The scope of GDPR services in the HR sector
Data security in the HR industry business case

The HR industry processes a lot of relevant and sometimes sensitive personal data of employees and candidates. These include information on education and work experience, salary and performance appraisals, health status and, not infrequently, data on family members.
A major challenge in the context of RODO can sometimes be reconciling the interests of the employer with the restrictive data processing regulations for candidates and employees, who are the weaker party in this relationship. In addition, HR companies often use external parties such as IT tool providers to store employee data, benefit providers and providers of monitoring tools such as company cars. This increases the risk of a disorderly entrustment of data processing.
As the ODO 24 team, we have implemented RODO in specialised HR companies. We have dealt with both recruitment and employment-related processes (e.g. in employment agencies). We also have experience in supporting clients for whom HR is not a key business area.
We serve or have served, among others. Verita HR, DSA, Human IT Group, SNW, HRK oraz Trenkwalder.

The HR industry processes a lot of relevant and sometimes sensitive personal data of employees and candidates. These include information on education and work experience, salary and performance appraisals, health status and, not infrequently, data on family members.
A major challenge in the context of RODO can sometimes be reconciling the interests of the employer with the restrictive data processing regulations for candidates and employees, who are the weaker party in this relationship. In addition, HR companies often use external parties such as IT tool providers to store employee data, benefit providers and providers of monitoring tools such as company cars. This increases the risk of a disorderly entrustment of data processing.
As the ODO 24 team, we have implemented RODO in specialised HR companies. We have dealt with both recruitment and employment-related processes (e.g. in employment agencies). We also have experience in supporting clients for whom HR is not a key business area.
What issues have we been dealing with?
We have regulated the reading of attendance based on data from an app on an employee's phone confirming their presence on the premises. We have also increasingly set rules for the use of AI bots in recruitment. In such projects, we analysed whether there could be so-called automated decision-making towards candidates. We evaluated the integration of employer systems with government systems, such as CEPiK. We verified the possibility of supporting foreign candidates in completing formalities, e.g. when applying for an electronic residence card. We examined the admissibility of the processing of criminal record data. We verified the requirements related to the admission of posted workers. We streamlined data flows between group companies that act as temporary work agencies. We regulated the processing of data from GPS devices installed in company cars - not only location data, but also driving style data. We helped implement the so-called outplacement process for departing employees. We reviewed the scope of services provided by recruitment agencies, which often act as processors, but sometimes process data to an unacceptable extent or go beyond their role. We analysed instances of permissible background checks on candidates, including keeping so-called blacklists and retaining recruitment notes. At some of our clients - groups of companies - one of the tasks was to sort out the transfer of candidate data between companies.
Whether we are working for a company specialising in HR services or for an organisation where HR is not a key business area, we regularly face the need to implement effective data deletion procedures. On more than one occasion, we have regulated the sourcing of candidate data from portals such as LinkedIn and the rules for contacting candidates. We have sorted out the provisions of contracts concluded between temporary employment agencies and user employers. We have also dealt with audits of temporary employment agencies conducted by user employers or by their contractors. This issue arises not only in relations with temporary employment agencies, but also in relation to other actors in the supply chain. Our work has led to compliance in a variety of areas - not only those identified above - and to the elimination of the associated risks.
We serve or have served, among others. Verita HR, DSA, Human IT Group, SNW, HRK oraz Trenkwalder.
GDPR and cybersecurity – challenges for the automotive sector
HR companies process a lot of sensitive candidate and employee data every day. Sometimes they also process data that they do not immediately identify as personal data, such as information resulting from an employee's activity while using Microsoft 365 services. The increasing scale of automation and integration of various systems containing candidate or employee data also increases the risk of potential leaks. While employee data breaches typically do not cause as much reputational damage as customer data leaks, they may involve greater risk to individuals and thus more often require notification to the President of the DPA.
Securing personal data and IT infrastructure - including HR and accounting systems (containing, among other things, payroll data) - requires the implementation of effective cyber security mechanisms: from encryption and access management to incident monitoring and responding to attack attempts. It is worth remembering that data leaks of people other than employees often start with the disclosure of company email addresses, which are used to carry out phishing attacks, for example.
We use recognized international standards.
This is how you recognize quality
We use recognized international standards. This is how you recognize quality
CIPM
Implementation of privacy and personal data protection system
ISO/IEC 27001
Information technology - Security techniques - Information security management systems
ISO/IEC 29134
Information technology - Security techniques - Guidelines for data protection impact assessment
ISO/IEC 27001
Privacy information management system
ISO 31000
Risk management - Principles and guidelines
PRINCE2 and SMC™
Project management methodologies
ISO 19011
Guidelines for auditing management systems
ISO/IEC 27005
Information technology - Security techniques - Information security risk management
What our customers say about our services
Marcin Wieczorek

„I am very impressed with the high level of substantive expertise of the training staff”
From 13 to 17 March I attended the "Course for Information Security Administrators" organized by ODO 24 sp. z o.o. I am very impressed with the high substantive level of the training staff and the comprehensive program. Working as an ABI requires knowledge not only of legal provisions but also of IT matters, which ODO 24 took into account. Noteworthy is the curriculum, which gradually introduces increasingly advanced nuances of personal data protection, starting from the legal basics and ending with practical aspects of auditing and working with documents within a company. The complete set of materials, editable documents and publications I received will facilitate my daily work as an ABI. I can certainly recommend ODO 24 as a reliable partner offering training services of a high standard.
Magdalena Węglewska

„We can wholeheartedly recommend ODO 24 as a professional and reliable partner”
For many years we have consistently placed great importance on the protection of the personal data of our customers as well as our employees. We took an active part in creating the "Code of Good Practice for the Protection of Personal Data of Customers and Potential Customers,” developed jointly by GIODO and the Polish Automotive Industry Association. Due to the complexity and variability of the rules on personal data protection, as well as Mazda’s dynamic development in Poland and the increasing volume of data we process, we decided to entrust the ABI function to a company specialized in this field. The decision to use the services of ODO 24 was primarily influenced by the experience and competence of the team of experts, the comprehensiveness of the offering and its flexibility in adapting to our organization. After a year of cooperation we can recommend ODO 24 as a professional and reliable partner.
Agnieszka Karłowicz

„A practical approach, continuous advisory availability, and positive working relationships”
We have been working with ODO24 for over a year. For us it has been a year of peaceful breathing and a sense of security: at least regarding personal data protection :-) The people at ODO are professionals who explain matters that are incomprehensible to the average person in an understandable way. They understand not only their profession but, which is very important to us, business and its requirements. A practical approach, constant advisory availability, and great relationships — all of this means I can recommend this Company to anyone who wants to work and sleep peacefully.
Tomasz Siwicki

„I recommend the company ODO 24 as a professional partner”
For several years we have been cooperating with ODO 24 in the field of personal data protection. A professional team that efficiently helped us to comply with the requirements of the GDPR. We make use not only of the experts’ knowledge but also of professionally prepared e‑training, thanks to which we were able to train several hundred employees in a very short time. I highly recommend ODO 24 as a professional partner delivering services at the highest level.
Opinion of the participants
Tomasz G.
2 years ago
I wanted to thank you for the wonderful training I've had at your company, the materials were very well prepared, and the instructor has shown tremendous knowledge and experience.
Aleksandra P.
2 years ago
Training at a very high level, I highly recommend!!! Training materials very useful in everyday work.
Sławomir M.
2 years ago
Mrs. Mecenas, it was an honor to be able to take part in this training, and thank you very much for your professional approach and valuable practical guidance.
Wacław T.
3 years ago
The IOD course organized by ODO24 has met all my expectations, a very practical approach, concrete examples and professional support.
Maria K.
1 year ago
The training was conducted in a way that was understandable even to those without previous experience in this field.
Piotr N.
10 months ago
Very good training, a lot of practical examples, a little bit too little time to ask questions, but overall I'm satisfied.
Anna W.
8 months ago
A professional approach, a great atmosphere during the training, the instructor answered all the questions thoroughly, and I highly recommend ODO24!
Jan K.
1 year ago
It's the best personal data protection training I've ever had, specific examples from real life, not just a dry theory, I recommend it to anyone who works with GDPR.
Katarzyna J.
6 months ago
The training meets my expectations. A lot of practical knowledge, good materials. The only drawback is too much group, so less time for individual consultations.
Michał L.
4 months ago
Excellent training! A very competent conductor with vast experience. Everything explained in a clear and understandable way. The training materials are very useful.
Joanna D.
3 months ago
I recommend ODO24 training to anyone seeking a sound knowledge of the field of ODO: professional service, excellent organisation and excellent teaching facilities.
Andrzej S.
2 months ago
Sometimes the pace was a little too fast, but the conductor was happy to return to the topics discussed earlier at the request of the participants.
RODO in HR Questions and Answers
The processing of candidates' data in the recruitment process must be carried out in accordance with the principles of RODO, in particular the principles of data minimisation and transparency. The HR company should collect only the data necessary to assess the candidate, and provide the candidate with an information clause specifying the purpose of the processing, the legal basis and the retention period.
Candidates' CVs may be retained for the duration of the recruitment process. If the HR company wishes to keep candidates' data for the purposes of future recruitment processes, it is necessary to obtain appropriate consent. In practice this also means implementing a data retention policy and conducting regular reviews of candidate databases.
Yes, however in such a situation the HR agency often acts as a processor of data on behalf of its clients. It is then necessary to conclude a data processing agreement, which sets out the rules for processing candidates' data and the obligations of both parties.
Each candidate should receive information about the data controller, the purpose of processing, the legal basis, the retention period and their rights. The information clause should be available already at the stage of the job advertisement or the application form.
Yes, but only if the candidate’s consent to the processing of data in future recruitment processes is obtained. Consent should be voluntary, specific and capable of being withdrawn at any time.
ATS and HRM systems should meet the security requirements set out in RODO. This includes access control to data, encryption of information, keeping a record of processing activities and regular security testing.
Yes, but only to the extent necessary to carry out the recruitment process. Data should be transferred securely, and the relationship between the HR agency and the client should be regulated by an appropriate agreement — an entrustment of data processing or the provision of data in a controller-to-controller model.
Data of seconded employees should be retained for the period necessary to fulfil the secondment agreement and for the duration required by labour and tax law. After that time, the data should be deleted or anonymised.
Yes, most HR companies process data in a systematic way, and therefore should maintain a record of processing activities. This document describes, among other things, the purposes of processing, categories of data and the security measures applied.
An HR company should implement a security incident management procedure that sets out how breaches are identified, how they are analysed and the obligation to report a breach to the supervisory authority within 72 hours if there is a risk to the rights of natural persons. This procedure should cover both cases where the HR company is the data controller (itself assesses the incident) and where it is the processor (in which case it only passes information about the incident to the relevant data controller).
Our greatest value is the trust of our customers.
How can we help you?
Write or call, we will find a solution






