Hays Poland
Candidate Privacy Notice
Effective from 1 July 2026.
If you are on this page because you wish to access your marketing preferences click here.
Introduction
This Candidate Privacy Notice explains how Hays collects, uses, shares, and protects your personal data when you engage with us or are contacted by us in connection with work related opportunities.
Who is this notice for
This Candidate Privacy Notice applies to you if you engage with Hays as a candidate for permanent or temporary employment, or as a freelancer/contractor. It also applies if your profile or application has been introduced to Hays by another recruitment supplier, agency, or similar intermediary.
If you are seeking employment with Hays internally, you should refer to our Internal Recruitment Privacy Notice.
Who we are
We are Hays Group (“we”, “us”). We are the data controller, which means we decide how and why your personal data is used during recruitment. Depending on your country and the type of opportunities you are pursuing, different Hays entities may be responsible for the processing of your personal data. We provide a full list of the Hays data controllers which apply to you while reading this Candidate Privacy Notice in Appendix 1 below.
1. What personal data we collect
2. Where we obtain personal data from
3. How we use your personal data
4. What the candidate database is and how we use it
5. How long we retain your personal data
6. Who we share your personal data with
7. Where we transfer personal data
8. What your rights are
9. How to exercise your rights and contact us
10. How we use automated decision-making and artificial intelligence
11. How we protect your personal data
12. Updates to this policy
13. Appendix 1
1. What personal data we collect
We only collect personal data that is necessary to engage with you in connection with work-related opportunies, including the assessment of your profile, and, where applicable, the initaition, administration, and performance of any resulting contracutal relationship. Certain personal data (such as your CV and contact details) is required to assess your suitability and progress your application. If you do not provide this information, we may be unable to consider you for roles or continue the recruitment process.
Personal data you provide directly
- Name and contact details
- CV/resumé, work history, qualifications, education
- Skills, certifications, professional memberships
- Current and expected renumeration and benefits, or pay rate
- Cover letters, questionnaires, assessment responses
- Interview notes, meeting and call transcriptions, or recordings (if applicable)
- Bank account information
- Other information you may choose to share with us, such as photograph, date of birth, nationality, next-of-kin
Sensitive or special category data (collected only when lawful and appropriate)
- Health or disability information (used to provide adjustments)
- Diversity information [e.g., ethnicity, gender, sexual orientation, religious affiliation, etc.] (only where permitted by law and subject to your explicit consent)
- Vaccination or health‑screening data (only for roles requiring it)
- Criminal background checks (only where permitted by law and for roles requiring it)
Personal data we collect indirectly from other sources
- References and employment verification
- Background screening (including right to work, education/qualification verification) from providers we contract with (where legal and appropriate)
- Interview or role-specific feedback from our clients
- Your published professional profile (e.g., LinkedIn)
- CV/resumé or employment details provided to us by another recruitment agency, managed service provider, or recruitment outscourcer
Personal data we collect automatically
- IP address and device identifiers
- Log data (dates/times you access our platform)
- Cookie or tracking data if you browse our website, apps, use our online recruitment systems or interact with our marketing emails
- Behavioural insights (e.g., jobs viewed, interaction history)
Please note the above list of categories of personal data is not exhaustive and is subject to change depending on legal obligations, our legitimate interest, or through your explicit consent.
2. Where we obtain personal data from
In many cases, we collect your personal data directly from you, for example when you submit your CV, apply for a role, communicate with us, or otherwise engage with our (recruitment) services.
However, in some circumstances we may also receive personal data about you from other sources, including:
- Recruitment suppliers, agencies or other intermediaries who introduce your profile to us in connection with potential work opportunities
- Your current or former employer, referees, or professional contacts, where you have asked them to share your details with us or where this is appropriate in the recruitment context
- Publicly available sources, such as professional networking platforms, job boards, talent pools, company websites or other online sources, where your personal data is made publicly accessible for professional or recruitment purposes
- Third-party service providers we work with in the recruitment process, for example providers of skills assessments, background checks (where permitted by law), or similar services
Where we obtain your personal data from third parties or publicly available sources, we do so only where this is permitted by applicable data protection laws and where we have a lawful basis to process your data. We will use such personal data in accordance with this Candidate Privacy Notice and for the purposes described in it.
3. How we use your personal data
The legal bases we rely on for our recruitment related activities may differ depending on the country you are located in. While we generally process personal data on the basis of contractual necessity, legal obligation, or our legitimate interests where permitted by applicable law, we may rely on your consent for certain processing activities or in jurisdictions where consent is the primary lawful basis for processing. Where we rely on your consent, you may withdraw it at any time in accordance with applicable law. Further information on country‑specific requirements is set out in Appendix 1.
Where we rely on our legitimate interests to process your personal data, these interests are primarily connected to operating an effective, high‑quality and responsible recruitment business. In particular, our legitimate interests include:
- identifying and matching suitably qualified candidates with relevant job opportunities;
- maintaining an up‑to‑date candidate database to enable timely and efficient recruitment activities;
- improving the quality, accuracy and efficiency of our recruitment technology, services and processes;
- meeting the expectations of our clients by presenting suitable candidates for roles they are seeking to fill;
- preventing fraud, misuse of our services and ensuring the security of our systems; and
- establishing, exercising or defending legal claims.
We carefully consider the impact of such processing on your rights and freedoms and apply appropriate safeguards.
Purposes & Legal Bases
|
Purpose |
What We Do |
Legal Basis |
|
Pre recruitment activities |
Determine whether you might be interested in or benefit from our recruitment services. Our legitimate interest is to proactively identify and approach potential candidates in order to offer relevant career opportunities and recruitment support. |
Legitimate Interests |
|
Process your application |
Review your CV, assess suitability, conduct interviews & tests. Our legitimate interest is to assess your suitability for roles and to efficiently match qualified candidates with relevant job opportunities. |
Legitimate Interests; Contract |
|
Communicate with you |
Schedule interviews, request info, send updates, manage our relationship with you. Our legitimate interest is to manage the recruitment process effectively, keep you informed, and maintain an appropriate and ongoing candidate relationship. |
Legitimate Interests; Contract |
|
Post recruitment relationship |
Maintain an ongoing relationship with you or support you in your next role. Our legitimate interest is to maintain an ongoing professional relationship with you and support you in identifying future career opportunities. |
Legitimate Interests |
|
ID/Background/reference checks/compliance checks/sanction list checks |
Verify your ID, qualifications, work history, right‑to‑work, criminal checks (only where legally permitted), compliance and sanction lists checks. |
Legal Obligation; Legitimate Interests; Consent where required |
|
Skills or psychometric assessments |
Run role‑specific tests with human review (only where legally permitted). Our legitimate interest is to assess role relevant skills, competencies and suitability in order to improve the accuracy and fairness of candidate matching and to support informed recruitment decisions, always with human review. |
Legitimate Interests |
|
Provide reasonable adjustments |
Use health/disability info to adapt our recruitment process. |
Consent; Employment‑law obligations |
|
Diversity & equal opportunities monitoring |
Use diversity data in aggregated, anonymous form only. |
Consent; Legal Obligation |
|
Including you in our Candidate/Talent Pool |
Retain your CV to match you with future roles we may believe are suitable. Our legitimate interest is to maintain an organised and searchable database of candidates in order to efficiently match individuals with current and future job opportunities, reduce repeated data collection, and provide ongoing recruitment support. |
Legitimate Interests |
|
Administration |
Make records, including transcriptions of meetings with you, to allow our consultants to focus on their relationship with you, to ensure our information is accurate and up to date, and improve the quality of our systems and processes. Our legitimate interest is to accurately document recruitment‑related conversations, improve the quality and consistency of our recruitment processes, and allow our consultants to focus on meaningful engagement with candidates rather than manual note‑taking. |
Legitimate Interests; Consent |
|
Other recruitment related services |
Offering you a related service, such as CV writing guidance, trainings, carreer coaching. Our legitimate interest is to provide additional recruitment‑related support that may enhance your employability and career prospects. |
Legitimate Interests |
|
Service improvement |
Improve your experience and develop or optimise our recruitment technology, to analyse how our recruitment services are used and to build new, or to improve the quality, effectiveness and reliability of our processes, tools and candidate experience. Our legitimate interest is to ensure that our recruitment services remain accurate, efficient and relevant, and that candidates are presented with suitable opportunities in a timely manner. |
Legitimate Interests |
|
Marketing |
To contact you about future opportunities, networking events, industry insights, or about vacancies we believe we can help you to fill. Where we rely on our legitimate interests for recruitment‑related communications, this is limited to communications about similar roles or services that are relevant to your professional profile and expectations. |
Consent; Legitimate Interests |
|
Advertising |
To present you with adverts and other content that we think are relevant to you, on other digital channels. Or to use your data to create profiles we may use to promote our services. |
Consent |
|
Analysis |
Use insights to better understand employment trends and insights across industries. Our legitimate interest is to analyse recruitment trends and outcomes in order to improve our services and better understand labour market developments. |
Legitimate Interests |
|
Anonymisation of data |
Process personal data in order to anonymise it, thereby enabling its further use for lawful purposes such as testing, statistical analysis, and the improvement or development of our products and services, without identifying individuals. Our legitimate interest is to anonymise personal data in order to enable its further use for statistical analysis, testing, and the improvement or development of our recruitment services, while no longer identifying individuals. |
Legitimate Interests |
|
Legal, regulatory & compliance |
Keep necessary records, respond to authorities, prevent fraud, establish, exercise or defend ourselves from legal claims. Respond to and participate in client audits and fulfil our client compliance obligations. Our legitimate interest is to fulfil client audit and compliance requirements, ensure transparency and accountability in the provision of our recruitment services, and maintain trusted business relationships with our clients. |
Legal Obligation; Legitimate Interests |
|
Customer satisfaction |
Assess and improve customer (client and candidate) satisfaction, including through surveys and feedback analysis. Our legitimate interest is to assess and improve the quality, effectiveness and reliability of our recruitment services for candidates and clients. |
Legitimate Interests |
|
Investigation/Whistleblowing |
Investigate or respond to any incidents, complaints or grievances involving you and prepare reports in relation to the same. Our legitimate interest is to investigate and respond to reported incidents, complaints or suspected misconduct, and to protect the integrity of our business, our candidates, and other stakeholders, including by establishing, exercising or defending legal claims. |
Legitimate Interests Legal Obligation |
|
Business relationship |
For freelancers/contractors, process: personal data necessary for the provision of services including, performance monitoring and billing. |
Contract, Legitimate interests, Legal Obligation |
|
Profiling / automated tools |
Use automated tools to help screen or match applications (never fully automated final decisions), building profiles to enable us to provide the best possible service and maximise the relevance of opportunities and content we provide to you. Our legitimate interest is to support our consultants by improving the relevance of job matching, reducing administrative workload, and ensuring that candidates are considered for roles aligned with their skills and experience. Automated tools are used only to support human decision‑making and never to make fully automated final hiring decisions. |
Legitimate Interests; Consent where required |
You have the right to object at any time to personal data processing where we have explained that we rely on Legitimate Interest. Please see the “How to exercise your rights and contact us” section.
We do NOT sell your personal data to third parties.
This includes for California Consumer Privacy Act/California Privacy Rights Act purposes.
4. What is the candidate pool and how do we use it
If your details are held in our database, they form part of our “Candidate Pool”. This allows us to store and update your information, track your progress through recruitment processes, and consider you for current and future job opportunities. Our consultants regularly search the Candidate Pool to identify potential matches. If we find a role that may be suitable, we will contact you to check whether you are interested. If you are, we will continue the recruitment process with you; if not, your details will remain in the Candidate Pool so that we can consider you for other opportunities and continue offering you recruitment‑related support (such as training opportunities, salary guides, or guidance on CVs and interviews).
If you object we will record and respect your objection and, where needed, work with you to understand which processing you no longer want us to carry out.
5. How long we retain your personal data for
We follow Hays’ Group Data Retention Policy. Your personal data will be retained only for as long as required to meet legal obligations, where we have an ongoing relationship with you, or where we have a legitimate business interest.
Examples of legitimate interests include:
- Keeping records of recruitment decisions
- Considering you for future roles
- Fulfilling audit or compliance requirements
When personal data is no longer needed, it is securely deleted or anonymised. We provide more information on the retention duration which applies to you in Appendix 1 below.
6. Who we share your personal data with
We may share your personal data with:
|
Recipient |
Why We Share |
|
Clients |
When you apply for a role with them or a role they sponsor |
|
Recruitment technology providers |
To manage applications, assessments, and storage |
|
Background‑check providers |
When role appropriate and legally permitted |
|
Group companies |
When another group entity participates in the hiring process or supports our operations |
|
Legal or regulatory authorities |
When required by law |
|
(IT/cloud) service providers |
Secure storage, hosting and support our operations |
|
Managed Service Providers |
To support Hays or Hays’ clients in our resourcing and/or recruitement services |
|
Auditors |
As strictly necessary to conduct or participate in Internal or External Audits |
|
Other Organisations |
As strictly necessary during a Merger or Acquisition involving Hays Group or its legal entities |
We require all third parties to protect your data, use it only as instructed, and ensure that appropriate safeguards are in place.
7. Where we transfer your personal data
As we are a multi-national organisation, your data may be accessed or stored in countries outside your home country.
Whenever we transfer personal data internationally, we use one or more of the following:
- Adequacy decisions (countries officially recognised as having strong data protection laws)
- Standard Contractual Clauses (SCCs) or similar safeguards
- Other legally approved mechanisms
Where necessary, we complete Data Transfer Impact Assessments to assess the risk of transferring your personal data, and to ensure that we have acceptable safeguards in place.
You may request more information about these safeguards.
8. What are your rights
Depending on your location, you may have the following rights:
- Access your personal data
- Request correction of inaccurate personal data
- Request deletion (with lawful exceptions)
- Restrict certain processing
- Object to processing based on legitimate interests
- Data portability
- Withdraw consent at any time (where processing is based on consent)
- Right to not be subject to an Automated Decision
- Right to complain to our Data Protection Team regarding our processing of your personal data
- Right to complain to your local data protection regulator
9. How to exercise your rights and contact us
If you wish to exercise any of your rights, or if you have questions or concerns about how your personal data is used, you can contact the relevant Hays entity responsible for processing your personal data. As responsibility may vary depending on your country and the nature of your engagement with us, the appropriate contact details may differ.
We provide a full list of the relevant Hays entities and their contact details, including data protection contact points, in Appendix 1 below.
You may also contact your local data protection regulator/authority if you are not satisfied with our response.
10. How we use automated decision-making and AI
We are constantly exploring ways in which we can improve our service, and enable our colleagues to help you find the best match for your skills and experience. We use automated tools to support screening or matching, but hiring decisions are never made solely by automated means. Human review is always included. Our use of AI is focussed on connecting the best individuals to the best opportunities, and taking some of the administrative burden off our colleagues so they can spend more time connecting and understanding you and your needs. We will never use AI to fully automate the hiring process, and we will be transparent in our use of AI throughout our hiring processes.
11. How we protect your personal data
We are constantly improving our organisational and technical security measures to keep your data secure, including regular training for our colleagues, role based access controls, cyber threat detection, data encryption, secure data storage, and regular auditing.
12. Updates to this policy
We may update this policy to reflect changes in our practices or legal requirements. The latest version will always be available on our website and includes an “Effective Date”. Significant changes will be communicated when required.
13. Appendix 1
|
WHO WE ARE |
HAYS Poland sp. z o.o., with its registered office in Warsaw, ul. Marszałkowska 126/134, 00-008 Warsaw, entered in the register of entrepreneurs of the National Court Register under KRS number: 0000165021, Tax Identification Number (NIP): 5252269193, with share capital of PLN 1,595,000.00. Hays Outsourcing sp. z o.o., with its registered office in Warsaw, ul. Marszałkowska 126/134, 00-008 Warsaw, entered in the register of entrepreneurs of the National Court Register under KRS number: 0000525318, Tax Identification Number (NIP): 5272720107, with share capital of PLN 5,000.00. Hays Poland Centre of Excellence sp. z o.o., with its registered office in Warsaw, ul. Marszałkowska 126/134, 00-008 Warsaw, entered in the register of entrepreneurs of the National Court Register under KRS number: 0000550129, Tax Identification Number (NIP): 5272732719, with share capital of PLN 1,000,000.00. Where more than one of the Hays entities listed above jointly determines the means and purposes of the processing of your personal data, those entities will process your personal data as joint controllers within the meaning of Article 26 ( 1 ) of the GDPR.
We comply with the requirements set out in the GDPR in relation to establishing joint controllership arrangements between Hays companies. If you wish to exercise your rights under the GDPR in connection with the processing of your personal data by Hays entities acting as joint controllers, please contact us using the communication channels listed above. |
|
HOW TO EXERCISE YOUR RIGHTS AND CONTACT US |
You can contact the data protection team by email at [email protected]. You can also contact us by post at: Hays Poland sp. z o.o., ul. Marszałkowska 126/134, 00-008 Warsaw. |
|
HOW LONG WE RETAIN YOUR PERSONAL DATA FOR |
We will keep your personal data on our systems for up to three years from the date on which it is obtained or from the date on which we establish contact with you (or, where applicable, with the company for which you work or with which you cooperate). After that period, your data will be deleted or anonymised, unless further retention is necessary for purposes arising under applicable law or for the establishment, exercise or defence of legal claims. For the purposes of this Annex, establishing contact means, in particular, submitting your CV via our website, taking part in one of our online training sessions, contacting us regarding potential job opportunities (whether verbally or in writing), or clicking on a link contained in one of our marketing messages. Merely receiving, opening or reading an electronic message from us will not be regarded as establishing contact in this context; we will only regard active steps taken by you, such as clicking on a link or replying directly to a message, as establishing contact. In the case of Candidates whose services are provided through an external company or another entity, establishing contact with you means establishing contact with the company or entity that provides services on your behalf. If such company or entity informs us that it is no longer working with you, we will retain your personal data for no longer than three years from that point or, if later, for a period of three years from the date on which we establish direct contact with you. In the case of Candidates who wish us to process their personal data solely in connection with a specific job application and who have objected to the inclusion of their data in the candidate pool, we will retain your personal data only for the period necessary to carry out the relevant recruitment process, which may be extended by the period required to fulfil legal obligations or by the period necessary for the establishment, exercise or defence of legal claims. |
|
HOW WE USE YOUR PERSONAL DATA |
Purposes and legal bases for processing personal data To the extent applicable under the law, we process your personal data on the following legal bases:
Special categories of personal data We process special categories of personal data where this is necessary for the purposes of carrying out obligations or exercising specific rights in the field of employment, social security and social protection law, pursuant to Article 9 ( 2 ) ( b ) of the GDPR, to the extent that such processing is permitted under applicable law and subject to appropriate safeguards. This may include, in particular, situations in which the processing of special categories of personal data is necessary:
In limited cases, we may also process special categories of personal data on the basis of your explicit consent, pursuant to Article 9 ( 2 ) ( a ) of the GDPR. Processing on the basis of consent In certain circumstances, we process your personal data on the basis of consent, pursuant to Article 6 ( 1 ) ( a ) of the GDPR, in particular:
Where processing is based on consent, such consent is given voluntarily, specifically, knowingly and unambiguously, and may be withdrawn at any time with effect for the future. Withdrawal of consent does not affect the lawfulness of processing carried out before the consent was withdrawn. Recruitment-related communications In cases permitted by applicable law, we may contact you regarding recruitment-related matters without obtaining separate consent, where:
You may object to receiving such communications at any time by using the unsubscribe mechanism provided or by contacting us in accordance with the information set out in this Annex. |
|
PROVISION OF PERSONAL DATA |
The provision of personal data to the extent specified by law, in particular Article 22¹ of the Labour Code, is necessary in order to participate in the recruitment process concerning employment under an employment contract. The provision of other personal data is voluntary; however, it may be necessary in order to participate in particular stages of the recruitment process or to use selected recruitment-related services. Failure to provide personal data required by law or necessary for the conduct of the recruitment process may result in us being unable to consider your application or continue the recruitment process. Where personal data are processed on the basis of consent, providing such data is voluntary and a failure to give consent will not result in any adverse consequences. |
|
SUPERVISORY AUTHORITY |
Urząd Ochrony Danych Osobowych |
.
