Committee on equality and non-discrimination: It was not a breach of the Anti-Discrimination Act when a complainant was not offered a vacant position, because he refused to present a copy of his passport to the company. But it may fall foul of the personal data protection act?    

If a company has employees without a work permit, the company may be imposed penalties and possibly lose its fast track certification. Therefore, there are many reasons for making sure that the employees are allowed to work in Denmark.

In an attempt to avoid penalties for hiring employees without work permits, companies have implemented a practice in connection with hiring, according to which all applicants, including Danish citizens, are requested to present a copy of their passport when applying for a position in the company.

In a specific case, the Committee on equality and non-discrimination decided on such practice in relation to a company that, as a matter of routine, required a copy of the passport from applicants for vacant positions.

An applicant of Slovak origin was rejected from a position in the company, because he refused to present a copy of his passport. The applicant complained to the Committee on equality and non-discrimination, as he believed that the employment requirement was illegal, and that the company practice did not comply with the ban on differential treatment due to ethnicity and nationality according to the Anti-Discrimination Act.

In its decision, the Committee on equality and non-discrimination emphasised that all applicants were required to present a copy of their passports, and that the company practice was implemented according to the guidelines of the authorities, and that the purpose was to avoid hiring illegal alien labour. Based on this, the committee determined that the company’s actions were not in breach of the Anti-Discrimination Act.

Personal data

It is not within the competence of the Committee on equality and non-discrimination to determine whether requiring a passport copy from applicants is or may be a breach of the rules of the personal data protection act.

In the personal data protection act – and in the data protection act, which enters into force on 25 May 2018 – there is a distinction between ordinary and sensitive personal data. As a concept, citizenship is closely connected to ethnicity and race, which, according to Section 7 of the personal data protection act and Article 9 of the general data protection regulation, constitute sensitive information. The rules for handling such information have been tightened. Thus, one needs to be careful in relation to handling information on ethnicity and race when hiring new employees.

However, information on citizenship is not sensitive, seen in isolation. This also applies, when the new data protection act enters into force. Therefore, the company may factually handle information on the citizenship and residence and work permit, if any, of the applicant, among other things if the company needs to ensure that the employee is allowed to work in Denmark.

However, it is not recommended for the company to request copies of passports from all applicants, as a matter of routine – among other things considering that the company should only process the data necessary (data minimisation), cf. Article 5 (C) of the general data protection regulation. Therefore, the company could wait asking for a copy of the passport to document whether or not a residence and work permit is required, until the last round of recruitment, where only a few applicants are left.  

It is noted that a residence and work permit is given on the basis of a specific employment with a specific employer. Even though an employee already has a residence and work permit in Denmark, a change of jobs means that the employee must apply for new permits. Therefore, the company must ensure that the new application for residence and work permit is submitted on the day on which the employee begins his or her new job, at the latest. 

Proposal for the data protection act section 12

Subsection 1. Handling of personal data in relation to employment relation comprised by Article 6 (1) and Article 9 (1) in the general data protection regulation may take place if handling the data is necessary in relation to the industrial obligations or rights of the data controller or the registered as laid down in other laws or collective agreements.

Subsection 2. Handling of data mentioned in subsection 1 may also take place if handling the data is necessary for the data controller or a third party to pursue legitimate interests, which originate from other laws (…)