GDPR in Temporary Employment Agency

GDPR in Temporary Employment Agency
Jakub Chajdas

Jakub Chajdas

Partner / Attorney-at-law

General Data Protection Regulation (GDPR) is a very important issue for every company, including temporary employment agencies. Implementation of GDPR provisions is mandatory for every entity that processes personal data. When it comes to temporary employment agency, it is necessary to analyze the issue of employing temporary workers and the role of the agency and user employer in the context of personal data protection in accordance with two regulations. The first one is the Act on Temporary Employment of 9 July 2003 (Journal of Laws 2019, item 1563 consolidated text). The second one is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. The latter concerns the protection of natural persons with regard to the processing of personal data and their free movement. It takes into account the role of the agency in processing personal data of its employees and clients.

Table of Contents

What is a temporary employment agency?

A temporary employment agency is an entity that acts as an intermediary between employers and employees. It hires workers who are then lent to other companies in need of additional workforce. This can be done for a specified or unspecified period of time. Thus, a temporary employment agency processes a lot of personal data. This includes data of its employees, clients, and business partners.

Compliance with GDPR is essential for a temporary employment agency. It allows to avoid serious financial sanctions. But, above all, it is crucial to protect the privacy of personal data of its employees and contractors. The agency should apply relevant security measures and procedures to reduce the risk of violating GDPR.

Protection of personal data of job candidates and the role of temporary employment agency in the recruitment process

According to the Act, a temporary employment agency deals with hiring temporary workers. As part of the contract with the user employer, such an agency plays the role of data controller. This means that it decides about the purposes and ways of processing personal data of candidates for temporary workers. This refers to the ones who are sourced by the agency or are already in its database. Moreover, it also concerns those who participate in the agency’s recruitment process. In this way, a temporary employment agency meets the definition of a data controller defined in Art. 4(7) of the GDPR, according to which:

“‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Recruitment and obligations of a temporary employment agency

As controller of personal data, temporary employment agency must comply with certain requirements.  It must inform candidates about processing of their data in accordance with Art. 13 or 14 of the GDPR. The applicable article depends on the source from which the data was obtained. The agency processes personal data for the purpose of recruitment and selection of suitable temporary workers for user employers. Therefore, the agency must ensure the proper processing of personal data. Moreover, it must destroy application documents of remaining candidates after the recruitment process.

Temporary employment agency provides personal data of the selected workers to user employers. Thanks to that the latter can fulfill their duties as employers. Such exchange of data between the agency and the user employer results from agreements between them. Based on these agreements, the necessary data of the workers are transferred to user employers. This allows them to carry out their tasks and obligations as employers properly.

Do you need help in adapting your business to the GDPR requirements?

You can rely on the knowledge, experience, and support of our specialists. By working with us, your company can avoid the consequences of neglecting personal data protection rules.

User employer

A temporary employment agency is the data controller in the case of concluding employment contracts of temporary workers. It is also responsible for many other tasks. Its role is strictly defined by law and the agreement with the user employer. Similarly, the user employer has specific tasks and obligations resulting from legal regulations. Both temporary employment agency and user employer are responsible for achieving their goals. Moreover, they are obliged to demonstrate the legal basis for processing personal data if necessary. Therefore, the relationship between the temporary employment agency and the user employer is usually based on the classic controller-controller model.

According to the Act on temporary employment, the user employer has a number of obligations related to processing of personal data of temporary workers. Among them, there is:

  • ensuring safe and hygienic working conditions,
  • keeping records of working time,
  • keeping records of temporary workers, and others.

To fulfil these obligations, the user employer must take specific actions. For example, he must conduct occupational health and safety trainings. He is also responsible for preparing work accident reports and issuing access cards. Another obligation of user employer is establishing work schedules, and providing lists of employed workers to labor unions. All these activities involve processing the personal data of temporary workers.

In addition, after selecting candidates for work, the user employer becomes the controller of their personal data.  Thus, he must follow an information obligation resulting from Article 14 of the GDPR. This obligation must be fulfilled at the first contact with the person whose data is being processed.

It is important for both the temporary employment agency and the user employer to properly identify their roles. This will allow them to fulfill their respective obligations towards temporary workers in accordance with data protection regulations.

What is a Non-Disclosure Agreement (NDA)? Learn more from this article.

What are the risks of non-compliance with GDPR in a temporary employment agency?

The most important threats are identified below.

  • Violation of the privacy of employees and clients. A temporary employment agency processes large amounts of personal data. These include name, surname, address, PESEL number, ID card number, as well as data on professional qualifications. Insufficient protection of this data may lead to its unauthorized use or disclosure.
  • Financial penalty. If a temporary employment agency does not comply with GDPR regulations, it may be subject to a high financial penalty. It can amount to 20 million EUR or 4% of the company’s annual turnover.
  • Loss of reputation. Violation of the privacy of personal data of employees and clients can lead to loss of trust and reputation. In the long term, it may result in loss of clients and profits.

Therefore, a temporary employment agency should use appropriate procedures and safeguard measures. Such entities should pay attention to employee training, security policies, and periodic audits. Moreover, they should monitor and verify the internal process of personal data processing.

If you find the above article interesting and want to know more about the topic, we invite you to cooperate with us. Our legal experts in Lodz and Warsaw are at your disposal. Contact us today and let us help you.

Contact us

    CGO Legal

    CGO Legal
    Justyna Sączawa
    Administration specialist
    CGO Legal
    Anna Ślusarek
    Administration specialist