Employee Referral Programs and GDPR Compliance

Date: Jul 3, 2024 | Categories: Compliance, Employees

In today’s world, effective and efficient recruitment requires the implementation of appropriate solutions at both the organizational and legal levels. It is important to remember that clearly defining goals, setting candidate expectations, and transparent communication with candidates can not only help reach the right individuals in the job market but also help build a favorable image of the hiring company or organization.

One way to streamline recruitment processes and harness the potential among prospective candidates is by implementing employee referral programs within organizations.

What legal issues should we remember when launching and managing employee referral programs in a company?


  1. Procedure Preparation: Implementing an employee referral system usually involves adopting a procedure that regulates the rights and obligations of the employer and the referrers (including, for example, receiving compensation for a referral that leads to employment). It should be noted that during the application of the procedure, the process organizer processes the data of both the referrers and the referred individuals. Therefore, appropriate organizational and technical measures must be applied to secure the data of both categories of participants. These issues can be reflected in the applicable documents regulating data processing for HR purposes or informational clauses.
  2. Basis for Processing (Consent): In the case of employee referrals, where applications are submitted indirectly, it is necessary to determine the appropriate basis for data processing. The scope of personal data contained in standard job applications (CVs or cover letters) often exceeds the scope permitted under Article 22(1) of the Labor Code. Therefore, employers process this data based on the candidate’s consent, which, according to the definition in Article 4(11) of the GDPR, may also take the form of “a clear affirmative action” by the applicant (e.g., in the case of applications submitted by email). In the case of a referral, it is often difficult to determine whether the candidate has unequivocally consented to being considered in the recruitment process. Therefore, it may be necessary to prepare an appropriate consent form that the candidate provides to the employer, for example, through the referrer.
  3. Informational Obligation: An important element of proper recruitment from a GDPR perspective is providing accurate information about the processing of personal data (known as informational clauses). Documents containing this information should comply with Articles 13 and 14 of the GDPR and specify, among other things, the identity of the data controller, the purposes of processing, the legal bases for processing, and the recipients of the data. This obligation should not be underestimated, as it can be crucial in determining whether a given recruitment process is organized in accordance with the Labor Code or data protection regulations.
  4. Communication with Candidates: Information about processing must be communicated transparently to job candidates. Communication can be done traditionally or electronically (which is most common with current recruitment tools). Candidates should be able to access the information provided above during the application process. In the case of referrals, information should be sent or provided to candidates even when data is not collected directly from the data subject (e.g., by sending informational clauses via email after receiving an application from the referrer, along with contact details for the candidate). Additionally, relevant clauses can be placed on the recruiting organization’s website, ensuring that these documents meet the criteria of Article 12 of the GDPR, i.e., they are concise, transparent, intelligible, and easily accessible, using clear and plain language and including information about the source of the collected data if applications are submitted by the referrer (in accordance with Article 14(2)(f) of the GDPR).
  5. Internal Recruitment: When conducting recruitment involving current employees (e.g., for a possible position change or promotion), it should be noted that the employer is already the data controller for the participants. This means that processing the data of current employees in connection with their promotion or transfer to another position may align with the original purpose of processing. Depending on the circumstances of the case, the data controller’s obligations related to the launch of an internal referral system may not be as numerous. However, attention should be paid to the situation of changing the employing entity (another company within the capital group), which involves issues such as data transfer outside the EEA (and the related requirement to implement a data transfer legalizing instrument) or changing the scope of personal data processed in internal processes. It is also possible that companies within the capital group to which recruitment is conducted may act as joint controllers under Article 26 of the GDPR, necessitating the establishment of “joint controller arrangements” specifying, in particular, how to fulfill information obligations to employees or job candidates and the procedure for exercising data subject rights under Articles 15-22 of the GDPR (which, according to the regulations, may be exercised with any of the controllers).
  6. Local Regulations and Global Policies: Implementing proper recruitment practices, including employee referrals, often requires considering the specifics of local data protection regulations. This means detailing global processing rules to comply with, for example, the Polish Labor Code (applicable to companies operating in Poland). It is also important to note that special category data may only be obtained by the employer when the provision of such personal data is initiated by the job applicant or employee. Additionally, authorization to process data must be granted to managers or HR specialists, as required not only by GDPR regulations but also by Article 22(1b) § 3 of the Labor Code (in cases of processing special category data under Article 9, written authorization is required). Furthermore, policies, informational clauses, or procedures should respect the guidelines of the Polish supervisory authority, the President of the Personal Data Protection Office, and be formulated in Polish.
  7. Data Retention: An essential aspect of recruitment processes, including those based on referrals, is respecting the principle of data retention limitation. Employers may retain data from recruitment processes for defense against claims (e.g., discrimination allegations). Recent case law suggests that data in such cases may be retained for up to three years. This means organizations do not have to delete data immediately after the recruitment process ends (or if consent for future recruitment has been given, after the retention period covered by that consent). However, this does not mean that data can be processed for any purpose during this period, as the principle of purpose limitation must be applied, meaning data can only be processed for specific, explicit, and legitimate purposes.
  8. Other Obligations of the Data Controller: When preparing a process that involves personal data processing, every employer should adhere to the principles of Article 25 of the GDPR, which requires data protection by design and by default. Therefore, proper data security and data protection principles should be “built-in” and thoughtfully considered. If automated processing methods, including profiling, are to be used, candidates must be given the opportunity to object if the process is not based on consent. These issues should be reflected in a risk assessment conducted before implementing a new recruitment procedure, including one based on employee referrals. This will help identify potential processing risks early on and ensure appropriate measures are taken to secure data and comply with GDPR regulations. Additionally, when using IT service providers for recruitment, appropriate agreements should be made under Article 28 of the GDPR if the provider stores data collected for purposes we specify, and relevant information about processing should be provided or verified to ensure compliance with current regulations and guidelines.
