Terms of conducting the so-called “Background check” for candidates for employment in the IT services sector.

Can a background check be conducted in accordance with the law in Poland? What are the limitations and possibilities under Polish law for checking candidates for employment in the IT sector? What information about the candidate can the recruiter verify?

Background screening

Background screening (also referred to as a Background check) is the verification of candidate data, including information regarding the candidate’s professional history, conducted during the recruitment process. Services related to conducting such checks are increasingly offered by external companies operating in various European Union member states and other countries worldwide. However, it is worth noting that countries, especially those outside the EU, may have entirely different legal standards regarding personal data protection (GDPR).

Background screening can take various forms, including confirmation of academic qualifications, checking the candidate’s financial (credit) history, verifying personal data contained in the candidate’s identity document (for remote recruitment processes), and often also (due to client requirements) checking the candidate’s criminal record (by obtaining certificates of no criminal record from the job applicant). Of course, in its traditional sense, “background check” pertains to verifying information contained in the CV and resume that the candidate provides to the potential employer during the recruitment stage.

Therefore, when outsourcing such activities, it is advisable to ensure that the services offered by entities operating in the market comply with GDPR principles and labor law regarding the protection of personal data.

It should also be noted that internal verification of a candidate’s financial credibility (do they have debts? Have they been convicted?) may be significant for IT companies providing IT outsourcing services to banks (due to access to data covered by banking secrecy). In this regard, contractors may especially require IT specialists providing services to present appropriate certificates of no criminal record.

What does Polish law and regulations concerning the protection of personal data in recruitment say about conducting background checks or verifying information provided by job candidates?

1. The catalog of personal data that an employer may process in accordance with labor law requirements is limited and includes: first name(s) and surname; date of birth; contact details provided by the job candidate. However, data concerning education, professional qualifications, and previous employment may be processed when necessary for performing work of a specific type or in a specific position. This is a closed catalog, although the employer may request other personal data than those specified above when necessary to exercise a right or fulfill an obligation arising from a legal provision.
2. There is therefore no explicit legal basis in the labor code for processing data collected to check a candidate’s background or, for example, their credit history (for positions involving responsibility for entrusted property), or the accuracy of information provided in their CV.
3. In the above situation, processing data based on candidates’ consent can be considered (labor law allows for this), but there are also limitations, as the lack of consent from an employee or its withdrawal cannot be the basis for treating the person seeking employment or an employee unfavorably, nor can it result in any negative consequences for them, especially it cannot constitute grounds justifying refusal of employment, termination of an employment contract, or its termination without notice by the employer.
4. This would mean that if an employer intends to conduct a background check based on candidates’ consent, they should treat candidates for employment who, for example, refuse to give consent to conduct a background check, or who withdraw their consent to processing their personal data during recruitment (which is the right of every individual), equally.
5. Consequently, information obtained during the verification of candidates may prove to be useless because the employer, although having obtained certain information about the candidates, cannot take it into account (e.g., due to withdrawal of consent). It is worth noting, therefore, that also due to positions presented by the Office for Personal Data Protection, the verification of the accuracy of data provided by candidates, or their past, is often difficult under Polish law.
6. Does this mean that, for example, a company to which a bank has entrusted, by written agreement, the provision of IT services (e.g., development of a banking application) cannot verify the criminal record of a candidate who will have access to confidential data (e.g., information about the finances of bank clients covered by banking secrecy)? It should be noted that the basis for obtaining a certificate of no criminal record can be found in the provisions of the Act of April 12, 2018, on the principles of obtaining information on the criminal record of persons applying for employment and persons employed in entities of the financial sector. The Act’s provisions provide for the possibility of conducting a “criminal check” by entities of the financial sector listed in the Act. An entity of the financial sector, within the meaning of the Act, includes, among others, an entrepreneur having its registered office in a member state to which a bank has entrusted the performance of activities, in accordance with Article 6a (1) of the Act of August 29, 1997 – Banking Law. According to the referral contained in the Act, the law allows for obtaining a certificate of no criminal record from an IT specialist when the entity conducting this check, based on a written agreement with the bank, performs actual activities related to banking operations (including outsourcing some IT services performed by IT engineers).
7. And what about a situation where, in connection with remote recruitment, we need to verify data such as the candidate’s first name, surname, or date of birth? In accordance with the law, an employer may demand documentation of candidates’ or employees’ personal data to the extent necessary to confirm them (i.e., conduct a so-called “ID check”). It should also be noted that at the recruitment stage, among others, the identity document number and PESEL number cannot be obtained, and other data contained in the identity document cannot be processed, nor can they be stored – especially in the form of copies or scans (in accordance with the guidelines of the Office for Personal Data Protection). Therefore, if we want to outsource such a process, we must ensure that identity document data will not be processed in violation of the principle of data minimization and unnecessary copies of identity documents will not be made, and also conclude with the entity providing the service to the entrepreneur a proper data processing agreement compliant with GDPR regulations.