GDPR-Compliant Recruitment: A Comprehensive Guide to Sourcing & Candidate Verification

GDPR in Recruitment - About the Guide

This guide is a compilation of responses to the most common questions that recruiters ask regarding GDPR-related matters in recruitment.

Designed to help with the processing of candidates' personal data, the guide was put together using the expertise of recruitment professionals and personal data protection experts. The topics in it were covered in webinars held in collaboration with lawyers and GDPR and recruitment experts from the Creativa.Legal law firm. The guide also offers links to the webinar recordings.

Key terms related to GDPR

Processing of Personal Data – any operation performed on such data, including recording, copying, editing, or transmitting it, regardless of where the data is stored (e.g. in a notebook, in Excel, in the recruitment system, on the LinkedIn platform, or on a mobile phone).

Article 6 of the GDPR lists several legal bases for processing; the three that matter in recruitment are:

  • legitimate interest,
  • consent, or
  • legal obligation.

Personal data may be processed only if one of these grounds is present.
Consent of the individual whose data is being processed is the most straightforward situation: the candidate has given direct or implied permission for their data to be processed.

Legitimate interest refers to a situation where the entity may process personal data without consent because it has a legitimate interest that is not overridden by the candidate's own interests and rights. For instance, a recruiter who is already in contact with a candidate about a role has a legitimate interest in keeping that candidate's contact details in order to follow up on the recruitment.

Legal obligation – a circumstance in which the law, for example the Labour Code, requires or expressly permits the processing of personal data.

To comply with the law, it is sufficient to have one of the above grounds for processing personal data. Consent from the candidate (or from any other individual, in other kinds of activity) is not needed if there is a legitimate interest or a legal obligation.

Frequently Asked Questions

Is it possible to process a candidate's personal data without their consent?

Yes, it is permissible to process a candidate's personal data without their consent, provided we have one of the two other legal grounds: a legitimate interest or a legal obligation.
It is also worth noting that the candidate's consent can be expressed implicitly through conduct that shows their wish to take part in the recruitment process.
This applies primarily to actions such as sending a CV, arranging an interview, or conducting a recruitment interview via LinkedIn messages. Such conduct implies consent to take part in the recruitment process and allows the company to process the candidate's personal data, including adding the candidate to the recruitment system or a notebook.

Apart from one of the three legal bases, is there any other obligation that the employer must fulfil to process candidates' personal data?

Yes. Besides having a lawful basis for processing personal data, the GDPR imposes an additional requirement: informing the candidate about the processing of their data. This is also referred to as the duty to provide information, or the information obligation.

The information obligation requires that candidates be given the information listed in Articles 13 and 14 of the GDPR. This covers principally the identity and contact details of the controller and the rules of the processing: its purposes and legal basis, the recipients of the data, the retention period, and the candidate's rights.

Best practice involves creating an “Information Obligation” document, which incorporates all the elements detailed in Articles 13 and 14 of the GDPR and furnishing this document to candidates as a means of fulfilling the information obligation.

By what date must the information obligation be fulfilled?

The information obligation must be implemented as soon as the processing of the candidate’s personal data begins. What does this mean in practice? Here are some examples:

  1. A candidate who is interviewed on LinkedIn but whose data is not yet stored outside the portal is, in the guide's view, not yet subject to the information obligation, because their data is processed only on the portal and the employer does not hold it. In this case only LinkedIn's terms and conditions apply, which regulate who (LinkedIn) processes the data and under what conditions (those set out in the terms).
  2. A candidate who is interviewed on LinkedIn and whose data is saved outside the portal (e.g. in an ATS that manages sourcing/direct search, such as the Element system). In this case the information obligation must be fulfilled, i.e. the candidate must be given the information indicated in Articles 13 and 14 of the GDPR. In addition, of course, there must be a basis for processing the personal data (e.g. the candidate's consent or a legitimate interest).
  3. The candidate has sent a CV in response to a recruitment advertisement. In this case it is best to add a statement to the application form in which the candidate confirms that they have read the information notice, and to include the notice in the form or link to it.

Can the information obligation be hidden behind a web link or must the candidate receive the entire content of the obligation straight away?

Yes, there is no need to include the entire content of the information notice on the application form or in the message to the candidate. It is sufficient to give the candidate a link to a document, e.g. a web page that contains all the information required by Articles 13 and 14 of the GDPR, or a document (e.g. a PDF) that can be displayed or downloaded and read.

Can I send a link to the information obligation in a message on Linkedin?

Yes. We will answer your next question on what such a message might look like.

How can the duty of information be most easily fulfilled in daily communication with the candidate? How not to scare the candidate with legal complexities?

On the one hand, the law requires that the duty of information be fulfilled as soon as the processing of a candidate's personal data begins. On the other hand, this is very impractical from the point of view of a recruiter who is just establishing a relationship with a candidate, where every message, not to say every word, should encourage the candidate into that relationship. Raising legal issues in the first messages sent to candidates can certainly make it harder to build trust. So how do we deal with this problem?

We have to admit that the law is not tailor-made for the recruiter in this respect and we do not have a miracle solution. All the lawful solutions are clumsy; of the clumsy ones, in our opinion the best is the following:

  1. We make contact with the candidate on LinkedIn and interview them on LinkedIn.
  2. We add the candidate to our list of candidates in a recruitment system, Excel or wherever else we manage sourcing/direct search activities (we start processing personal data outside LinkedIn and the information obligation arises).
  3. In reply to one of the candidate's messages, we send a message like this: "I want to stay in touch with you and I am saving your contact details for this purpose. The GDPR requires me to tell you who stores your data and on what basis, so I am sending you a link to our personal data processing rules: link 🙂 Greetings and stay in touch 🙂"

This is an example showing one way of weaving the information obligation into a conversation with a candidate. This or other similar wording is worth having in your notepad to use with ctrl+c ctrl+v. Of course, the link is the address of the file or website with the content of the information obligation.

There is also an alternative scenario that is worth using when the candidate has already agreed to send their CV. In this case the best option is to ask the candidate not to send the CV via a LinkedIn message or by email, but via an application form (e.g. a form generated by the Element ATS), on which they can tick their GDPR consents straight away and read the information notice.

There will be more on how to prepare the consents on the application form later in this guide. Here is an example of the message to the candidate in this scenario:

"If you can, please send your CV via the application link: link. This way you will appear in my recruitment system straight away, we will have your GDPR consents at the same time, and you will not have to add or send these consents anywhere manually 🙂"

Does it matter where we obtain candidate data from? (LinkedIn vs Facebook and other portals)

The rules for processing candidates' personal data outside these portals (i.e. when we save the data in our own resources, such as a recruitment system or a notepad) are exactly the same whether we obtain the data from LinkedIn, Facebook or any other source. We must always:

  1. Have a legal basis for the processing (one of the three: consent, legitimate interest, legal obligation).
  2. Fulfil the information obligation.

However, there is one important difference between LinkedIn and other social networks such as Facebook or Github. The difference is that by creating their accounts on LinkedIn, users accept LinkedIn’s terms and conditions, which clearly indicate that the portal is for business relationships and job searches:

Our services allow the user to discover career opportunities, evaluate educational opportunities, be found or find new professional opportunities. Your profile can be found by people who want to hire you (for a job or a specific task) or who want to be hired by you. We use your data to recommend job opportunities or people looking for a mentor, to show you and others relevant business contacts (e.g. who works in a particular company, industry, position or location, or has relevant skills and contacts).

Acceptance of LinkedIn's terms and conditions means that, in the guide's view, it is not necessary to ask a LinkedIn user separately for consent to send them a business proposal or job offer. Such consent is normally required under Article 172 of the Polish Telecommunications Law, but by accepting the portal's terms for receiving such offers the user has already given it. That does not mean that, for the sake of effective communication and good manners, it is not worth obtaining such consent anyway: by all means do so.

How long can a candidate's personal data be processed?

Unfortunately, there is no clear answer to this question, because the GDPR does not state a specific time limit. It says only that personal data may be processed for no longer than is necessary for the purposes for which they are processed.

What does "the time necessary for the purposes of the processing" mean? Each case is worth considering individually. In practice, a period of about 14 days after the end of the recruitment process (for administrative wrap-up) is generally treated as not exceeding what is necessary.

Update 10.09.2022 – there has been a court decision which overturned the decision of the President of Polish UODO and which suggests that a candidate’s CV can be retained by the employer for 3 years after the end of the recruitment process. More in my article which describes the above ruling.

In my personal opinion, which should, however, be taken only as my opinion and not as legal advice, the necessary time lasts as long as there is a real chance that the candidate will be hired.

In the event of litigation, we must demonstrate that indeed all candidates whose data we process are realistically considered for employment in the position for which they applied.

However, we need to separate the candidate’s consent to participate in a specific recruitment process from consent for future processes.

In the case of consent for a specific recruitment process, we can certainly process the candidate’s personal data until the end of that process and for a short (e.g. the aforementioned 14 days) period after the end of that process. However, what if this recruitment process does not end at all because we are continuously looking for candidates for a specific job position? What if the candidate applying for such a position is not the first choice candidate and is kept in this process in case a more suitable candidate cannot be found? The process has not been closed, it is still ongoing, at the same time we do not make a final decision on the candidate in this process and we process the data of this candidate for e.g. 12 months after this candidate has applied and we have already hired 10 other candidates along the way. How would such an action be interpreted by a court? Unfortunately, it is difficult to say and we have to wait for specific rulings that will determine the direction of interpretation of the legislation.

Maciej Michalewski comments: In the case of consent for future recruitment processes, there is also no specific guidance in the GDPR. I implement Element’s recruitment system in more companies each month and I see that in most cases these companies use 12 and 24 months’ consent for future recruitment processes. However, I have also come across some companies that treat consent for future recruitment processes as indefinite, until revoked by the candidate. Again, there is no single, clear and uncontested ruling here.

Lawyer Arkadiusz Szczudło’s comment: data for future recruitment should be processed for as long as the CV is of value to the employer – but this will usually be 6-12 months. CV data can become outdated quickly.

Can only one general consent for all recruitment processes be included in the application form for a specific job vacancy, together with an information obligation?

No. Consent for future recruitment processes cannot be made a condition of applying for a specific position advertised in a specific recruitment advertisement. It is therefore best to let the candidate tick two separate consents:

  1. Mandatory consent, for the specific recruitment process, with a link to the information notice.
  2. Optional consent, for future recruitment processes. Here we do not repeat the information the candidate has already had to confirm under the first consent; in particular, the link to the information notice does not need to be included again.

Can consent for future recruitment processes be required?

It cannot, unless we are dealing with a so-called spontaneous application, i.e. a case where the candidate does not apply for a specific position but sends a CV solely for use in future recruitment. Such consent can be used, for example, on an application form attached to a "Leave a CV" button, which can be placed on the careers page. Any candidate can then upload a CV, even when we are not recruiting.

On LinkedIn, we may talk to a potential candidate whom we want to have in our candidate database for future recruitment processes. In this case we either provide a special application form containing only the consent for future recruitment processes, or we ask them to send their CV another way (by email, via a LinkedIn message); if we have informed the candidate that we will keep their CV for use in future recruitments, we treat the fact that they send it as implied consent to take part in future processes. In this case we no longer need to collect formal consent, but we do need to fulfil the information obligation, in the way discussed earlier in this guide.

Can the mere fact of sending a CV, be considered as consenting to the processing of personal data?

Yes. Any behaviour of the candidate that can be interpreted as a willingness to participate in the recruitment process is at the same time expressing the candidate’s consent to the processing of his/her personal data as part of that recruitment process. It is not necessary in this case to obtain formal consent, i.e. a statement from the candidate provided to us in the form of a clause added to the CV, sent in a message or marked on the application form.

Does such implied consent extend to future recruitment processes? It depends.

If the candidate sends a CV because we are talking to the candidate about a specific recruitment process, then the answer is no. In this case, only consent for a specific recruitment process can be presumed.

Similarly, if a candidate sends a CV via an application form for a specific position and the form does not have any clauses for the candidate to tick, then we only presume consent to a recruitment process for a specific position within a specific advertisement.

However, if we talk to a candidate about the fact that we would be happy to see their CV in our candidate database because we have various projects currently or in the future and the candidate sends a CV, or if the candidate sends a CV via a general application form that does not apply to any specific recruitment process, then we treat such behaviour by the candidate as consent to participate in future recruitment processes. It is always a good idea to prepare a model feedback message with an information obligation and a request for consent for future recruitment.

Is it possible to process the personal data of a candidate who has expressly stated his or her consent but has not received information under the duty to inform?

No. The information obligation under Articles 13 and 14 of the GDPR cannot be waived by the candidate's consent, so the fact that the candidate has expressly consented does not relieve the employer of the duty to inform.

What is the difference between the situation of an employer where the duty of information has been fulfilled but we do not have the candidate's consent to process personal data and the situation where we do have such an explicit statement?

It depends on whether we have a legal basis for processing the candidate's personal data.

As a reminder, consent is one of the three grounds for processing candidate data (see the key terms above). The absence of consent does not rule out a legitimate interest or a legal obligation to process the data. So if we have a legitimate interest, for example, the situation of the two employers is exactly the same: both have complied with their duty to inform and both have a legal basis for processing personal data. If, however, the employer has no legal basis, it must obtain one, e.g. by obtaining the candidate's consent.

We want to extend the validity of the candidate's consent to process his/her personal data. Is it sufficient for us to fulfil the information obligation again, or do we need to obtain explicit consent once more for future recruitment?

We should obtain the candidate’s consent once again. The fulfilment of the information obligation does not affect the extension of the time limit accepted by the employer for the processing of personal data. However, it seems that it is possible to send, for example, a message to the candidate like this:

Good afternoon, due to the protracted recruitment process, and new projects coming up, we would like to extend the deadline for storing your CV in our candidate database for another 12 months. If you agree, please click on the link and our system will automatically extend the deadline.

Thank you in advance!

The above-mentioned link would be, for example, a link to the application form, where the candidate sees again the content of the consents and a link to the information obligation.
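The retention questions above (a short grace period after a process closes, 12 or 24 months for future-recruitment consent) and the "click to extend" link just described are easiest to get right when the ATS records every consent together with its purpose, the version of the information notice shown, and an expiry date, and deletes records that no live consent covers. The Python sketch below is an added illustration, not code from the Element system or from the guide: the `ConsentStore` class, its method names and its default retention periods are assumptions chosen for the example, and the HMAC-signed renewal token stands in for whatever a real system uses to tie the link in the message to one candidate.

```python
"""Purpose-bound consent records with retention enforcement.

Added illustration, not code from the Element ATS or the guide.
Assumptions: retention periods are configurable values (the defaults below
are the 14-day grace and 12-month future-consent periods mentioned in the
guide, not legal minimums or maximums); the renewal link is an HMAC token.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac

FUTURE = "future"  # consent for future recruitment processes


@dataclass
class Consent:
    purpose: str                 # "process:<id>" or FUTURE
    notice_version: str          # version of the Art. 13/14 notice shown with it
    given_at: datetime
    expires_at: datetime | None  # None: the process is still open, no deadline yet

    def live(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class Candidate:
    candidate_id: str
    consents: list[Consent] = field(default_factory=list)


class ConsentStore:
    def __init__(self, secret: bytes,
                 future_ttl: timedelta = timedelta(days=365),
                 post_close_grace: timedelta = timedelta(days=14),
                 token_ttl: timedelta = timedelta(days=30)) -> None:
        self._secret = secret          # key for signing renewal links (assumed)
        self.future_ttl = future_ttl
        self.post_close_grace = post_close_grace
        self.token_ttl = token_ttl
        self.candidates: dict[str, Candidate] = {}

    def _get(self, cid: str) -> Candidate:
        return self.candidates.setdefault(cid, Candidate(cid))

    def record_process_consent(self, cid: str, process_id: str,
                               notice_version: str, now: datetime) -> None:
        # Consent for one specific process: no expiry until that process closes.
        self._get(cid).consents.append(
            Consent(f"process:{process_id}", notice_version, now, None))

    def record_future_consent(self, cid: str, notice_version: str,
                              now: datetime) -> None:
        self._get(cid).consents.append(
            Consent(FUTURE, notice_version, now, now + self.future_ttl))

    def close_process(self, process_id: str, now: datetime) -> None:
        # Closing a process starts the short administrative grace period.
        key = f"process:{process_id}"
        for cand in self.candidates.values():
            for c in cand.consents:
                if c.purpose == key and c.expires_at is None:
                    c.expires_at = now + self.post_close_grace

    def may_contact_for_new_project(self, cid: str, now: datetime) -> bool:
        # Only a live future-recruitment consent covers a new project.
        cand = self.candidates.get(cid)
        return cand is not None and any(
            c.purpose == FUTURE and c.live(now) for c in cand.consents)

    def renewal_token(self, cid: str, now: datetime) -> str:
        # Token for the "click to extend" link: id, link expiry, HMAC over both.
        exp = int((now + self.token_ttl).timestamp())
        mac = hmac.new(self._secret, f"{cid}:{exp}".encode(),
                       hashlib.sha256).hexdigest()
        return f"{cid}:{exp}:{mac}"

    def renew_future_consent(self, token: str, notice_version: str,
                             now: datetime) -> bool:
        # Verify the link before recording a fresh consent with a fresh clock.
        try:
            cid, exp_s, mac = token.rsplit(":", 2)
            exp = int(exp_s)
        except ValueError:
            return False
        expected = hmac.new(self._secret, f"{cid}:{exp}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected) or now.timestamp() > exp:
            return False
        self.record_future_consent(cid, notice_version, now)
        return True

    def purge(self, now: datetime) -> list[str]:
        # Scheduled job: delete every candidate no live consent covers;
        # the returned ids are what you would write to the audit log.
        gone = sorted(cid for cid, c in self.candidates.items()
                      if not any(k.live(now) for k in c.consents))
        for cid in gone:
            del self.candidates[cid]
        return gone
```

The renewal link carries only the candidate id, the link's own expiry and an HMAC over both, so editing the id to extend someone else's consent fails `compare_digest`, and a stale link is rejected even if it is otherwise intact. `purge` is the part a scheduled job would run; because it returns the ids it deleted, the deletion itself becomes evidence that retention is being enforced rather than something you have to reconstruct later.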

Can the principle be accepted that we always have to comply with the duty of information if we record a candidate's data anywhere other than Linkedin, but that we do not have to obtain the candidate's consent if the candidate's behaviour shows an interest in the recruitment process?

Yes. We always have to comply with the duty to inform, whereas we do not always have to obtain explicit consent: consent can be implied, and there need not be consent at all if we have a legitimate interest or a legal obligation.

With whom can I share candidate personal data?

Within the employer's own organisation, with all employees who are authorised to process the candidate's personal data, and with processors under data processing (entrustment) agreements.

If you want to share personal data with others, in particular with persons outside the employer's organisation, it is necessary to tell the candidate in the information notice who else will process their personal data and on what terms, and, where this is sharing with a separate controller rather than entrustment of processing, to obtain the candidate's consent to share the data.

For example, covert recruitment: during the interview with the candidate, we inform him that we are a recruiter working for various clients and we want him to participate in the recruitment. We do not yet indicate which employer the recruitment relates to. We make the selection ourselves or send anonymised data to the employer. If we want to pass on a complete CV with personal data, we need to obtain consent to share the data with employer X, and this employer should comply with the information obligation under Article 14 of the GDPR.

Are there any known court decisions of cases related to the processing of personal data of job applicants?

So far, there has not been any widely known court ruling regarding the processing of job applicants’ personal data, while at least one case has been addressed by the President of the Office for Personal Data Protection (PUODO). It concerned a recruitment conducted by one of Poland’s customs and tax offices, which published the data of the participating candidates on its website.

The case was interesting in that the publication itself complied with the law, which, however, did not specify how long the data should remain on the website. The PUODO dealing with the case (which received a complaint from one of the candidates) concluded that the data had been made public for too long (unjustified from the point of view of the purposes of processing) and ordered their deletion. This demonstrates the importance of keeping an eye on the duration of data processing, which must not go beyond the purpose and basis of processing.

Questions from readers and webinar participants

What if a candidate sends a CV by email or mms, but does not indicate which position he or she is applying for and the CV does not contain consent?

The best thing to do is to ask the candidate which position and which employer they are applying to. If you cannot get a response from the candidate, the sending of the CV can be treated as implied consent for future recruitment processes.

Can a company make use of candidates' personal data by trading in it?

The sale of personal data is possible only with the express consent of the data subject. In recruitment processes such consents are not normally collected by employers, in which case the employer may not sell or pass on candidates' personal data for marketing purposes.

Is it possible to add to the ATS the CV of a person who applied on a job portal and left their CV there?

If the application was for a position with an employer who uses this ATS system and we have the relevant legal basis, it is perfectly possible to add such a CV to the recruitment system.

Can I add the LinkedIn profiles of people I source to the Element ATS as candidates without consent? (e.g. I don't yet have the formal consent of the people I source on LinkedIn; I've made contact and we're talking for now, but I want to have them recorded in the ATS so they don't get lost).

If this is the case, you should definitely provide the candidate with information about how their personal data will be processed. It is best to do this in a "soft" way, i.e. in a properly worded message with a link to the information notice. An example of such a message is given above.

What about candidates who have not agreed to participate in later recruitment processes. The Candidate is on the database and we would like to involve him/her in a new project. Can we contact the candidate and how?

If the candidate has given consent only for the current process, we cannot contact them about a new project on that legal basis. One possible exception is the controller's legitimate interest, but whether that applies must be assessed case by case.

If I now have more than 500 candidates whose data I have recorded without their consent, do I now have to inform them? Are my company and I at risk of something from the legal side, e.g. a lawsuit from the data subject?

According to the letter of the law, an information obligation should be fulfilled towards all these candidates. Failure to comply with this obligation could be caught by an audit and this raises the risk of consequences as set out in the GDPR. How high is the risk of an audit appearing? This is difficult to determine, it seems that such a risk is mainly real in the event of a complaint from some disgruntled candidate.

The database and the circumstances in which the data was obtained should also be examined, it is possible that a separate consent will be required for this.

How do I navigate work-related groups on FB? What if there are no specific guidelines in Facebook's terms and conditions?

The rule of thumb will be exactly the same as on Linkedin – if we want to save data anywhere in our own resources (notepad, excel, Element recruitment system), then we are obliged to have a basis for processing a specific person’s data (e.g. obtaining their explicit or implicit consent) and to fulfil the information obligation towards that person.

What about e.g. meetUp, Github?

Exactly the same as for Linkedin and Facebook.

Can an email address found on Github be used to contact a candidate for recruitment purposes?

If it is an address shown on the candidate's profile, it can be treated as an email address provided for contact, and you may contact the candidate at it. However, it is not possible to offer services or products in the first message to the candidate (this is prohibited by Article 172 of the Telecommunications Act).

Therefore, the first message must be used to obtain consent to send the offer in subsequent messages. Sending a message to the candidate in order to obtain that consent is done on the basis of the controller's own legitimate interest (Art. 6(1)(f) GDPR).

Whenever I see potential in a candidate for future recruitment, I always ask them after the recruitment process to tick their consents for the future. It hasn't happened to me that someone has said they don't want to 😉 .

It’s not a question, but a valuable comment that we decided to publish 🙂

Should a candidate's data be deleted if the recruitment process is ongoing? i.e. always open?

I assume that this is a situation where the candidate has only given consent for a specific process. In my opinion, we can process this candidate’s data as long as we can demonstrate before a possible inspection that we have indeed considered this candidate for this specific position and the CV is still of value to the employer (no obsolescence).

Can I ask for a summary: if I only save the data first name, last name + link to the profile in Excel sheets, should I send information about data processing when contacting the candidate?

The guide's view is that a first name and surname alone, without further identifiers, do not normally identify a specific person and so do not constitute personal data, the exception being a name so unique that unambiguous identification is actually possible. On that view, saving the first and last name alone in Excel is not processing of personal data and no information obligation arises. Note, however, that the GDPR defines personal data as any information relating to an identified or identifiable person (Article 4(1)), and identifiability is assessed in context: the safer default is to treat any name you record alongside other information about the person as personal data.

If we also save a link to the LinkedIn profile, the link together with the name makes it possible to identify a specific person unambiguously, and this is therefore processing of personal data. Likewise, recording the first and last name together with a PESEL number or residential address is processing of personal data. In this situation the information obligation must be fulfilled, quite apart from the fact that we must have a legal basis for the processing.

What about the processing of data by entities related to the recruiter, should these controllers be identified? Is the wording 'and related entities' sufficient?

To begin with, it should be pointed out that the controller of the personal data collected during a recruitment process is the entity that wishes to employ the candidate, i.e. the employer. If the employer outsources the recruitment to a specialised agency, the employer remains the controller and the agency acts as the processor. In that case the information notice should contain the employer's details (as controller) and state that a recruitment agency (as processor) will be a recipient of the candidates' data, without necessarily naming the agency or giving its other details (an indication of the type of processor is sufficient).

The above does not apply where the agency provides HR services to the candidate on its own account, or to covert recruitment; in those cases the agency itself is the controller.

If, on the other hand, the employer wishes to make the candidate’s personal data available to entities that will not process them for the purposes specified by the employer, but for their own purposes (e.g. business partners), these entities will be separate controllers. Furthermore, it is possible that data are processed by controllers who cooperate with each other (in this case, there is co-management of personal data).

Regardless of whether we are dealing with several controllers acting independently or with cooperating joint controllers, the information notice must contain the identification data of all these controllers/joint controllers (limiting it to the wording "related entities" is therefore not allowed). It is not without reason that telecoms and large organisations list their partners by name.

If we are a processor, can we collect consents for the controller (the company commissioning the recruitment) to participate in the current recruitment, future processes, etc.? (consents that in principle should be collected by the controller)

Yes, the agency can collect consents on behalf of the controller for both current and future recruitments. It only needs to be clearly indicated (e.g. in the information notice or next to the checkbox) that the recipient of the consent is the controller and not the agency.

Could I ask for an example of consent? If, as a freelancer (an individual on a freelance contract), you are recruiting a candidate for one particular company, who should be indicated in this consent?

As pointed out in one of the previous questions, the addressee of the candidate's consent should always be the employer (even if it outsources the recruitment to a freelancer or an agency).

Should a client receiving candidates from an agency have its own consent from the candidate and should the client fulfill its own information obligation?

According to the provisions of the polish GDPR, the entity responsible for carrying out the information obligation and obtaining the candidate’s consent (if obtaining it is necessary in a given case) is the administrator = the employer. Thus, if it decides to entrust an agency with recruiting, it can also delegate to the agency the provision of information and collection of consent from candidates (for this purpose, it can provide it with, for example, its own templates for information obligations and consents).

Alternatively, after the agency has provided the candidate’s contact information, the employer can send the information obligation to the candidate itself and ask for consent (which, however, is not very convenient). Above all, it should be remembered that liability for any failure to fulfill these obligations will be borne, in the first instance, by the employer, not the agency.

Software agency hires a candidate. Candidate's data is passed on by the software agency to its client because ultimately the candidate will do work for that client. Who is who here? Who is the administrator? Who is the processor? Who has what responsibilities?

The question does not apply to recruitment. In the case described, both Software Agency and the client will be separate controllers of personal data, as each of them will independently determine the purposes and means of their processing. Since we are not dealing here with the processing of personal data on behalf of the other party, there is no relationship of entrustment of personal data processing.

In order for Software Agency to share an employee’s personal data with its client, it needs an appropriate basis for doing so. It is most often assumed that such a basis is the legitimate interest of the controller, which is the basis for processing by the client as well (this should therefore be adequately described in the information obligation to the employee).

Given that both parties to the cooperation (Software Agency and the client) will share employee contact information with each other, each party should perform an information obligation to the other party’s employees. To this end, at the beginning of the cooperation, the parties can exchange their GDPR clauses and undertake to provide them to their own employees delegated to perform tasks for the other party.

Is the processing of candidate data in the ATS system profiling?

I have no doubt that in such ATS systems as Element, there is no question of qualified profiling (which requires separate consent from the candidate). Doesn’t ordinary profiling occur, however?

In my opinion, it all depends on the interpretation of the word “analysis,” which is included in the definition of profiling in Polish GDPR. If we assume that analysis is also the recording and display of information, then ordinary profiling is taking place. However, if analysis is the drawing of any conclusions from the recorded data, then in my opinion, ordinary profiling does not occur.

Candidate vetting in recruitment vs. GDPR - a guide for HR departments

GDPR makes it harder to vet candidates

The entry into force of the GDPR regulations has changed the legal reality in many areas of recruitment, including the ability to verify a candidate’s professional history and references, and to test a candidate’s suitability for a job.

Prior to May 25, 2018 (the day the GDPR regulations took effect in Poland), there was basically no discussion about whether employment history could be verified, whether a candidate’s previous jobs could be called, or, finally, what a candidate could be asked about as part of testing. Those who wanted to verify and test did so, and did not fear penalties.

Since the provisions of GDPR came into force, the situation has changed dramatically, mainly due to the high penalties provided by the new and at the same time vague regulations, and the lack of specific court rulings indicating how to interpret these vague regulations.

So, can one legally verify the employment history of candidates and obtain their references from previous jobs? Is it possible to legally test candidates and make recruitment decisions based on test results?

To answer these questions, we organized a webinar in which an expert, Personal Data Protection Inspector Anna Zmijewska, answered my questions and those of our guests.

This article is a transcript of that webinar with an addendum, in which you will find the answers to the above questions.

Three candidate verification tools

Many different tools can be used to verify a candidate’s relevancy to a job. During the webinar, we focused on three tools that, in my current opinion, are very valuable, yet whose use has become somewhat questionable after the GDPR regulations came into effect. I am referring to:

  1. verifying a candidate’s employment history;
  2. obtaining candidate references from previous jobs;
  3. recruitment tests.

Verifying a candidate’s employment history is an effort to determine whether the employment history provided by the candidate, most often in his or her resume, is true and does not contain gaps.

Obtaining a candidate’s references from previous jobs is an effort to have the candidate provide contact information for people at his or her previous places of employment who can share their opinions about how the candidate performed. Alternatively, the candidate can also provide an already documented (e.g., on paper or on a LinkedIn profile) opinion of a previous employer. Here, however, it is worth noting that pre-prepared references may not be sufficient from the point of view of the person who conducts the recruitment process. This is because such references do not necessarily contain answers to the questions that the recruiter would like to ask the candidate’s previous employer.

Candidate testing is the activity of verifying a candidate’s relevance to a job by testing his or her knowledge or personality traits through knowledge tests or psychometric tests.

Verifying candidates’ employment history

An employer may request information about a candidate’s past employment record if it is necessary to assess the candidate’s fitness for the job. This is stated in Article 22¹ of the Polish Labor Code.

At the same time, par. 5 of this article states that the employer may demand documentation of this history in order to confirm it. The Labor Code does not state what documents are to confirm the candidate’s history, so it should be considered that they can be any documents that are sufficient for this purpose, while at the same time the information contained in these documents does not exceed this purpose. A certificate of employment, or any other type of written confirmation of the candidate’s employment at a previous workplace, seems to be an appropriate method of documenting employment history.

However, the above article does not answer the question of whether an employer can verify a candidate’s employment history in any other way than by requesting relevant documents from the candidate. In particular, the Labor Code does not state whether an employer can, for example, contact a previous employer itself, or have the candidate’s employment history verified by a company that specializes in doing so.

In the opinion of our expert, Anna Zmijewska, an independent verification of a candidate’s employment history (or carried out with the help of another entity) can only be performed with the candidate’s consent, and for evidentiary purposes, this consent should be given in a documented form, such as an email confirmation or information recorded in the recruitment system that the candidate clicked the relevant consent on the application form. If employment history verification is outsourced to another company, the candidate’s consent can also be obtained by that company.

We also note that the official guidance in the Polish Data Protection Officer Handbook states that an employer can use information available on LinkedIn to confirm a candidate’s employment history. However, this is an exception based on the fact that the purpose of the LinkedIn portal is to share information about employment history and work experience. Obtaining personal data about a job candidate from other portals, such as Facebook, is not permissible.

In addition, the Polish Data Protection Officer states that a recruitment decision still has to be made on the basis of the candidate’s statements, and not on the basis of what is found on LinkedIn.

Sensitive data may be provided by the candidate only of their own free will. Sensitive data includes data on ethnicity, world views, health, faith, etc. In addition, for the processing of such data by the employer, it is worthwhile to have documented explicit consent from the candidate.

As an aside, it is worth pointing out that according to our expert Anna Zmijewska, who has experience in dealing with international entities, other European countries have a much less restrictive approach to GDPR regulations than Poland.

To summarize:

  • An employer may request documents from a candidate to confirm employment history (e.g., an employment certificate).
  • An employer can verify employment history on LinkedIn, but not on Facebook.
  • The employer may, with the candidate’s consent, outsource verification of employment history to another company.

References from the candidate's previous jobs

Can a candidate's previous employer be contacted for feedback on their work?

In accordance with current regulations and their common interpretation, contact with a candidate’s previous employer can only be made with the candidate’s consent.

The candidate’s consent can be given in any way, but we nevertheless recommend that it be documented for evidentiary purposes, e.g. in the form of an e-mail from the candidate or in the form of a saved application form in which the candidate has indicated such consent. It may happen that in the event of a negative recruitment decision, the candidate changes his or her mind and states that he or she did not consent to being contacted by his or her previous employer. In this case, proof of such consent will be very useful.

If you use application forms with GDPR consents, then make sure that the consents given by candidates through the forms are recorded and stored in such a way that, in the event of an audit, it will be easy to show that the candidate gave the required consent. To this end, modern ATS systems automatically keep a record of each applicant’s GDPR consents.

Can the opinion of a candidate's previous employer be the basis for rejecting a candidate in the recruitment process?

According to Anna Zmijewska, our expert, the Personal Data Protection Office could challenge a recruitment decision (e.g., rejection of a candidate) based on a negative review from a previous employer.

I admit that it is indeed difficult to say how the Personal Data Protection Office would assess such a situation. However, if it turned out that one’s decision could not be based on an opinion obtained from the candidate’s previous employer, this would mean that there would be little point in obtaining such opinions.

Of course, it should be taken into account that opinions obtained from previous jobs may be unfair to the candidate. However, it is the role of the recruiter to interview the previous employer as reliably as possible and assess the extent to which the obtained evaluation is objective and useful.

Do I need permission to process the data of the person representing the candidate's previous employer?

If a candidate has given us the details of a person representing a previous employer, it is likely that the candidate has given us that person’s personal data (name, phone number or email). How does the law look at the processing of this data?

In the case described above, we do not need consent to process the personal data received from the candidate. This is because we have a legal interest in such processing. The legal interest is an intrinsic and sufficient basis for processing personal data. You can learn more about what a legal interest is in the context of personal data processing from the summary of our previous webinar, which was devoted to personal data processing in recruitment processes. Feel free to read the text summary or watch the recording of the webinar.

However, despite having a legal interest, you still have to fulfill the information obligation to that person, which in my opinion is a very impractical rule (I hope that either the legislator will modify the regulations accordingly, or the courts will establish a settled, more practical line of case law in this regard).

The simplest way to comply with the obligation to provide information to the person whose personal data the candidate has given us is to send an email, in the footer of which there will be a link to the document containing the information covered by the information obligation.

To summarize:

  • According to the regulations, we can only obtain references from previous jobs with the candidate’s consent.
  • The candidate can provide contact information for a person representing his current or previous employer, or references already prepared, such as in writing.
  • For the purpose of a possible check, it is useful to have the candidate’s documented consent to obtain references. Such consent can be automatically collected and stored, for example, by an ATS system.
  • According to our expert, a reference from a candidate’s previous workplace cannot be the basis for a recruitment decision against that candidate.
  • When obtaining contact information from a candidate to a person representing a previous employer, we do not have to have that person’s consent, but we do have to fulfill an information obligation to that person.

Candidate references vs. GDPR - the result of a survey on LinkedIn

A month ago, I published a survey on LinkedIn on what to do when feedback about a job candidate has been obtained in a way that does not comply with GDPR regulations. I prepared the survey as part of collecting materials for an article on the use of candidate vetting tools after the GDPR regulations came into effect.

Below is the question presented in the survey, the results, and my commentary at the end.

Candidate references and GDPR regulations - a survey

Imagine that you are in the following situation:

You are conducting a recruitment process for a managerial position. The person you hire will manage a group of several dozen employees. A promising candidate has passed the final stage, but does not yet know your decision on whether to make an offer.

Yesterday you met a friend who works at another company. This is a person whose opinion you can rely on, and you often consult with him on difficult professional and personal decisions. By complete coincidence, it turned out that your candidate worked at your friend’s company. The friend informed you about the candidate’s very disturbing behaviors that demotivated employees and broke up the team. Among these behaviors were rudely addressing team members, mocking the mistakes of others, and turning some team members against others. Your friend strongly advised you against hiring this person.

During the hiring process, the candidate did not seem like a person who could display such behavior. During the interviews, he spoke of excellent team management skills and great performance. He seemed credible.

The law says that the recruitment process must be based on information provided by the candidate. If the candidate has not consented to the previous workplace being contacted, the employer does not have the right to do so and cannot use the information obtained in this way in the recruitment process. What do you do? Answer by choosing one of the three options in the survey below.

What do you do?

Do you hire the candidate and knowingly expose the company and team to the manager’s harmful behavior, or do you reject the candidate?

A. Reject

B. Hire

C. Not sure, I have to think about it.

P.S. The above case came up during a webinar I hosted on June 23 on the legal aspects of verifying the employment history of candidates. The data protection officer who attended the webinar as an expert confirmed that recruitment decisions cannot be made on the basis of information obtained from previous jobs without the candidate’s consent.

According to the LinkedIn report, the survey primarily reached (position and number of people):

  1. Recruitment Specialist 191
  2. Human Resources Business Partner 186
  3. Human Resources Manager 163
  4. Chief Executive Officer 148
  5. Recruiter 136
  6. Human Resources Specialist 129
  7. Owner 113
  8. Talent Acquisition Specialist 90

199 people responded.

Survey result:

Reject: 45%

Hire: 17%

Not sure, I have to think about it: 38%

A discussion with dozens of comments appeared under the survey. In the discussion we went into the details of various situations. I also clarified the doubts of several commenters.

Candidate references and GDPR regulations - a comment on the survey results

As you can see, most people gave an answer that contradicts the common interpretation of the GDPR regulations. This is because the regulations state that obtaining an opinion about a candidate from his or her previous workplace can only be done with the candidate’s consent.

In addition, experts say that the opinion of a previous employer, even if obtained with the candidate’s consent, should not form the basis for recruitment decisions (more on this in another article currently in preparation).

Why would most people go against the GDPR regulations? In my opinion, the answer is simple – the regulations do not meet the requirements of recruitment processes.

Shortly after the survey was published, the owner of one of the recruitment companies called me and cited a real-life example, which I present below.

Managers and executives of companies in the same industry are often in contact with each other. These companies know whether a candidate moving from one company to another is an attractive candidate. Information about candidates travels from company to company. In addition, it is also sometimes the case that a manager working today at company X previously worked with a candidate at company Y and already has an opinion about that candidate.


What are the types of tests used in recruitment processes?

We generally use two types of tests in recruitment processes:

  • psychometric tests
  • other tests

According to The Institute of Psychometric Coaching, “Psychometric tests are a standard and scientific method used to measure individuals’ mental capabilities and behavioural style.”

Psychometric tests should be prepared and evaluated by people qualified in this field.

Among other tests, there are primarily:

  • competency tests, which can test, for example, a candidate’s knowledge of job-related issues;
  • analytical tests, which examine the candidate’s ability to perform specific analytical tasks, e.g. calculation, text analysis, logical thinking;
  • language tests, which examine a candidate’s ability to speak foreign languages.

What tests can candidates be subjected to during the recruitment process?

In the course of the recruitment process, tests may be used that examine the candidate’s ability to perform a specific job. A contrario, we should not, as part of the tests, examine those areas that do not affect the performance of the job for which the recruitment process applies.

It is also a very important principle that psychometric tests must not examine a candidate’s mental health. For this reason, it is recommended that psychometric tests be prepared by professionals who will ensure that they do not test what is not necessary in the recruitment process.

Are there any requirements as to who should conduct a recruitment test or evaluate the result of such a test?

In Poland, in the case of psychometric tests, the preparation and evaluation of the test results should be carried out by people who are competent to do so. However, it is not the case that every psychometric test may only be administered by a certified psychologist. The regulations of the Psychological Testing Laboratory of the Polish Psychological Association read:

Some goods available in the Bookstore can be sold only to certified psychologists. Such restrictions result from the Act of June 8, 2001 on the profession of psychologist and the professional self-government of psychologists (Journal of Laws No. 73, item 763, as amended).

Products available only to psychologists bear the description ‘Psychologist only’, and a Buyer who does not have verified status as a psychologist cannot purchase them (add them to the cart).

Therefore, it should be determined in each case whether a particular test can be taken by a person without the relevant training.

Similarly, the Testing Laboratory points out:

It is not true that only a master’s degree in psychology entitles us to use commercially available tests. There are many such tools that do not require it, and they are also sold by the Psychological Testing Laboratory of the Polish Psychological Association. What does it mainly depend on?

  • On the recommendation of the author(s) as to whether a particular test is available only to psychologists.
  • On the consequences of using a given test for the person being tested. The bigger they are, i.e. life-changing implications (e.g., jurisprudence, opinions that have legal consequences), the more qualifications are necessary.
  • On the knowledge of the area being diagnosed and the knowledge of psychometrics (the branch of psychology that deals with the theory and practice of using psychological tests) that the efficient and proper use of a given test requires.
  • It should also be noted that there are different levels of difficulty in using the tools (sometimes reading the instructions is enough, other times skills acquired through training are needed).

As for other tests, there is no indication of who can prepare recruitment tests and evaluate their results. What is clear, however, is that it should be a person proficient in the area that the test examines.

Is the candidate's consent needed to conduct recruitment tests?

For psychometric testing, we recommend obtaining the candidate’s explicit consent, which will be documented electronically (e.g., by email) or in writing.

Our expert Anna Zmijewska advises that, in this case, the candidate’s consent should not be collected by ticking a consent checkbox on the candidate’s application form.

As far as my personal opinion is concerned, I would consider consent on the application form acceptable, as long as it is a separate consent, not combined with other consents.

In the case of other recruitment tests, we agree that there is no need for explicit consent. The mere fact that a candidate takes the test will be considered implied consent from the candidate, and such consent is sufficient for such tests.

Can the result of the test determine the candidate's further fate in the recruitment process?

According to Anna Zmijewska, negative results of non-psychometric tests can on their own be a sufficient basis for rejecting a candidate.

In the case of psychometric tests, our expert argues that we should not reject a candidate solely on the basis of the results of such tests.

In this case, I again feel that the legislation, or the likely interpretation of it by the Personal Data Protection Office, does not meet the needs of recruitment processes. After all, an employer does not devote resources to conducting psychometric tests only to find that their results cannot form the basis of recruitment decisions. Here it is worth recalling once again that Anna Zmijewska pointed out during the webinar that in other European countries the rules in this regard are not as strict as in Poland.

Is the testing of candidates profiling?

Let’s start with the legal definition of profiling.

Article 4(4) of the Polish GDPR states:

Profiling means any form of automated processing of personal data which involves the use of personal data to evaluate certain personal factors of an individual, in particular to analyze or predict aspects relating to that individual’s performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

The key passage is “automated processing of personal data,” which, unfortunately, is not defined by the regulations, but makes it clear that it refers to automated activities, that is, in practice, using computer algorithms.

Another important issue is the division of profiling into ordinary and qualified profiling. This division is important from the point of view of recruitment processes, since only qualified profiling requires obtaining separate consent from the candidate.

Qualified profiling is profiling in which:

  1. We rely exclusively on automated decision-making, i.e. without the involvement of the human factor.
  2. The process produces legal effects with respect to the profiled person or otherwise materially affects the profiled person.

In light of the above definitions, can’t the administration of the test be considered automated decision-making with respect to the candidate? No, because the candidate independently answers the test questions, a human being (not an algorithm) evaluates the result of this test and based on it (possibly based on other factors as well) makes a decision in relation to the candidate.

Can a candidate's test score be shared with another employer?

In our opinion, a candidate cannot share test results with other employers without the consent of the employer who conducted the test.

This is due, among other things, to the fact that the test itself may constitute the employer’s intellectual property, which is legally protected. Please note that the test was likely purchased or created by the employer. Because of this, the employer has certain rights regarding the test (ownership, license, copyright), which protect the employer.

To summarize the issue of tests in the context of GDPR regulations:

  • The tests should only examine what is necessary to perform work in the position covered by the recruitment process.
  • There is no need to obtain explicit consent to perform regular tests. A candidate’s participation in the test constitutes his or her implied consent.
  • To perform psychometric tests, we recommend obtaining the candidate’s explicit consent.
  • The results of psychometric tests should not be the only factor taken into account when making recruitment decisions for a candidate.
  • In the case of psychometric tests, special attention should be paid not to examine the candidate’s health condition unless it is expressly required by law.
  • The results of other (non-psychometric) tests may constitute an independent basis for making a recruitment decision regarding a candidate.
  • Conducting tests whose results are assessed by a human, who then makes decisions about the candidate on that basis, is not profiling.
  • The candidate has no right to share test results or test content with other people unless he or she has obtained the express consent of the employer who administered the test.

Do the GDPR rules discussed above also apply to candidates "hired" on B2B?

In the case of candidates with whom cooperation is planned on a B2B contract, the provisions of the Labor Code do not apply. However, the principle of data minimization, which is imposed by the provisions of the GDPR, still applies.

Therefore, we recommend that, also in the case of candidates employed on a B2B basis, only the data necessary for recruitment purposes be collected and that candidates’ consent to the processing of this data be obtained.

We would like to point out that there are still no court decisions resolving many questionable issues related to the application of the GDPR provisions. There is therefore legal uncertainty, in the face of which we recommend proceeding with caution. Such a cautious approach means applying similar rules regardless of the legal form under which we cooperate with the candidate.



Maciej Michalewski

CEO @ Element. Recruitment Automation Software
