At the beginning of October, the Polish Office for the Protection of Personal Data (the “UODO”) published a long-awaited document – “Protection of personal data at the workplace. A guide for employers” (the “Guide”). It contains information for employers on how to handle the personal data of employees and candidates for employment. These guidelines, although formally non-binding, are of paramount importance, especially for HR departments. They show the regulator’s approach to the requirements of the General Data Protection Regulation (the “GDPR”) in this key area for businesses. The Guide is not limited to employment on the basis of an employment relationship. It also includes other, increasingly popular forms of employment, such as civil law contracts.

The practical nature of the Guide means that many questions, including those that are particularly relevant to employers, are answered very briefly and in a way that may cause uncertainty. Worse still, in several places, the national authority’s approach appears to be a step backwards compared to the position of the EU advisory body (Article 29 Working Party) expressed in the June 2017 opinion on data processing at work (Working Document WP 249). As a result, the Guide may hinder the application of the GDPR in the context of employment as well as employers’ specific processes, especially recruitment processes.

The following are the most important issues for employers:

  • the Guide pretty categorically bans so-called “blind recruitment”, where the potential employer is not known to the candidate at the beginning of the recruitment process;
  • the Guide questions the admissibility of obtaining information on candidate employees’ criminal records, except in cases expressly provided for in specific provisions. In the authority’s opinion, the employer may not process such data even with a candidate’s consent;
  • contacting the candidate’s previous employer is only allowed with the candidate’s consent. As the UODO unequivocally put it: “During the recruitment process, candidates themselves should be the source of information concerning their professional careers”;
  • potential employers may not try to confirm the authenticity of a university degree (even with the candidate’s consent). However, if an employer has been doing this and thinks a document (e.g. a diploma) is a forgery, the authority advises them to notify the competent authorities;
  • as a rule, the regulator even questions data processing in order to secure against possible claims from candidate employees;
  • the Guide generally prohibits the use of candidates’ data for future recruitments, except with a candidate’s express consent. In the absence of such consent, the candidate’s personal data must be deleted ‘immediately’ after the end of the recruitment process, i.e. once the employment contract has been signed with the newly recruited employee;
  • the national authority’s negative attitude to the current common practice of obtaining information about candidates from social media is also worth quoting: “It is true that the development of the information society allows potential candidates to ‘build’ their on-line image, including for the eyes of future employers, by posting information about themselves on the Internet, but this does not mean that this information may be used in the recruitment process.”

Domestic employers may also face specific challenges at the employment stage. In particular, the authority confirmed in the Guide that the current negative position regarding the use of biometrics for the purpose of recording working time remains valid under the GDPR. Care should also be taken with regard to the use of employees’ images. In particular, in the opinion of the UODO, including photographs of employees on ID badges requires their consent. On the other hand, the exception in the GDPR that allows the processing and exchange of employees’ data within capital groups for “internal administrative purposes” has been clarified. According to the Guide, it will be allowed, for example, in relation to the centralisation of certain HR and payroll processes.

Significantly, the UODO’s Guide was published before the completion of work on adapting the Labour Code to the requirements of the GDPR. The adaptations concern several important issues, such as the grounds (in particular consent) for processing the data of candidate employees and employees, and the permissible scope of the data processed at the recruitment stage and at the workplace. Therefore, it cannot be ruled out that in the near future the Guide will need amending, especially in terms of adapting its provisions to the new Labour Code. However, those responsible for recruitment and employment in companies should still read it carefully.