
Polish Supreme Administrative Court Upholds Employers' Right to Retain Rejected Applicants' Data for Defense Against Potential Discrimination Claims


The Polish Supreme Administrative Court issued a landmark ruling on February 20, 2024 (case no. III OSK 2700/22), affirming that employers can lawfully retain personal data of rejected job applicants based on their legitimate interest in defending against potential discrimination claims. This decision provides significant guidance on the interpretation of Article 6(1)(f) of the General Data Protection Regulation (GDPR) concerning the lawful grounds for processing personal data after the conclusion of a recruitment process.

Background

The case originated from a complaint filed by Ms. M.K. to the President of the Personal Data Protection Office (further: the Polish Data Protection Authority, Polish DPA). Ms. M.K. alleged that A.D.C.P. Sp. z o.o., a company based in G., unlawfully processed her personal data by failing to delete it after the recruitment process concluded and her application was rejected. She also claimed that the company had improperly fulfilled its information obligations under Articles 13 and 15 of the GDPR during the recruitment process.

In January 2022, the Polish DPA issued a decision reprimanding the company for violating GDPR provisions. The authority held that the company had no legal basis to retain Ms. M.K.'s data after the recruitment process ended, stating that data should be deleted immediately unless another legal ground justifies further processing. The Polish DPA argued that the company's reference to potential legal claims was insufficient, as it did not specify any concrete claims or legal proceedings that would necessitate retaining the data.

The company appealed the Polish DPA's decision to the Voivodeship Administrative Court in Warsaw. The court overturned the Polish DPA's decision, holding that the company had a legitimate interest in retaining the data to defend against potential claims of discrimination under the Polish Labour Code. The court emphasized that the limitation period for such claims, as specified in Article 291 in conjunction with Articles 183b and 183d of the Labour Code, provided a lawful basis for data retention.

 

The Polish Supreme Administrative Court’s judgement

The Polish DPA appealed the judgment to the Supreme Administrative Court. The Court upheld the decision of the Voivodeship Administrative Court in Warsaw and provided a detailed analysis of the legal grounds under the GDPR for retaining personal data after a recruitment process.

The Court examined whether the retention of the applicant's data was justified under Article 6(1)(f) of the GDPR, which allows processing when it is necessary for the legitimate interests pursued by the controller, except where overridden by the interests or fundamental rights and freedoms of the data subject.

The Court noted that employers have a legitimate interest in retaining data to defend against possible future claims of employment discrimination, as provided for under Polish law. The Labour Code grants candidates the right to seek redress for discriminatory recruitment practices, and employers may need to provide evidence to defend against such claims. The Court emphasized that the employer's legitimate interest must be balanced against the data subject's rights and freedoms. In this case, the Court found that retaining the data for the duration of the statutory limitation period did not disproportionately infringe upon the applicant's rights. The data retention was limited in scope and time and served a specific legal purpose.

 

Criticism of the Polish DPA's Position

The Court criticized the Polish DPA for not adequately considering the legal framework and for failing to conduct a proper assessment of the legitimate interests involved. The Court pointed out that the Polish DPA did not address the company's arguments regarding the applicable Labour Code provisions and the need to retain data to defend against potential claims. Thus the Court rejected the Polish DPA's assertion that data cannot be processed "just in case" or for hypothetical future claims. The Court clarified that the potential for legal claims is inherent in the employer-applicant relationship, and retaining data for such purposes is recognized under the GDPR when properly justified.

 

Commentary

This ruling provides important clarification for employers regarding the lawful basis for retaining personal data of unsuccessful job applicants. Employers can rely on their legitimate interests under Article 6(1)(f) of the GDPR to retain such data for the purpose of defending against potential legal claims, particularly those related to discrimination in hiring practices.

However, the retention must be proportionate, limited to what is necessary, and confined to the duration of the statutory limitation period for such claims. Employers should also ensure compliance with other GDPR principles, such as transparency, data minimization, and informing applicants about data retention policies.

Data protection authorities should note that legitimate interests can include the need to retain data to defend against potential claims, even if such claims have not yet materialized. The ruling encourages a more balanced approach that respects both the rights of data subjects and the legitimate needs of controllers.

Supporting this perspective, the French data protection authority (CNIL) also acknowledges that employers may retain personal data of rejected candidates to defend against potential legal claims. CNIL suggests that while the primary purpose of processing ends after recruitment, data necessary to demonstrate the fairness of the recruitment process can be retained temporarily for evidentiary purposes.

The Court's reasoning is also worth placing in the broader context of recent CJEU case law. In its judgment in case C-621/22, Koninklijke Nederlandse Lawn Tennisbond, the CJEU held that a legitimate interest under Article 6(1)(f) of the GDPR must be lawful but does not need to be determined by law. The CJEU clarified that commercial interests could constitute legitimate interests, expanding the scope of what may be considered valid grounds for data processing.

Juxtaposing the CJEU's judgment with the Polish Supreme Administrative Court's ruling, both courts recognize a broad interpretation of "legitimate interest" under the GDPR. While the CJEU acknowledged that commercial interests might justify data processing, the Polish Court affirmed that employers' need to retain data to defend against potential legal claims is a legitimate interest. However, both courts also highlight that the processing must be necessary and proportionate. In the CJEU case, the Court stressed that the processing should be limited to what is absolutely necessary and that data subjects' rights should not be outweighed by the controller's interests. Similarly, the Polish Court emphasized that data retention must be confined to what is necessary for the specific legal purpose and limited in time.

 

Article provided by INPLP members: Xawery Konarski and Mateusz Kupiec (Traple Konarski Podrecki & Partners, Poland)

 

 
