Training of the RODO in modern HR

Yes, after completion of the training each participant receives a personalised certificate confirming their participation in the training.

Yes, it is even recommended. 😊 When conducting our training, we do not want it to be an ex cathedra lecture. We favour a workshop-based approach to prepare our trainees as best as possible for the challenges posed by personal data protection.

Due to the workshop format of our courses we endeavour to keep groups to no more than 12 participants.

If the training is financed at least 70% by public funds, this provides a basis for exemption from VAT. In such a case, in the registration form in the third step (Invoice) we ask you to select the option: "I declare that the training is financed at least 70% by public funds. Consequently, I request exemption from VAT".

In accordance with the regulations of our training courses, the selected service must be paid for no later than two days before the training.

Yes, in such a case please provide this information in the fourth step of our form, in the "Additional remarks" field.

This is not necessary. We conduct online training via the Microsoft Teams application, which also allows us to send a link that can be opened in a web browser.

This is not necessary; however, to facilitate asking questions and exchanging experiences, we recommend using a headset with a microphone.

Yes, in such a case please provide this information in the fourth step of our form, in the "Additional remarks" field.

In most cases we confirm the training course one week before the scheduled start date. We want to ensure that participants in our training courses have the opportunity to familiarise themselves with the materials in advance.

As soon as the training has concluded, the books will be sent by courier to the address provided in the registration.

We are aware that certain documents can sometimes present difficulties, so we will gladly help with completing them. In such cases, please contact our training coordinator.

Our training coordinator is available at the e-mail address: [email protected].

We also invite you to contact us by telephone at: 22 740 99 99 or +48 690 004 852

The personal data of candidates for the purpose of future recruitment may only be processed if the employer has obtained the appropriate consent to process the data for that purpose. The retention period for data for future recruitment processes should be set by the employer taking into account the specifics of its operations, in particular the number of ongoing recruitments, turnover in specific positions, and the availability of candidates on the market for a given sector. Of course, the period of processing personal data, in accordance with the principle of storage limitation set out in RODO, should be as short as possible.

Translating the above into concrete figures, it should be stated that personal data, as a rule, should not be processed for the discussed purpose for longer than two years from the date of their collection.

No, an employer may request a certificate of no criminal record from a job applicant only when required by law, when, under the rules governing employment for the specific position for which the candidate is applying, it is necessary to meet the requirement of having no criminal convictions. From the perspective of personal data protection such a certificate should be classified as data concerning criminal convictions, offences or related security measures, which, according to Article 10 RODO, are subject to special processing rules.

LinkedIn is a platform dedicated to business relationships. As the President of the UODO indicates in his guide for employers, portals of this type, by enabling mutual contact between job applicants and employers, facilitate an effective search for a job or an employee. Usually, users of such portals (jobseekers), before they start using the services offered by the portals, must read and accept the terms of service and privacy policies. If the ability to use such a portal is associated with an obligation to provide data (to create an account and so that the data from that account can be made available to potential employers), the portal must have legal grounds for this. The legal basis enabling the collection, storage and sharing of users' data (job applicants) will be the consent of the data subject or the necessity for the performance of a contract (or possibly taking steps at the request of the data subject prior to entering into a contract). Hence there is no need to obtain a separate consent from candidates for contact via LinkedIn.

As for the possibility of the employer contacting (and therefore processing the data of) a candidate in another form, e.g. by email (outside the portal where the initial contact occurred), there is also no need to obtain consent, because contacting for these purposes constitutes the employer’s legitimate interest and is based on Article 6(1)(f) RODO. A person who makes their contact details available on LinkedIn can expect to be contacted by recruiters. It is worth noting, however, the functionality provided by LinkedIn, namely the option for a user to indicate that they are open to recruitment offers and to direct job/collaboration offers to people who have indicated such openness in their profile.

No, pursuant to Article 22¹ of the Labour Code, an employer requests an applicant to provide personal data concerning their education only where it is necessary for the performance of work of a particular type or in a specific position. Therefore a preliminary assessment should be carried out of the types of work and offered positions for which requesting education data during recruitment will be justified, and recruitment should then be conducted in accordance with that assessment.

Yes, if these are business‑professional social networking sites such as LinkedIn. The legal basis for processing such data will then be the employer’s legitimate interest (Article 6(1)(f) RODO). An employer should not verify a candidate on sites of a private nature, e.g. Facebook, Instagram.

A recruitment agency, when providing recruitment services, as a rule acts as a separate data controller in respect of the personal data of job candidates. The role and obligations of the agency arise in particular from the Act on the Promotion of Employment and should be understood as the provision of employment mediation services consisting, inter alia, of organising contacts between persons seeking suitable employment and employers, as well as providing employers with information about job candidates and personnel consultancy services.

Consequently, as a rule the employer is not obliged to conclude a data processing agreement with the agency. Nevertheless, the employer should remember that by receiving a candidate's data from the agency they become a separate controller of that data and, as such, are subject to the obligations arising from RODO, in particular the need to fulfil the information obligation referred to in Article 14 RODO, vis‑à‑vis the candidate.

We recommend conducting training regularly, that is at least once a year, for all persons within the organisation who take part in the processing of personal data. It is also advisable to ensure the ability to demonstrate that an individual attended the training (e.g., by downloading the list of participants for an online training) and to provide an evaluation of the training (e.g., in the form of tests at the end of the course).

They are AI systems that can affect the rights of employees or candidates, e.g. through automated assessment, selection or taking HR decisions. In HR these include, among others, recruitment systems and performance evaluation systems. Their use requires particular caution; therefore it is necessary, inter alia, to check the reliability of the system provider, carry out a data protection impact assessment (DPIA), ensure meaningful human oversight of the AI’s operation and clearly inform the individuals whose data are processed about how the system works and about their rights.

The Standards for the Protection of Minors, arising inter alia from the so‑called "Kamilka" Act, should be an important element of the documentation and practices of every organisation whose staff have contact with children. They should be reflected primarily in internal procedures describing the rules for vetting candidates and/or persons employed to work with minors and in training on child protection. Additionally, the processing of personal data related to the implementation of these Standards should be reflected in RODO documentation – in particular in the Register of Processing Activities and in information clauses.

Yes. The employer is obliged to inform the employee that decisions are being made with the involvement of AI systems – particularly if they affect performance evaluation, promotions or the results of internal recruitment. The employer should also explain the principles of the system’s operation in a manner understandable to the employee (AI literacy) and guarantee the possibility of objecting to automated decision‑making.