An integral part of the labor market today is the temporary employment agency. The GDPR has introduced new obligations for their operations. In this article, we will discuss how temporary employment agencies should operate to meet the requirements of the GDPR and what steps are worth taking to minimize the risk of non-compliance.
Table of Contents
- What is a temporary employment agency?
- Protection of personal data of job candidates and the role of temporary employment agency in the recruitment process
- Recruitment and obligations of a temporary employment agency
- User employer
- What are the risks of non-compliance with GDPR in a temporary employment agency?
What is a temporary employment agency?
A temporary employment agency is an entity that acts as an intermediary between employers and employees. It hires workers who are then lent to other companies in need of additional workforce. This can be done for a specified or unspecified period of time. Thus, a temporary employment agency processes a lot of personal data. This includes data of its employees, clients, and business partners.
Compliance with GDPR is essential for a temporary employment agency. It allows to avoid serious financial sanctions. But, above all, it is crucial to protect the privacy of personal data of its employees and contractors. The agency should apply relevant security measures and procedures to reduce the risk of violating GDPR.
Protection of personal data of job candidates and the role of temporary employment agency in the recruitment process
According to the Act, a temporary employment agency deals with hiring temporary workers. As part of the contract with the user employer, such an agency plays the role of data controller. This means that it decides about the purposes and ways of processing personal data of candidates for temporary workers. This refers to the ones who are sourced by the agency or are already in its database. Moreover, it also concerns those who participate in the agency’s recruitment process. In this way, a temporary employment agency meets the definition of a data controller defined in Art. 4(7) of the GDPR, according to which:
“‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Recruitment and obligations of a temporary employment agency
As controller of personal data, temporary employment agency must comply with certain requirements. It must inform candidates about processing of their data in accordance with Art. 13 or 14 of the GDPR. The applicable article depends on the source from which the data was obtained. The agency processes personal data for the purpose of recruitment and selection of suitable temporary workers for user employers. Therefore, the agency must ensure the proper processing of personal data. Moreover, it must destroy application documents of remaining candidates after the recruitment process.
Temporary employment agency provides personal data of the selected workers to user employers. Thanks to that the latter can fulfill their duties as employers. Such exchange of data between the agency and the user employer results from agreements between them. Based on these agreements, the necessary data of the workers are transferred to user employers. This allows them to carry out their tasks and obligations as employers properly.
A temporary employment agency is the data controller in the case of concluding employment contracts of temporary workers. It is also responsible for many other tasks. Its role is strictly defined by law and the agreement with the user employer. Similarly, the user employer has specific tasks and obligations resulting from legal regulations. Both temporary employment agency and user employer are responsible for achieving their goals. Moreover, they are obliged to demonstrate the legal basis for processing personal data if necessary. Therefore, the relationship between the temporary employment agency and the user employer is usually based on the classic controller-controller model.
According to the Act on temporary employment, the user employer has a number of obligations related to processing of personal data of temporary workers. Among them, there is:
- ensuring safe and hygienic working conditions,
- keeping records of working time,
- keeping records of temporary workers, and others.
To fulfil these obligations, the user employer must take specific actions. For example, he must conduct occupational health and safety trainings. He is also responsible for preparing work accident reports and issuing access cards. Another obligation of user employer is establishing work schedules, and providing lists of employed workers to labor unions. All these activities involve processing the personal data of temporary workers.
In addition, after selecting candidates for work, the user employer becomes the controller of their personal data. Thus, he must follow an information obligation resulting from Article 14 of the GDPR. This obligation must be fulfilled at the first contact with the person whose data is being processed.
It is important for both the temporary employment agency and the user employer to properly identify their roles. This will allow them to fulfill their respective obligations towards temporary workers in accordance with data protection regulations.
What are the risks of non-compliance with GDPR in a temporary employment agency?
The most important threats are identified below.
- Violation of the privacy of employees and clients. A temporary employment agency processes large amounts of personal data. These include name, surname, address, PESEL number, ID card number, as well as data on professional qualifications. Insufficient protection of this data may lead to its unauthorized use or disclosure.
- Financial penalty. If a temporary employment agency does not comply with GDPR regulations, it may be subject to a high financial penalty. It can amount to 20 million EUR or 4% of the company’s annual turnover.
- Loss of reputation. Violation of the privacy of personal data of employees and clients can lead to loss of trust and reputation. In the long term, it may result in loss of clients and profits.
Therefore, a temporary employment agency should use appropriate procedures and safeguard measures. Such entities should pay attention to employee training, security policies, and periodic audits. Moreover, they should monitor and verify the internal process of personal data processing.
Are you looking for an accountant in Poland or a payroll services provider in Poland? Specialists from our accounting firm in Poland, Warsaw will be happy to help. If you are interested in company formation in Poland visit our dedicated landing page.