TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | An overview of Polish authorities' conflicting guidance Related reading: Poland's DPA issues its first GDPR fine

rss_feed

Based on a request from Poland's Small and Medium Enterprises (Rzecznik Małych i Średnich Przedsiębiorstw), the Polish Ministry of Digitalisation published clarifications regarding “the further collection of Personal Data of individuals applying for a job, after completion of the recruitment process.” In it, the document attempts to clear up uncertainties regarding the processing of recruitment documentation in cases where there are currently no ongoing recruitments or where such a recruitment process has just been completed and the individual in question has not been selected.

For the first instance, in which a person would provide their CV specifically asking to be taken into account for any future job openings, the Ministry of Digitalisation confirms that keeping this kind of data for possible future recruitment processes can be based on consent, as long as the conditions of Article 4(11) of the EU General Data Protection Regulation are met (consent needs to be “freely given, specific, informed and unambiguous”). The ministry, however, also stated that should the company decide to keep the data and therefore determine the purpose of processing, it would still be responsible as the data controller and have to fulfill their responsibilities in that regard. This would include the duty to inform in accordance with Article 13 of the GDPR, as well as evaluating the provided documentation for its relevance by ensuring the provided information does not exceed the purpose of the processing. They also advise consent be properly documented and deleting all the data if the provided documentation makes it clear that the candidate will not be taken into consideration. Regarding the retention period, the ministry advised that should the processing be based on consent, the data could be retained until such consent is revoked.

For the second instance, when the personal data is collected as part of a specific recruitment process but the candidate in the end not chosen for the position, the ministry sets out different purposes of processing for each of those phases. According to the ministry's clarifications, the processing during the recruitment process should be based on Article 6(1)(b) of the GDPR as being a necessary part of the activities performed prior to entering into a contract. This justification should, however, no longer apply if after another candidate is chosen, and data should not be retained unless the candidate specifically requested that their data be kept for future job openings.

The ministry also points out that after the completion of the recruitment process, the documentation of unsuccessful candidates can be kept “for the purpose of protection against possible claims, which might rise in connection with the previous recruitment.” The basis for this being Article 6(1)(f) of the GDPR, as it would lie in the legitimate interest of the would-be employer to protect itself against possible claims of the unsuccessful candidate.

The ministry argues that:

  1.  There is a relevant and appropriate relationship between the data subject and the controller in accordance to Recital 47 of the GDPR, since a legal relationship between the candidate and the potential employer is being created at the time of submitting the job application and that “the candidate can not only suspect, but should assume that his data will be stored after the recruitment process, as well.”
  2. The purpose of the processing is compatible with the purpose for which the personal data was initially collected in accordance with Recital 50 of the GDPR, as the initial purpose was the recruitment of a new employee and the new and compatible purpose the protection again possible future claims of such an individual that might arise as a result of that recruitment process.

This, however, goes completely against the guidance provided by Poland's data protection authority, the Urząd Ochrony Danych Osobowych. In its handbook for employers, the UODO clearly states that the personal data of a candidate, who has not been selected for a position, should be permanently deleted by either destroying it or sending it back to the candidate immediately after finishing the recruitment process, unless there are other grounds for further processing. The UODO emphasizes that retaining the application documentation for a longer period of time would require a special justification and should only be seen as an exception, whereas the general rule would still be the immediate deletion of the data.

What is interesting is that the ministry's sheer announcement of a news conference, during which it would present its guidance, already caused a very firm reaction by the DPA. The day before the conference, UODO President Edyta Bielak published an official announcement voicing surprise with the ministry and stated the following: “This is to kindly remind of the fact that in Poland the only appropriate and specialised authority with regards to issues concerning data protection is the President of the UODO, who has the status and the competences of a supervisory authority as defined by the GDPR. For this reason, it lies with the President of the UODO to provide the official interpretation of the law in this area. According to the GDPR, this is in the sole competence of the supervisory authorities and the European Data Protection Board. Therefore, UODO is the only organ [that] is legally empowered to provide guidance on the interpretation of legal provisions.” Bielak also stated that according to EU law, the president of the UODO is not bound by any legal clarifications regarding the interpretation of the GDPR, and an appeal “not to undertake any action which might expose Polish enterprises to negative consequences and in the longer perspective disrupt their operations and as a result of that raise the question of possible accountability of the state treasurer for such damages.”

Considering these conflicting recommendations, the question occurs about what employers should do with old applications. On one hand, it's worth mentioning that the very restrictive views of the UODO have been criticized by many practitioners in the past. Also, the recommendations provided by the Ministry of Digitalisation seem to be more in line with those provided by other European data protection authorities, such as the U.K. Information Commissioner’s Office and the German Bundesbeauftragte für den Datenschutz und die Informationsfreiheit.

The ICO only asks employers to“[e]nsure that no recruitment record is held beyond the statutory period in which a claim arising from the recruitment process may be brought” and the BfDI also specifically recognizes the right of the employer to retain documentation from the recruitment process in order to defend itself against breaches of anti-discrimination law.

One should take into account that any sort of fines or other limitations would in the end be imposed by Poland’s data protection authority, and not the ministry, since proceedings regarding the infringement of data protection law would be led by the President of the UODO. It is more likely that they would choose the interpretation from the official employee handbook, rather than the ministry's guidance.

Until the UODO revises its recommendations, it would be advisable for companies to severely limit the instances in which the applicant's documentation is being retained to cases where a concrete suspicion that legal action might be taken afterward exists, such as instances with two very similar applications or where the applicant is known for claiming damages with other companies in the past.

Photo by Kamil Gliwiński on Unsplash

Comments

If you want to comment on this post, you need to login.