Personal data processing in recruitment processes

How Can We Help?

Personal Data: Following Directive 95/46/EC, ‘personal data’ refers to any information connected to an identified or identifiable natural person (‘data subject’). This includes:

  • Name and surname,
  • PESEL/Personal Identity Number,
  • Residential address,
  • Date of birth,
  • Email address,
  • Telephone number,
  • Internet identifiers (e.g., IP address, cookie identifiers),
  • One or more specific factors that identify a person’s physical, physiological, genetic, psychological, economic, cultural, or social identity.

Sensitive Personal Data: The GDPR does not explicitly define sensitive personal data. However, Article 9 lists information subject to special protection. It encompasses data regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for the identification of a natural person, as well as data concerning health or an individual’s sexuality or sexual orientation.

Legal Basis for Processing Personal Data: Personal data may be processed based on three conditions:

  1. Legal Interest: In cases where an entity has a legitimate interest, personal data may be processed even without consent. For example, a recruiter may have a legal interest in processing a candidate’s data due to their role in recruitment.
  2. Consent: Personal data may be processed with the consent of the individual whose data is being processed. This occurs when the candidate provides explicit or implied permission.
  3. Legal Obligation: Sometimes, the law, such as the Labor Code, permits the entity to process personal data. Having one of these grounds is sufficient to process personal data legally.

Employer’s Obligations Related to GDPR:

  • The potential employer must provide the candidate with information regarding the company’s registered office name and address.
  • If a Data Protection Officer exists within the company, their name should be disclosed.
  • The purpose of data processing and the legal basis (referring to specific regulations) must be communicated.
  • Recipients of the data should be made known.
  • If personal data will be processed across borders, this should be communicated when necessary.
  • Information on how the employer will handle personal data in the long term should be disclosed.
  • The employer must also inform the candidate of their rights, including the right to access their data, the right to withdraw consent to data processing, and the right to file a complaint with the President of the UODO (Personal Data Protection Office).
  • It should be clarified whether providing data is voluntary or obligatory, along with the consequences of not providing such data.

This information should be provided in the job advertisement or promptly after receiving a job application from the candidate.

Personal Data Required During Recruitment:

As per Article 221 § 1 of the Labor Code, the employer is obliged to obtain the following personal data:

  • First name and surname,
  • Date of birth,
  • Contact details provided by the candidate (typically a phone number or email address),
  • Education,
  • Professional qualifications, which encompass experience, skills, psychophysical characteristics, and predispositions relevant to the position,
  • The candidate’s previous employment history.

These details may only be requested if they are essential for the specific role or tasks. If a particular position does not require specific qualifications or experience, the employer should refrain from collecting such information.

Documentation of Data Acquisition:

Candidates usually share their information through a statement or by including relevant details in their CV. However, the employer can request relevant documents, such as diplomas or work certificates, if necessary.

Data Storage Period:

The duration of data storage depends on the recruitment outcome. If the company does not hire the candidate, there are no grounds for further data processing, and the data should be deleted immediately, unless the candidate has consented to processing their data for future recruitment within a specified period.

Authorized Data Processing:

Employees may process applicants’ data only with the appropriate authorization for their official duties and must commit to keeping this data confidential. The confidentiality obligation usually results from the employer’s consent unless the data is sensitive, in which case, confidentiality is statutory.

Information Obligation Towards the Candidate:

The employer, as the data controller, must fulfill the information obligation towards each candidate as outlined in Article 13 of the GDPR. This information should be provided whenever personal data is collected, typically alongside the job advertisement or in response to the candidate’s application.

Future Use of Candidate Data:

The employer can only use candidate data from a specific recruitment process for future recruitment if the candidate provides explicit consent.

“Hidden” Recruitment:

Recruitment via internet portals that do not disclose the identity of the entity collecting data is not compliant with data protection provisions. Candidates must be aware of who is collecting their data and how to exercise their rights.

Penalties for GDPR Violations:

Penalties for GDPR violations are imposed by the President of the Office for Personal Data Protection (UODO). These penalties aim to deter data processing misconduct. Penalties can include administrative fines, warnings, or restrictions on data processing. Criminal and civil liabilities are also possible for individuals involved in violations.

Administrative Fines: Administrative fines for GDPR violations can reach up to EUR 20,000,000 or 4% of the company’s total annual worldwide turnover, depending on the nature and severity of the violation.

Criminal Liability: Criminal liability for GDPR violations applies to individuals, such as employees, managers, or officials, and not to organizations.

Civil Liability: Data subjects who suffer damage due to GDPR violations have the right to seek compensation from both data processors and data controllers.

Factors Considered in Penalties: Various factors are taken into account when determining the penalty, including the nature and duration of the violation, attempts to minimize harm, degree of responsibility, behavior after the violation, categories of personal data affected, and other mitigating or aggravating factors.

Types of Infringements: GDPR penalties can be imposed for a range of infringements, including violations of data processing principles, non-compliance with information obligations, and breaches related to data transfers outside the EEA.

Legal bases: 

Regulation 2016/679 of the European Parliament and of the EU Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data Protection Act of 10 May 2018 (from now on: GDPR)

Unions Help Refugees