Recruitment in IT - personal data

Conducting a recruitment process involves processing a range of candidates' personal data, regardless of whether we are recruiting employees or associates engaged under a contract of mandate or a B2B contract. In this post, we discuss the most important aspects to pay attention to when recruiting in the IT industry, in particular the provisions of the General Data Protection Regulation ("GDPR") and the Labor Code ("LC").

When recruiting an IT specialist one should keep in mind the following matters related to the processing of candidates' personal data:

  • when recruiting a candidate for an employee position, we are bound by the provisions contained in Articles 221 - 221b of the Labor Code;
  • generally, only the personal data indicated in Article 221 §1 of the LC may be collected from an employee candidate, unless a specific provision of the law authorizes or obligates us to collect other data as well (Article 221 §4 of the LC), or the candidate gives consent to the processing of their other personal data in accordance with Articles 221a and 221b of the LC;
  • we should remember that criminal record data cannot be processed on the basis of the candidate's consent (Article 221b §1 of the Labor Code), and that personal data of special categories (e.g. concerning the candidate's health) may be processed only if the candidate discloses them on their own initiative. Disclosure of such data should be neither required nor even suggested in any way. Consent to the processing of such data should be clear, and hence documented following the principle of accountability (Article 5(2) of the GDPR);
  • even though the aforementioned regulations are directly binding only on the recruitment of employee candidates, it is good practice to apply them accordingly to other recruitment as well. Since the legislator has recognized the above-mentioned rules as proper for conducting the recruitment process, wherever possible we should apply the principle of minimizing the processing of personal data (Article 5(1)(c) of the GDPR) and not go beyond the aforesaid rules when recruiting candidates for associates either (even if they are self-employed). This should be taken into account especially in the case of personal data of special categories and criminal record data (Articles 9 and 10 of the GDPR, respectively);
  • we should always keep in mind the principle of minimizing the processing of candidates' personal data (Article 5(1)(c) of the GDPR). In particular, we should collect only the personal data that are essential for the recruitment process, process them only for the purpose strictly specified and communicated to the candidate, and only for as long as is needed to achieve the defined purpose of the processing;
  • we are always obliged to determine the role in which we act when processing a candidate's personal data. In principle, we will take the role of either data controller or data processor. Simply put, we are a data controller if we have our own legal basis for processing the candidate's personal data for the purposes that we have specified. Conversely, we are a data processor when we process the candidate's personal data for the purposes specified by another entity, based on a data processing agreement with that entity;
  • if we process the candidate's personal data as a data controller, we must fulfill the information obligation towards the candidate under Article 13 or 14 of the GDPR, including informing the candidate of the legal basis on which we process their personal data, the purposes for which we process their data, and the intended length of the processing of their data;
  • if we process a candidate's personal data as a data processor, we are obliged to conclude a data processing agreement with the controller of such data before obtaining it - as this will be the only basis legitimizing our processing of such data;
  • one should be careful when selecting sources for obtaining information about candidates, particularly social media. In particular, the use of professional profile sites, such as LinkedIn, is considered acceptable, while the use of private profile sites, in particular Facebook or Instagram, is considered unacceptable;
  • one should be cautious when setting a data retention period. If we process a candidate's personal data only for a specific recruitment, we should remove it from our resources promptly after the recruitment process ends. If we have obtained the candidate's consent to process their data for future recruitment and we want to process them for this purpose as well, we should renew such consent periodically; we recommend doing so once a year. Regardless of the acquired consent, we are obliged to delete the candidate's data if it is no longer relevant to us;
  • if we are a recruitment agency, we should be cautious about the requirements of clients (especially foreign ones) concerning the scope of the candidate's personal data we are supposed to obtain. In particular, it will frequently be prohibited or severely restricted to conduct so-called background screening of the candidate: verifying their criminal record or place of residence, or calling their former workplaces or educational facilities to make sure that they have given us authentic data on their education and work experience. The expectations of some customers are highly inflated and impossible to reconcile with the principles of processing personal data throughout the recruitment process that apply in Poland;
  • generally, we should avoid processing candidates' personal data using service providers located outside the European Economic Area (EEA). In a situation that requires the use of a service provider outside the EEA, we must consider using standard contractual clauses, a special instrument developed by the European Commission for legalizing the transfer of data outside the EEA.

In brief, properly regulating the principles of personal data processing during the recruitment process is significant for the legal security of the parties involved. This task should be approached meticulously and with proper attention, so as not to expose oneself to administrative (or even criminal) sanctions, or to civil law sanctions resulting from lawsuits brought by candidates who have questioned the processing of their personal data.


Publication date: 07.10.2021.

Borek Doliński Radcowie Prawni spółka jawna
