Limitations of the GDPR in the recruitment

In connection with a number of legal changes accompanying the implementation of the GDPR[1] into our legal system, and thus the amendment to the Labour Code of 4 May 2019, there have been changed, among others, the rules for recruitment of employee candidates. Thus, the hitherto commonly used business practices, accompanying the employment process, should be verified.

It is important to note the far-reaching consequences of the amended wording of Article 221 § 5 of the Labour Code, according to which “Making personal data available to the employer takes place in the form of a statement of the data subject. The employer may demand that the personal data of the persons referred to in § 1 and 3 be documented, to the extent necessary to confirm it”.

Until now, an employee candidate, when submitting a CV to a new employer, had to take into account the fact that the potential employer will want to verify the information provided therein. Most often it was connected with e.g.: establishing contact with the current or former employer indicated in the CV so as to obtain information on the course of cooperation with the employee.

It should be pointed out that now, such action (without the employee’s prior consent, preferably expressed in writing in accordance with the principle of accountability) will be unlawful. This position has also been confirmed by the Personal Data Protection Office (UODO), thus the submission by the employee candidate of the so-called references does not entitle the employer to contact the entity which issued them in order to obtain additional information about the candidate.

It should be remembered that personal data is provided to the employer in the form of a statement made by the person concerned. Thus, a potential employer cannot ask the former employer for information about the tasks performed by the candidate, or about the former employer’s opinion on the employee candidate. During the recruitment process, the source of information concerning the course of professional work should be the candidate themselves.

Another practice used by the employers was to address e.g. universities, asking for confirmation of studies or trainings completed the employee candidate. Due to the change of regulations, the employer lost the right to verify the diplomas, certificates etc. submitted by the employee candidate. Referring to the above mentioned provision of the Labour Code, it should be noted that personal data is made available to the employer in the form of a statement of the person to whom they refer, and as a consequence, the practice of additional verification of information obtained from the candidate would violate the rights and freedoms of the person concerned. Should doubts arise as to the authenticity of documents submitted by an employee (at the employer’s request), the employer may submit a notification of the possibility of committing a crime of forgery set out in in Article 270 of the Criminal Code.

In large companies with capital ties, one could observe the phenomenon of keeping the so-called “blacklists” of former employees – persons with whom the employment relationship was terminated, for reasons attributable to the employee. These were most often aimed at preventing the employment of such blacklisted employees by any subsidiary or other equity-related company. Keeping such “lists” is against the law because there is no legal basis for exchanging information between the employers about the employees. Additionally, the creation of such personal data files may lead to discrimination against an employee and, consequently, to a possible court claim.

Equally often, the employers are confronted with the phenomenon of receiving CVs, despite the fact that no recruitment has been undertaken. The most common practice among employers was to leave such an application in a separate binder or in an e-mail box for possible later use. It should be noted that if the employer does not intend to conduct recruitment, they should remove the candidate’s data from their file. It is also acceptable to contact the candidate in order to obtain consent for the processing of their personal data for the purposes of future recruitment.

Taking into account the number of changes in the regulations, we recommend that you consult us before making any business decisions in order to minimize legal risks. If you have any questions, we are at your disposal. Mateusz Pergałowski ( will provide you with more information on labour law.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).