How GDPR affects Staffing and Recruiting
GDPR affects staffing and recruiting by regulating how candidate data can be collected, stored and processed. Processing generally occurs when a recruiter gathers data on potential candidates and searches among them. The data handled in a recruitment process can include contact information, grades, certifications, CVs, general data, tests and other documents. Companies also process personality and skills tests and document interviews with candidates.
Here are a few key directives of GDPR that affect the daily work of recruiters and hiring teams:
- You need legitimate interest to process candidate data. GDPR obliges you to collect data only for “specified, explicit and legitimate purposes.” This means, for example, that you can source candidate data as long as you collect job-related information only and you intend to contact sourced candidates within 30 days.
- You need to have candidate consent to process sensitive data. GDPR requires you to ask for consent when you want to process data like disability information, cultural, genetic or biometric information or information gathered for the EEO survey or a background check. In these cases, you must ask for consent in a clear and intelligible way and provide candidates with clear instructions on how to withdraw their consent should they wish to.
- You need to be transparent about processing candidate data. Companies must have clear privacy policies and recruiters are obliged to make those policies available to candidates. You must also disclose where you store candidate data (e.g. your ATS) and state that you will use this data for recruitment purposes only.
- You need to assume responsibility for compliance (accountability). Your company needs to be able to demonstrate compliance with the GDPR. For example, under GDPR, your company is responsible for who it does business with (e.g. an ATS provider or sourcing services). If your contractors fail to comply with the law, your company is accountable as well.
Also, you are obliged to comply when candidates exercise their rights under GDPR:
- Candidates have the “right to be forgotten.” Candidates have the right to ask you to delete and stop processing their personal data. You must locate every place that you keep their information (e.g. spreadsheets) and delete it within one month after receiving the candidate’s request.
- Candidates have the right to access their data and ask you to rectify it. Candidates have the right to ask what data of theirs you hold. They can also request that you correct any inaccuracies (rectification). You must grant both requests within one month and provide candidates with a free, electronic copy of their own personal data.
Source candidates online with care
Sourcing is an essential function for organisations that want to find great people. However, sourcing requires finding and storing personal candidate data, so complying with GDPR at every step is critical.
First, keep in mind that you need legitimate interest to source candidates and process their personal data. Ensure that you:
- Actually intend to contact those candidates. Simply building your talent database by adding candidate data in case you need it in the future is not legal under GDPR.
- Plan to contact candidates as soon as possible. You can only keep a candidate’s data without informing them for a limited time (a month at most). Contact these candidates as soon as possible and delete their data if they ask you to. If you change your mind about a candidate, and decide not to contact them, you must delete their data immediately.
- Collect only the data you need. You may want to process candidate data relating to education, work history or skills along with contact details. These types of data make sense for your recruitment process. However, you should not process irrelevant data (e.g. cultural information) for recruiting purposes. If you need to process this data, make sure to explain it when you contact candidates and ask for their consent.
- Obtain data lawfully. Gathering data from social profiles is legal under GDPR, if those profiles are publicly accessible and if you can reasonably assume that candidates expect to be contacted. For example, you may assume that a publicly accessible LinkedIn profile indicates a reasonable expectation of contact. Only then, you can proceed to process candidate data.
GDPR Affects Different Types of Recruitment
There are mainly two ways to perform recruitment. The first is the traditional individual job posting. The second is recruitment through a recruitment platform. Depending on how you recruit, both the legal basis for processing and the information you must provide to the data subjects differ. Therefore, in the following we describe the legal basis and the information to give in both situations. After that, we describe the special category of recruitment that is an external search. We round off this article by describing how to process two data types relevant to the recruitment process.
Individual Job Posting
A data subject applies to a job listing. The candidate sends their application to either a recruitment firm or the hiring company.
The main legal basis for the processing is the contract for recruitment. Consent is also possible if it fulfils the legal requirements; that is, it must, for example, be explicit and freely given.
It is also important to provide the applicant with relevant information about the processing activity. This information must be clear, and you must give it in an appropriate and easily accessible way. The information provided to the data subject should advise them not to attach sensitive data to the application. Additionally, if the legal basis for the processing is consent, you must inform the applicant of their right to withdraw consent at any time.
According to GDPR, the applicant must be informed if the data will be stored for future recruitments and must be able to withdraw their consent or object to the processing.
GDPR’s Effect on Recruitment Platforms
Recruitment firms and larger organisations use recruitment platforms to process the data of candidates. The data can include various documents, such as a resume and notes from an interview. The data can be of a more or less sensitive nature; sometimes it is the combination of data that could be considered intrusive. As a rule of thumb, recruitment platforms use personal data in ways that mandate a data protection impact assessment: often there are large-scale data sets, candidates are profiled and scored, and data sets from different sources are matched.
Legal basis for the processing can be either contract, consent or legitimate interest.
Legitimate interest can be used when, first, there is a documented legitimate interest and, second, this interest outweighs the interest of the applicant in not having their personal data processed. Since it is in the interest of the applicant to be recruited, this is normally not a problem, because the candidate has applied for the work themselves. But you cannot process more data than you need to fulfil the interest identified, such as giving an effective and purposeful service.
Head Hunting (External Search)
Sometimes a hiring company, either on its own or with the help of a recruitment firm, performs an external search (also called headhunting). This search can be based on legitimate interest, provided that the headhunter respects the potential candidate's restrictions in terms of availability to the job market. The legitimate interest can, for example, be to find talented candidates for recruitment. The interest can also include informing these candidates of an offer and mediating it.
When a headhunter has collected some candidates by searching on the web, the headhunter must contact each individual and ask for his or her consent to proceed. The candidate must receive information about, for example: what personal data has been collected, from what sources, retention periods, the recipients of the data, the purposes and legal basis, the individual rights of the candidate, and that the candidate may object to further processing.
A rule of thumb is to communicate within the same channel in which you found the CVs, such as LinkedIn Recruiter or LinkedIn. Do not export the data into your own CRM or email program and continue the recruitment process without the candidate's consent.
For an external search to be compliant with GDPR, it cannot include more data than what is strictly necessary and relevant to the job offer. You must inform the data subject about the processing, and you must give the data subject the opportunity to object to it.
Special Category Data
According to the data minimisation principle, a controller must limit the data it processes to what is necessary. You assess necessity with consideration to the purpose of the processing. A recruiter cannot process special category data if it is not relevant to the specific job offering, and information about this collection must be provided at first contact, i.e. in the job listing. This includes both health data and data on criminal records.
Managing the References
In recruitment it is common to process data about references. These references normally include only a name and a way of contacting them, such as a phone number. It is the applicant's responsibility to tell the reference about the processing of their personal data, but the recruiter must inform the applicant of their responsibility to talk to their references.
Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
Zlatko, Adam, Hristina, Marin.