Articles

Dutch DPA: Employment agencies violate the privacy of the temporary workers

Dutch DPA: Employment agencies violate the privacy of the temporary workers

Dutch DPA: Employment agencies violate the privacy of the temporary workers

30.04.2015

Each year the Dutch Data Protection Authority [“DPA”], taking its limited capacity into account, sets out a number of key objectives on which it will focus. The protection of privacy in the employment relationship has been one of the priority areas over the last two years. Having regard to the financial dependence between employee and employer and the increasing pressure on the employees as a result of the economic crisis, the employee is in a vulnerable position in terms of protecting its privacy. 

The DPA received various signals that employment agencies appeared to be violating the privacy of temporary workers. In a temporary
employment relationship the agency acts as the employer of the temporary worker [“temp”]. For these reasons, the DPA decided to carry out an investigation in respect of two large employment agencies regarding their compliance with the Dutch Data Protection Act [“DDPA”].

Processing of copies of ID cards

According to the DPA, the investigations confirmed that the employment agencies are violating data protection laws on various points. For example, copies of ID cards are made as soon as the temp signs up at an employment agency and these copies are being shared with potential clients. Making a copy of an ID is only permitted if there is a legal basis, for example under the Wages and Salaries Tax Act or the Foreign National Employment Act, or when it is necessary in

connection with the performance of the contract with the data subject. The reason behind this is that the copies of ID cards left lying around can easily lead to identity fraud. ‘ID copies’ also contain information about race and nationality, and the sharing of this information [at an early stage] can lead to discrimination. In addition, this means that the Social Security Number [“SSN”] of the temp is also being processed without any legal basis. As long as an individual has not actually started working for the agency, the aforementioned exceptions cannot be invoked. The legal obligations to process a copy of an ID or SSN only exist when someone actually starts working for the agency. As a result, it will only be necessary to process the information at that stage in order to be able to perform the temporary employment contract with the temp.

The necessary monitoring of a person’s identity by the agencies during the selection process can be effected in a lawful manner by letting the temp show its ID and allowing the intermediary to check it without making a copy. The employment agencies do not agree with this point of view of the DPA: they find the method impractical and are afraid of mistaken identities or mix-ups, particularly because temps often speak to multiple agencies.

Absence registration

The DPA also noted that both employment agencies process too much data on temps who are ill. The agencies list the nature and cause of the illness, which is not allowed. In line with the previous investigations into processing data of ill employers by absenteeism agencies and occupational health and safety services, the DPA holds that the agencies are only allowed to record that someone is ill and to what extent he/she is incapacitated. Furthermore, this is only permitted when it is necessary for the re-integration or the guidance for the employee as a result of illness or incapacity or to meet legal objectives.

Criminal antecedents

Employment agencies want to be able to screen people for their criminal past for certain positions. The processing of criminal information is, however, prohibited under the DDPA, unless one of the legal exceptions can be invoked. In practice, use of the certificate of good conduct is often made. This does not contain information about a person’s previous convictions or on-going criminal proceedings. Because an application for a certificate can take some time, the agencies usually ask a temp to fill out a statement, in which they indicate if they have or have not committed any criminal offences. If the temps report criminal facts through
the statement, processing of criminal information takes place. Furthermore, this statement is also shared with clients of the employment agency. The agencies are of the opinion that this is allowed because they have received consent for the processing thereof from the temps. However, according to the DPA, this consent cannot be relied on: a successful appeal to base the processing of personal data on the justification ground of ‘consent’ can only exist if the consent is given freely. In this case consent is not given freely because of the imbalance in the relationship between the temp and the employment agency.

Religious symbols

One of the employment agencies occasionally recorded that a temp was wearing a headscarf. In principle, processing such information is forbidden precisely because this can lead to discrimination based on religion or belief. There is no legal exception in place that allows the employment agencies to process such data.

Retention period and follow up

Personal data cannot be held for longer than necessary in order to fulfil the purposes for which they were collected, unless the retention is necessary to meet legal retention obligations. However, in some cases the data were retained longer: one agency even retained the data for 24 [!] years.

The practical implementation of the obligations of the DDPA which companies and business must comply with still remains an obstacle. In early 2014, therefore, the DPA published various do’s and don’ts in which a straightforward explanation was given on how to handle the privacy of the employee in the workplace. Useful guidelines regarding the processing of copies of IDs have also been published.

The investigated employment agencies have promised to improve and have adapted or started to adapt their way of working. The DPA will keep a close eye on the matter: the DPA can order enforcement measures, for example imposing an order subject to a penalty, if the violations continue.


Source: http://www.cbpweb.nl/Pages/pb_20141120_uitzendbureaus.aspx

 

Click here for a PDF version of the 51st edition of our ICT Law Newsletter.

 

Team

Related news

22.07.2021 NL law
Towards a European legal framework for the development and use of Artificial Intelligence

Short Reads - Back in 2014, Stephen Hawking said, “The development of full artificial intelligence could spell the end of the human race.” Although the use of artificial intelligence is nothing new and dates back to Alan Turing (the godfather of computational theory), prominent researchers – along with Stephen Hawking – have expressed their concerns about the unregulated use of AI systems and their impact on society as we know it.

Read more

19.07.2021 BE law
One year of Schrems II: a state of affairs for international data transfers

Articles - International data transfers have been the subject of intense debates ever since the Court of Justice issued its landmark judgement of Schrems I, on 6 October 2015. The intensity of the debate was further reinforced since the Schrems II decision one year ago, on 16 July 2020. The decision annulled the U.S. Privacy Shield and severely tightened the rules on the use of standard contractual clauses (“SCCs”).

Read more

18.05.2021 NL law
Kroniek: De bestuursrechtelijke aspecten van de AVG

Articles - Tom Barkhuysen, Steven Bastiaans en Fatma Çapkurt (Universiteit Leiden) schreven samen de eerste editie van de nieuwe jaarlijkse NTB kroniek: de bestuursrechtelijke aspecten van de AVG. Hierin bespreken zij onder meer de meest relevante (bestuursrechtelijke) jurisprudentie van het afgelopen jaar op het gebied van de AVG.

Read more

18.06.2021 NL law
FAQ: Wat houdt het Wetsvoorstel elektronische gegevensuitwisseling in de zorg (Wegiz) in en wat is de verhouding tot de AVG?

Short Reads - (Digitale) gegevensuitwisseling in de zorg is een actueel thema. Illustratief is een item bij EenVandaag van april 2021 waarin de analoge werkwijze bij gegevensuitwisseling in de zorg wordt aangekaart, maar ook dit artikel in het NRC van afgelopen maand waarin verslag werd gedaan van een datalek waardoor duizenden gevoelige patiëntgegevens op straat kwamen te liggen. 

Read more

04.05.2021 NL law
Participatie en privacyregels: hoe te combineren onder de Omgevingswet?

Short Reads - In het stelsel van de Omgevingswet (Ow) is een belangrijke rol bedacht voor participatie bij de totstandkoming van besluiten. Het beoogde resultaat: tijdig belangen, meningen en creativiteit op tafel krijgen en daarmee een groter draagvlak en kwalitatief betere besluitvorming bereiken. Door een grotere betrokkenheid van meer personen gaan overheden en initiatiefnemers ook meer persoonsgegevens verwerken. Dit brengt privacyrisico’s met zich mee. Wat regelt de Ow op het gebied van privacy, de verwerking van persoonsgegevens en datagebruik?

Read more