Articles

Dutch DPA: Employment agencies violate the privacy of the temporary workers

Dutch DPA: Employment agencies violate the privacy of the temporary workers

Dutch DPA: Employment agencies violate the privacy of the temporary workers

30.04.2015

Each year the Dutch Data Protection Authority [“DPA”], taking its limited capacity into account, sets out a number of key objectives on which it will focus. The protection of privacy in the employment relationship has been one of the priority areas over the last two years. Having regard to the financial dependence between employee and employer and the increasing pressure on the employees as a result of the economic crisis, the employee is in a vulnerable position in terms of protecting its privacy. 

The DPA received various signals that employment agencies appeared to be violating the privacy of temporary workers. In a temporary
employment relationship the agency acts as the employer of the temporary worker [“temp”]. For these reasons, the DPA decided to carry out an investigation in respect of two large employment agencies regarding their compliance with the Dutch Data Protection Act [“DDPA”].

Processing of copies of ID cards

According to the DPA, the investigations confirmed that the employment agencies are violating data protection laws on various points. For example, copies of ID cards are made as soon as the temp signs up at an employment agency and these copies are being shared with potential clients. Making a copy of an ID is only permitted if there is a legal basis, for example under the Wages and Salaries Tax Act or the Foreign National Employment Act, or when it is necessary in

connection with the performance of the contract with the data subject. The reason behind this is that the copies of ID cards left lying around can easily lead to identity fraud. ‘ID copies’ also contain information about race and nationality, and the sharing of this information [at an early stage] can lead to discrimination. In addition, this means that the Social Security Number [“SSN”] of the temp is also being processed without any legal basis. As long as an individual has not actually started working for the agency, the aforementioned exceptions cannot be invoked. The legal obligations to process a copy of an ID or SSN only exist when someone actually starts working for the agency. As a result, it will only be necessary to process the information at that stage in order to be able to perform the temporary employment contract with the temp.

The necessary monitoring of a person’s identity by the agencies during the selection process can be effected in a lawful manner by letting the temp show its ID and allowing the intermediary to check it without making a copy. The employment agencies do not agree with this point of view of the DPA: they find the method impractical and are afraid of mistaken identities or mix-ups, particularly because temps often speak to multiple agencies.

Absence registration

The DPA also noted that both employment agencies process too much data on temps who are ill. The agencies list the nature and cause of the illness, which is not allowed. In line with the previous investigations into processing data of ill employers by absenteeism agencies and occupational health and safety services, the DPA holds that the agencies are only allowed to record that someone is ill and to what extent he/she is incapacitated. Furthermore, this is only permitted when it is necessary for the re-integration or the guidance for the employee as a result of illness or incapacity or to meet legal objectives.

Criminal antecedents

Employment agencies want to be able to screen people for their criminal past for certain positions. The processing of criminal information is, however, prohibited under the DDPA, unless one of the legal exceptions can be invoked. In practice, use of the certificate of good conduct is often made. This does not contain information about a person’s previous convictions or on-going criminal proceedings. Because an application for a certificate can take some time, the agencies usually ask a temp to fill out a statement, in which they indicate if they have or have not committed any criminal offences. If the temps report criminal facts through
the statement, processing of criminal information takes place. Furthermore, this statement is also shared with clients of the employment agency. The agencies are of the opinion that this is allowed because they have received consent for the processing thereof from the temps. However, according to the DPA, this consent cannot be relied on: a successful appeal to base the processing of personal data on the justification ground of ‘consent’ can only exist if the consent is given freely. In this case consent is not given freely because of the imbalance in the relationship between the temp and the employment agency.

Religious symbols

One of the employment agencies occasionally recorded that a temp was wearing a headscarf. In principle, processing such information is forbidden precisely because this can lead to discrimination based on religion or belief. There is no legal exception in place that allows the employment agencies to process such data.

Retention period and follow up

Personal data cannot be held for longer than necessary in order to fulfil the purposes for which they were collected, unless the retention is necessary to meet legal retention obligations. However, in some cases the data were retained longer: one agency even retained the data for 24 [!] years.

The practical implementation of the obligations of the DDPA which companies and business must comply with still remains an obstacle. In early 2014, therefore, the DPA published various do’s and don’ts in which a straightforward explanation was given on how to handle the privacy of the employee in the workplace. Useful guidelines regarding the processing of copies of IDs have also been published.

The investigated employment agencies have promised to improve and have adapted or started to adapt their way of working. The DPA will keep a close eye on the matter: the DPA can order enforcement measures, for example imposing an order subject to a penalty, if the violations continue.


Source: http://www.cbpweb.nl/Pages/pb_20141120_uitzendbureaus.aspx

 

Click here for a PDF version of the 51st edition of our ICT Law Newsletter.

 

Team

Related news

02.07.2019 NL law
Debate night: HR Analytics: opportunity or threat?

Seminar - On 2 July 2019, Stibbe's Digital Economy Group will host a debate night in Amsterdam on the hot topic of HR analytics. During Stibbe's debate night, speakers from the world of business, politics, science and law will exchange views on HR analytics, how they can be used in practice, and their development in the context of employment and privacy law.

Read more

07.06.2019 BE law
Part three - GDPR and public law: To retroact or not?

Articles - Since the General Data Protection Regulation (“GDPR”) became applicable almost one year ago, multiple questions have arisen about its interaction with other fields of law. In this three-part blog series of “GDPR and public law”, we discuss three capita selecta of the interaction of GDPR with public law and government. In this blog we discuss the retroactive application of GDPR.

Read more

21.06.2019 NL law
Nieuw boetebeleid van de Autoriteit Persoonsgegevens

Short Reads - Op 14 maart 2019 zijn de nieuwe Boetebeleidsregels Autoriteit Persoonsgegevens 2019 ("Boetebeleidsregels") van de Autoriteit Persoonsgegevens ("AP") gepubliceerd. Dit boetebeleid heeft de AP opgesteld vanwege de inwerkingtreding van de Algemene verordening gegevensverwerking ("AVG") en omdat er op Europees niveau nog geen boeterichtsnoeren zijn opgesteld.

Read more

06.06.2019 BE law
TMT Roundtable: Getting a handle on software quality

Roundtable - Erik Valgaeren, TMT Partner at Stibbe Brussels, and his team organize a roundtable on software quality in our Brussels office on June 6th, 2019. Software quality is a recurring theme in many matters handled by our TMT team. Whether our assistance relates to preparing tender documents, contracting effectively, assessing proper performance or allocating ownership and accountability in challenging IT projects, questions concerning software quality always arise.

Read more

06.06.2019 NL law
Masterclass: Alcohol and drug testing in the workplace

Masterclass - Stibbe will host a masterclass entitled 'Alcohol and drug testing in the workplace' on 6 June in Amsterdam. During this masterclass, employment law expert Johan Zwemmer and privacy experts Frederiek Fernhout and Judica Krikke will discuss the Dutch Data Protection Authority's general prohibition of these tests and discuss whether and how employers should implement.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring