Required Candidate Data in the Recruitment Process for Educational Institutions

The recruitment process for educational institutions—whether conducted electronically or in paper form—is currently underway or will begin shortly. It is worth revisiting a few fundamental principles regarding the collection of personal data from candidates and their parents or legal guardians.

What Personal Data Can Be Collected?

The scope of personal data that educational institutions are allowed to collect during recruitment is clearly defined in Polish education law. The required data includes information about the student and their parents or legal guardians.

  • For minor candidates: first name, last name, date of birth, and PESEL number; if the PESEL is unavailable – the series and number of a passport or other identity document. Also collected are the names and surnames of the parents, residential addresses of both the parents and the candidate, and—if available—their email addresses and phone numbers.
  • For adult candidates: first name, last name, date of birth, and PESEL number; or, if unavailable, the series and number of a passport or another identity document. Also required are the names of the parents, the candidate’s residential address, and—if available—their email address and phone number.

Applications must also include other documents required by education law, such as declarations of single parenthood or family court rulings on divorce or separation.

Can Legal Guardian Identification Data Be Collected?

The collection of PESEL numbers or ID card details (series and number) of a candidate’s parents or legal guardians is not authorised by education law as a necessary part of the recruitment process. Therefore, obtaining this information is unlawful and constitutes a violation of:

  • the principle of data minimisation,
  • the principle of legality, and
  • the principle of proportionality (Article 5 GDPR).

Accordingly, educational institutions should not request PESEL numbers or ID card details from parents.

How Long Can Recruitment Data Be Stored?

The retention period depends on the outcome of the recruitment process. Different rules apply to admitted and non-admitted candidates:

  • For admitted candidates: personal data may be stored no longer than the duration of the student’s enrolment at the institution.
  • For non-admitted candidates: data may be stored for up to one year, unless a complaint has been filed with the administrative court against the director’s decision and the case has not yet been resolved by a final judgment.

Can Recruitment Results Be Published?

Recruitment results are made public. The list of qualified candidates must include their first and last names, sorted alphabetically, and the minimum score required for admission.

According to education law, this list must be displayed at the institution’s premises in a visible location.

Currently, it is also permitted to publish recruitment results on the institution’s website due to the extraordinary national circumstances, in accordance with temporary legislation issued under the COVID-19 special act.

Position of the Polish Data Protection Authority (UODO)

According to UODO guidelines, it is not permitted to publish recruitment results via social media platforms or institutional fan pages.

Publishing personal data online carries risks that should be assessed through a risk analysis. When publishing candidate lists, institutions must apply the data minimisation and storage limitation principles outlined in the GDPR.

Given these risks, UODO recommends that school directors notify candidates individually, using electronic communication methods.

After the temporary suspension of educational institution operations ends, candidate lists should be removed from the website and remain only on the notice board within the institution.

Are There Other Obligations?

Yes. The recruitment process requires the fulfilment of the information obligation under Articles 13 and 14 of the GDPR toward individuals whose data are being collected.

This can be achieved by:

  • including an information clause on the application form, or
  • providing the clause as a separate document to the parents or adult candidates.

This may be either a full clause or an appropriately shortened version, provided that the full document is made available on the institution’s website and posted on site.

In the event of an audit by the supervisory authority, the institution must be able to demonstrate that the obligation has been met. For example, this can be done by producing a signed copy of the information clause from the parent or legal guardian.

Legal Basis:

In accordance with the Act of 14 December 2016 – Education Law, parents or legal guardians submit an application for their child’s admission to the selected educational institution. The content and required attachments are regulated under Articles 150 and 151 of the Act. Notably, the collection of data is not based on consent, but on a statutory obligation to provide certain categories of data (Article 150(1) of the Act).