and counteracting alcoholism. They are to include providing the legal basis for employers to conduct random checks for presence of alcohol and/or other substances having similar effects among their employees due to the objective stipulated by the law as well as the terms and conditions for conducting such checks. The new regulations are also expected to lay down the basis for conducting tests for the presence of alcohol or other substances having similar effects by competent public order protection authorities. Moreover, they are to ensure that such rules may be equally applied by employers with respect to employees who work under legal regime other than the labour law (e.g., under a B2B contract). Furthermore, the new regulations are to govern in detail the issue of prohibiting an employee from performing work, specifically to impose on employers the obligation to do so in the case of a justified suspicion that an employee reported to work after drinking alcohol or where preventive sobriety check reveals alcohol content in their body.
Summary
The bill confirms that the lawmakers have noticed the shortcomings of the existing legal regulations and intend to amend them. What is more, in this case almost all parties concerned seem to believe that the processing of relevant data is legitimate. However, while some experts claim this is possible under the regulations currently in effect, others (supporting the standpoint of the personal data protection authority) are of the opinion that such processing is not permitted in the current legislative status. If the new law is effectively adopted, employers will become entitled to test their employees not only for being under the influence of alcohol but also under the influence of substances having effects similar to alcohol, such as psychotropic substances. One can feel that such change is awaited not only by the employer community but also by the personal data protection authority itself.
Article provided by: Justyna Matuszak-Lesny (e|s|b Legal, Poland)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database