international employment law firm alliance L&E Global
Poland

Poland: Conflicting interpretations by Polish state authorities regarding the period of storage of personal data of job candidates

According to the Ministry of Digitalization’s opinion, the employer has the right to retain, after the end of the recruitment process, the recruitment documents of persons who have not been employed, for the purposes of protection against any claims that may arise in connection with the conducted recruitment. In this case, the basis for the processing of personal data will be art. 6 item 1 letter f) of the GDPR, i.e. a legitimate interest. Additionally, according to the Ministry, processing based on art. 6 item 1 letter f) of the GDPR should be accompanied by a prior risk analysis of such claims being raised. As the Ministry’s opinion indicates, the employer should conduct such tests, taking into account the course of the recruitment process and the possibility of appearance of such claims. The retention period of the recruitment documents of rejected candidates should, however, be as short as possible, and no longer than a few months.

The aforementioned opinion is contrary to the view presented by the Polish Office of Personal Data Protection. The Office clearly indicates that the personal data of the rejected candidates should be deleted at the moment of ending of the recruitment process, by which the Office understands the moment of signing an employment contract with the selected candidate. Moreover, the Office claims that it is unacceptable to process recruitment data only in order to protect against possible future and uncertain claims. Furthermore, the Polish Office of Personal Data Protection has expressed its strong disagreement with the content of the Ministry of digitalization’s opinion.

The aforementioned contrary opinions of two state authorities are confusing for the entities conducting recruitment processes. However, although the Ministry’s opinion may be viewed as more favourable for recruiters, it must be remembered that it is the Office that performs audits and controls within the scope of personal data protection.