ODO24 Logo
ODO24 Logo
ODO24 Logo
GDPR questions and answers

GDPR: QUESTIONS AND ANSWERS

Category:
GDPR at Work

What will be the GDPR legal basis for public administration bodies in the case of competency or psychological tests?

ANSWER

Given the lack of a clear UODO position on the possibility of conducting psychological/personality tests, we would recommend that employers exercise considerable caution in using them in the recruitment process (as well as already during employment), as information obtained in such tests may constitute special category data referred to in Article 9 GDPR. Processing of such data cannot then be based on the legitimate interests of the controller, as there is no such ground in Article 9(2) GDPR, which applies to the processing of sensitive data.

If employers nevertheless decide to conduct tests in the recruitment process that provide special category data, such as health information, processing of such data should be considered on the basis of the explicit consent of the data subject. However, obtaining such consent may be problematic in recruitments subject to the Labour Code, in view of Article 221b of the Labour Code. Under its wording, "the consent of a person applying for employment or an employee may constitute the basis for processing by the employer of personal data referred to in Article 9(1) of Regulation 2016/679 only where the provision of such personal data takes place on the initiative of the person applying for employment or the employee." It would be difficult in such a situation to prove that consent was in fact obtained on the candidate's initiative.

As regards competency tests, which serve to confirm a candidate's knowledge in a specific area, and personality tests that will not reveal special category data, in particular health information, conducting them is not associated with risk. In connection with conducting these tests, only so-called ordinary data are processed. The legal basis for processing data in connection with conducting the tests in question (also for public bodies) may be both the legitimate interests of the controller (Article 6(1)(f) GDPR) and the candidate's consent (Article 6(1)(a) GDPR).

Show all
PreviousNext

Read also:

12 March 2026

Jak wdrożyć UKSC / NIS2 - poradnik dla firm

12 March 2026

Jak wdrożyć KSC / NIS2 - poradnik dla firm

03 February 2026

Ocena skutków dla ochrony danych (DPIA) – praktyczny przewodnik + wzór formularza

Dr RODO - aplikacja do audytu i ryzyka

Diagnozuj zgodność i dbaj o odporność organizacji

Receive a free package of 4 tutorials and 4 e-learning trainings
The controller of your data is ODO 24 sp. z o. o.
Processing data in competency tests — GDPR | ODO 24 | ODO 24