In this article, we address some questions that may worry employers, especially during a pandemic, when switching to a home office carries the risk of violating the principles of personal data processing.
Online recruitment versus personal data processing
What data can you require from a potential employee?
When starting the recruitment process, remember that the scope of data you may require from a job applicant is different from the catalogue of data collected from an employee. The key provision you should follow when collecting data is Article 22¹ of the labour code.
According to this regulation, as an employer you may request from a job candidate the following information:
• date of birth
• contact details
• education, qualifications and the course of previous employment, but only if this is necessary for the job
Only when you decide to employ a candidate, that is, when concluding an employment contract, does the data catalogue extend to the following categories:
• address of residence
• PESEL number or the type and number of the identity document
• other personal data about an employee and their family, if it is necessary for the purposes of exercising specific rights under labour law
• education and employment history, if there was no basis for it in the recruitment process
• bank account number
If the regulations require additional information about the employee (such as confirmation of specific qualifications), you can also request it on this basis.
You should remember that Article 22¹ of the labour code is not the only basis for processing the data of candidates and employees. Other categories of data can be obtained with their consent or on their initiative. This means that if a job applicant includes in their CV information about certificates obtained during the course of employment, you can accept this data. The initiative of the job applicant or employee alone is a basis for collecting biometric data and the specific categories of data referred to in Article 9 section 1 of the GDPR (e.g. racial or ethnic origin, political opinions, trade union membership). The only exception is information on convictions and criminal offences, which cannot be obtained from employees and job applicants unless specific provisions require a clean criminal record for the performance of the job.
If a candidate has to give their consent, its absence or withdrawal cannot have negative consequences, especially in the form of refusal of employment, termination of the employment contract or its termination by the employer.
Can a potential employer obtain a candidate’s data from social media?
It is unacceptable for employers and recruitment agencies to collect information posted by job applicants on social media and other public sources during the recruitment process.
Can the employer monitor the employee’s mailbox?
The answer to that question is yes, if the criteria of the labour code and the GDPR are met.
Monitoring employees’ emails is allowed when it is necessary to ensure:
• work organisation that enables full use of working time,
• proper usage of work tools.
Such criteria may include verification of the proper division of duties and control of the use of official equipment for private or non-duty purposes.
At the same time, while controlling emails, the employer should act with due diligence so as not to violate:
• the confidentiality of the employee’s correspondence,
• their other personal rights.
This may raise doubts when controlling an employee’s mail, as the employer may not open or read correspondence whose designation or initial content shows that it is private.
A solution that minimises the risk of violating the confidentiality of correspondence, and also of email being used for private purposes, is to include in the work regulations an appropriate clause informing employees about the conditions of using email, or to offer employees a separate Wi-Fi network which will not be monitored.
The methods, scope and purpose of employee control generally do not require the employee’s consent, but prior notification is necessary.
Project execution in the capital group – is it possible to transfer employee data between the companies within the group?
If, due to Covid-19, you want to delegate an employee to work in another company in the capital group, pay attention to the contradictions that arise under the GDPR.
In a group of companies, the concept of control under the GDPR is not the same as corporate control under commercial law. According to the GDPR, the controlling company exercises a dominant influence over other companies because of ownership structure, financial participation or the power to prescribe the implementation of personal data protection rules. This means that, contrary to the rules of commercial law, the parent company can exercise control (as defined by the processing of personal data) and not only the subsidiary can be controlled. The choice of the Personal Data Administrator (that is, the company in the group) depends on the decision of the group of companies (Article 37 section 2 of the GDPR).
Administrators of personal data have a legitimate interest in the transfer of employees' personal data within a group for internal administrative purposes, such as delegating an employee to another company to carry out a specific project. However, where they conflict with the interests of the employer, the fundamental rights and freedoms of the employee whose data is processed are always prioritised.
The administrators performing their function in each company in the group may associate on the basis of co-administration. Within such cooperation, the administrators establish common purposes and methods of data processing, which eliminates the processes of entrusting and sharing data, as they process the data jointly in accordance with the established purposes.
Authors: Aleksandra Hajdukiewicz, Oliwia Kruczyńska, Justyna Tofil from Kołecka Law Firm