Each year the Dutch Data Protection Authority [“DPA”], taking its limited capacity into account, sets out a number of key objectives on which it will focus. The protection of privacy in the employment relationship has been one of the priority areas over the last two years. Having regard to the financial dependence between employee and employer and the increasing pressure on the employees as a result of the economic crisis, the employee is in a vulnerable position in terms of protecting its privacy. The DPA received various signals that employment agencies appeared to be violating the privacy of temporary workers. In a temporary employment relationship the agency acts as the employer of the temporary worker [“temp”]. For these reasons, the DPA decided to carry out an investigation in respect of two large employment agencies regarding their compliance with the Dutch Data Protection Act [“DDPA”].
Processing of copies of ID cards
According to the DPA, the investigations confirmed that the employment agencies are violating data protection laws on various points. For example, copies of ID cards are made as soon as the temp signs up at an employment agency and these copies are being shared with potential clients. Making a copy of an ID is only permitted if there is a legal basis, for example under the Wages and Salaries Tax Act or the Foreign National Employment Act, or when it is necessary in connection with the performance of the contract with the data subject. The reason behind this is that the copies of ID cards left lying around can easily lead to identity fraud. ‘ID copies’ also contain information about race and nationality, and the sharing of this information [at an early stage] can lead to discrimination. In addition, this means that the Social Security Number [“SSN”] of the temp is also being processed without any legal basis. As long as an individual has not actually started working for the agency, the aforementioned exceptions cannot be invoked. The legal obligations to process a copy of an ID or SSN only exist when someone actually starts working for the agency. As a result, it will only be necessary to process the information at that stage in order to be able to perform the temporary employment contract with the temp.
The necessary monitoring of a person’s identity by the agencies during the selection process can be effected in a lawful manner by letting the temp show its ID and allowing the intermediary to check it without making a copy. The employment agencies do not agree with this point of view of the DPA: they find the method impractical and are afraid of mistaken identities or mix-ups, particularly because temps often speak to multiple agencies.
The DPA also noted that both employment agencies process too much data on temps who are ill. The agencies list the nature and cause of the illness, which is not allowed. In line with the previous investigations into processing data of ill employers by absenteeism agencies and occupational health and safety services, the DPA holds that the agencies are only allowed to record that someone is ill and to what extent he/she is incapacitated. Furthermore, this is only permitted when it is necessary for the re-integration or the guidance for the employee as a result of illness or incapacity or to meet legal objectives.
Employment agencies want to be able to screen people for their criminal past for certain positions. The processing of criminal information is, however, prohibited under the DDPA, unless one of the legal exceptions can be invoked. In practice, use of the certificate of good conduct is often made. This does not contain information about a person’s previous convictions or on-going criminal proceedings. Because an application for a certificate can take some time, the agencies usually ask a temp to fill out a statement, in which they indicate if they have or have not committed any criminal offences. If the temps report criminal facts through the statement, processing of criminal information takes place. Furthermore, this statement is also shared with clients of the employment agency. The agencies are of the opinion that this is allowed because they have received consent for the processing thereof from the temps. However, according to the DPA, this consent cannot be relied on: a successful appeal to base the processing of personal data on the justification ground of ‘consent’ can only exist if the consent is given freely. In this case consent is not given freely because of the imbalance in the relationship between the temp and the employment agency.
One of the employment agencies occasionally recorded that a temp was wearing a headscarf. In principle, processing such information is forbidden precisely because this can lead to discrimination based on religion or belief. There is no legal exception in place that allows the employment agencies to process such data.
Retention period and follow up
Personal data cannot be held for longer than necessary in order to fulfil the purposes for which they were collected, unless the retention is necessary to meet legal retention obligations. However, in some cases the data were retained longer: one agency even retained the data for 24 [!] years.
The practical implementation of the obligations of the DDPA which companies and business must comply with still remains an obstacle. In early 2014, therefore, the DPA published various do’s and don’ts in which a straightforward explanation was given on how to handle the privacy of the employee in the workplace. Useful guidelines regarding the processing of copies of IDs have also been published.
The investigated employment agencies have promised to improve and have adapted or started to adapt their way of working. The DPA will keep a close eye on the matter: the DPA can order enforcement measures, for example imposing an order subject to a penalty, if the violations continue.