The conference „Employment of temporary workers and GDPR” was carried out on March 18th 2021 organized by the Department of Labor Law and Social Policy of the Jagiellonian University and the portal GDPR.pl. Honorary patronage of the event was taken by the President of the Personal Data Protection Office (substantive support of Mrs. Monika Krasińska Director of the Case Law and Legislation Department) and the Regional Bar Association in Cracow.
The meeting was hosted by PhD Dominika Dorre-Kolasa, PhD Michał Czarnecki and counselor Tomasz Osiej.
The substantive part of the conference began with a speech of Professor Arkadiusz Sobczyk entitled „Processing of personal data and employment of temporary workers. Systemic issues”. During which Professor presented its concept of the place and role of the GDPR in the legal system. The Speaker emphasized that the GDPR, as an act of administrative law, allows to interfere with an individual’s information autonomy on the basis of the competence standards set out in the Regulation, when an entity pursues the objectives of the collective. The GDPR is therefore a part of public authority overseeing by the President of the Personal Data Protection Office.
The protection of information autonomy in non-private relations (outside the GDPR) was also discussed. Answers to questions in this regard can be found in specific (financial) legislation, established limits of powers (prohibition of the collection of personal data by the authority), defined limits of the use by the data subject, or in Article 266 of the Criminal Code.
Referring to the theme of the conference, the Professor pointed out that the temporary employment agency and the user’s employer perform their own public tasks. In the Speaker’s view, this eliminates the dilemmas of data transfer between these entities.
In a second speech entitled „Model of protection of personal data in the context of the employment of temporary agency workers in the Member States – the position of DPAs”, representatives of the portal GDPR.pl counselor Tomasz Osiej and PhD Michał Czarnecki presented the positions of the European DPAs regarding the relationship between the temporary employment agency and the user’s employer.
The portal GDPR.PL, received responses from most DPAs, which the portal shared during the conference. The answers can be divided into three groups:
- some authorities did not encounter such problem at all;
- representatives of the Icelandic, Hungarian and Bulgarian supervisory authorities referred to paragraph 66 of Guidelines No 7/2020 of the European Data Protection Board;
- several authorities, on the other hand, have sent clear positions indicating roles in the processing.
The third group included supervisory authorities from Finland, Croatia and Spain, which expressly stated that the relationship between the user’s employer and the temporary employment agency is shaped as controller – controller.
The Spanish authority also pointed the possibility of a confidentiality clause and the selection of employees. However, even in such situations, according to the Spanish, a personal data processing agreement seems superfluous.
The Finnish authority have expressed a very unequivocal view that both parties are independent controllers with the obligations set out in the GDPR, while stressing that the purposes and methods are clearly indicated in the law.
The Croatian authority also unequivocally confirmed that the two entities are separate controllers, since the user’s employer does not process the personal data of employees on behalf of the temporary employment agency. Moreover, this statement, in the view of the holders, clearly indicates that, also on domestic ground, if we look at the issue and carry out a detailed analysis of the processing operations, we will come to the conclusion that the CON-CON relationship will be appropriate.
Representative of the Polish supervisory authority the Director of the Case Law and Legislation Department of the UODO, Mrs. Monika Krasińska, presented in the section entitled „Protection of personal data in conditions of employment – position of the supervisory authority” a broader context of the issue, stressing that the system of protection of personal data creates not only the GDPR, but also acts of international law and the system of national laws. The latter should bind all solutions together at the national level. Moreover, the process of adapting these laws to the GDPR should have been completed a long time ago.
The President of the UODO delivered an opinion on the draft legislation on the employment of temporary agency workers. This law indicates the rights and obligations of the user’s employer and the temporary employment agency. However, it also raises doubts as the formation of relations between these entities can be detailed in the concluded agreement.
However, the Director has made it clear that the temporary employment agency is the controller of the data processed for the performance of the obligations set out in the law.
The temporary employment agency is the data controller for the purpose of concluding contracts relating to the employment of temporary agency workers. It also carries out a number of other tasks. Therefore its role cannot be shaped differently than from the law, including the contract with the user’s employer. On the other hand, the employer also has statutory tasks and responsibilities. Each of these entities is autonomously responsible for achieving its purposes. In accordance with the principle of legality, if an entity wanted to perform other tasks, it would have to demonstrate on what legal basis it processes that personal data.
Due to the fact that both the user’s employer and the temporary employment agency mostly carry out their own tasks and goals – their relations will be overwhelmingly developed in the system controller-controller.
Importantly, it was also point the need to review the UODO’s positions in the Guide for Employers, which seems to be a very valuable initiative, for which the entire HR market is waiting.
The first discussion panel „Who is who in the processing of personal data from the perspective of the GDPR? Data sharing, entrusting the processing in relations employment agency – user’s employer” held by PhD Dominika Dorre-Kolas with the participation of PhD Marlena Sakowska-Baryły, PhD Paweł Litwiński and PhD Krzysztof Wygoda.
PhD Paweł Litwiński presented polemic thesis to the speeches of Prof. Arkadiusz Sobczyk and Mrs. Director Monika Krasińska. At the same time, he appreciated the public-legal rooting of the protection of personal data. According to PhD Litwiński, equality between the parties cannot be achieved only by private instrumentation. Protection is not horizontal here, is derivative, it should be seen as a proactive duty.
The speaker indicated that he leans more to the thesis presented by Mrs. Director Krasińska. The status of the parties should therefore be derived from the law. He also shared previous speaker’s view on the roles of the parties and the circumstances. Although the law may determine who is the controller, but the authority over the data may result from the powers conferred.
PhD Krzysztof Wygoda argued that the entrustment of personal data may appear where we go straight beyond the law and where the legislator has not indicated what personal data can be transferred. This will be specified in the relevant agreement between the parties. It is not possible to concludes personal data processing agreements in respect of the rights and obligations set out in the law. It may be conclude only to an extent which goes beyond the law.
PhD Marlena Sakowska-Baryła, in the context of information obligations, stated that their main objective is to protect the vulnerable side of the information relationship, namely the natural person whose rights and freedoms are protected by the GDPR.
In the Speaker’s view, it is also necessary to carry out a physical inventory of the resources and who plays what role in the data processing process and what its obligations are. There is no single universal model and it is always necessary to refer to a specific relationship between actors. The conclusion of personal data processing agreements does not alter the facts existing between the parties. An incorrect assessment of the relationship may result not only in the sanctions indicated in the GDPR, but also in civil liability.
The second discussion panel „Recruitment and employment of temporary staff: legal bases for data processing, practical problems” was carried out by counselor Tomasz Osiej and PhD Michał Czarnecki, with the participation of PhD Magdalena Rycak, PhD Iwona Jaroszewska-Ignatowska, PhD Arleta Kidney and counselor Joanna Jarguz.
PhD Magdalena Rycak shared the view of the previous speakers that the relationship between the user’s employer and the temporary employment agency is the relationship between the two controllers of personal data. She also pointed out that in the recruitment process it is more difficult to assess the relationship between the entities, due to its different types. When a group of employees are recruited to several employers, the data are entrusted.
PhD Arleta Nerka discussed the problems of the legal basis in the recruitment process and the possibility of providing the user’s employer with additional information (with the consent of the employee) in the event that the user’s employer would be interested in hiring such person already on the basis of an employment contract.
PhD Iwona Jaroszewska – Ignatowska, in the context of the need to grant authorizations to process data to the employed employee, pointed out that the previous law on the protection of personal data made it clear that such authorisation was necessary. Currently, this necessary remains only in the case of processing data of a specific category, in which they are issued by the user employer.
Counselor Joanna Jarguz raised the issue of the need to obtain separate consents for each transfer of candidate data to a potential user employer during recruitment. As she pointed out, a candidate’s specific consent is needed every time. This is also relevant in determining whether a temporary agency worker is willing to work for the user’s employer at all.
During the conference, were identified and discussed problematic topics that are at the border of temporary work and the protection of personal data. Most importantly, and what we believe is the greatest success of the conference, it was possible to clearly define the leading relationship between the user’s employer and the temporary employment agency under the law as the relationship between two separate controllers of personal data.
Noteworthy is the unequivocal position of the UODO in this area, as well as the announcement of the planned update of the guide on the protection of personal data in the workplace.
On behalf of the organizers of the Jagiellonian University and the portal GDPR.pl thank you for participating in the event and we are already announcing next conferences, the topics of which will be determined by the survey sent out.
Counselor Tomasz Osiej
PhD Michal Czarnecki