Responsibilities of Recruitment on Processing Personal Data of Candidates Based on GDPR
The protection of personal data is a fundamental human right: individuals have a right to privacy and to control over their personal information. According to the Universal Declaration of Human Rights (UDHR), no one shall be subjected to arbitrary interference with his privacy (Article 12 of the UDHR). The right to the protection of personal data therefore has to be guaranteed by law. In the European Union (EU), personal data is strictly protected by the General Data Protection Regulation (GDPR), which took effect across the EU on 25 May 2018. This regulation marks a major step forward in protecting individual privacy in all areas of life. In particular, the GDPR requires organizations to keep the personal information of customers, employees, and users confidential and to use it only for notified and authorized purposes. For employers and recruitment agencies, the GDPR significantly affects how candidates’ information is collected, stored, used, and shared, so they must comply with the GDPR whenever they collect and process candidates’ personal information. The information job applicants typically provide, such as date of birth, nationality, address, phone number, email, educational record, and work experience, is listed as sensitive information. This article analyzes the GDPR’s requirements on how employers may lawfully collect and process the personal data of job candidates.
GDPR and Recruitment Process
The GDPR aims to protect natural persons with regard to the processing of personal data, which it treats as a fundamental right (Recital 1 of the GDPR). The regulation gives individuals greater control over their data and requires companies to be more transparent about how they collect, process, and use personal data. Personal data, in the GDPR, means any information relating to an identified or identifiable natural person. The identifying information can be “[...] a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4(1) of the GDPR). Furthermore, the personal data of candidates may fall within the special categories of data in Article 9 of the GDPR. The processing of such special data is prohibited; it includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, the processing of genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation (Article 9 of the GDPR).
In practice, many recruiters collect this kind of information about candidates. So how can they process it lawfully? The prohibition does not apply when the data subject has given explicit consent to the processing of those personal data for one or more specified purposes. Alternatively, the recruiter can show that the processing is necessary for carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment and social security and social protection law, or that the processing is necessary to protect the vital interests of the candidate where he or she is physically or legally incapable of giving consent (Article 9(2) of the GDPR).
At the same time, the GDPR lists the operations that count as processing of personal data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the GDPR). Therefore, when a candidate applies for a job, both the employer advertising the job and any third-party recruitment agency may be considered either a controller or a processor of the candidate’s data, depending on the specific circumstances.
The GDPR defines both the “controller” and the “processor” of personal data. Under these definitions, the controller is the natural or legal person that determines the purposes and means of the processing of personal data, while the processor processes personal data on the controller’s behalf (Articles 4(7) and 4(8) of the GDPR). A recruiter can therefore be either a controller or a processor within the meaning of the GDPR. In most cases, the employer is considered the controller of the candidate’s data because it determines the purposes and means of processing, such as collecting, storing, and using the candidate’s data for the recruitment process. If the employer uses a third-party recruitment agency to assist with recruitment, the agency may be considered the processor of the candidate’s data: it processes the personal data on behalf of the employer, according to the employer’s instructions, and must comply with the GDPR’s requirements for processors. Note that in some cases the employer and the recruitment agency may be considered joint controllers of the candidate’s data.
Job candidates have a number of rights that allow them to control and protect their information: the right of access to their data and to specific information about how it is being processed (Article 15 of the GDPR); the right to rectification, which entitles data subjects to have inaccurate personal data corrected (Article 16 of the GDPR); the right to erasure (the “right to be forgotten”), which entitles data subjects to have their data erased in certain circumstances (Article 17 of the GDPR); and the right to data portability, which entitles data subjects to receive their data in a structured, commonly used, and machine-readable format and to transmit that data to another controller (Article 20 of the GDPR).
Responsibilities of Recruitment on Processing Personal Data of Candidates
Based on the regulations above, the processing of candidates’ personal data is a significant activity for which the employer or recruiter bears responsibility. They must respect candidates’ rights to access, rectify, erase, and restrict the processing of their data. In addition, the following responsibilities must be taken into consideration:
Firstly, recruitment agencies and employers must obtain explicit and informed consent from candidates before collecting, processing, or transferring their data. Candidates must be fully informed about the purposes for which their data will be used and must give clear consent to that use. In addition, the processing of job candidates’ data must be carried out lawfully, fairly, and transparently (Article 5(1)(a)(b) of the GDPR).
Secondly, under the principle of data minimization, personal data must be processed only to the extent necessary to achieve the specified purposes. Recruitment agencies and employers must also take reasonable steps to ensure that job candidates’ data is accurate and, where necessary, kept up to date (Article 5(1)(c)(d) of the GDPR).
Thirdly, they must take limits on the storage period into account. Recruitment agencies and employers must not keep job candidates’ data for longer than is necessary for the specified purposes (Article 5(1)(e) of the GDPR). This rule affects the storage of data of candidates who apply but are not selected. According to paragraph 13.2 of Recommendation CM/Rec(2015)5 of the Committee of Ministers of the Council of Europe: “Personal data submitted in support of a job application should normally be deleted as soon as it becomes clear that an offer of employment will not be made or is not accepted by the job applicant. Where such data are stored with a view to a further job opportunity, the data subject should be informed accordingly, and the data should be deleted if he or she so requests”. For this reason, many recruiters ask candidates whether their data may be stored for further job opportunities.
Fourthly, they must implement appropriate technical and organizational measures to ensure the security of job candidates’ data (Article 5(1)(f) of the GDPR). Meeting this security requirement means providing appropriate access controls, encryption, and other security measures to prevent unauthorized access to personal data.
Fifthly, they are also bound by the accountability principle set out in Article 5(2) of the GDPR: they must comply with the GDPR’s requirements for processing personal data and maintain records of their processing activities. They may also be required to conduct Data Protection Impact Assessments (DPIAs) to assess the potential impact of the processing on the rights and freedoms of candidates. This may be necessary where the processing involves high-risk activities, such as large-scale processing of sensitive personal data or the use of new technologies.
Finally, if they want to transfer personal data to a third country or an international organization, the transfer may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection; such a transfer does not require any specific authorization (Article 45(1) of the GDPR). In the absence of an adequacy decision under Article 45(3), personal data may be transferred to a third country or an international organization only if the controller or processor has provided appropriate safeguards and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available (Article 46(1) of the GDPR). As noted above under the accountability principle, when transferring data it is imperative to ensure that the data remains under appropriate safeguards as required by the GDPR.
Under Article 83(5), infringements of the basic principles for processing personal data can be subject to administrative fines of up to 20,000,000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. With this awareness of the need to uphold the rights of job applicants by protecting their personal data, employers are expected to take appropriate measures to protect this special data and to respect candidates’ rights to access, rectify, erase, and restrict the processing of their personal data.
Article 29 Data Protection Working Party. (n.d.). Opinion 2/2017 on data processing at work (WP 249). https://ec.europa.eu/newsroom/article29/items/610169
Council of Europe. (2015). Recommendation CM/Rec(2015)5 of the Committee of Ministers to Member States on the processing of personal data in the context of employment.
Council of Europe. (n.d.). European Convention on Human Rights. https://www.echr.coe.int/documents/convention_eng.pdf
General Data Protection Regulation (GDPR) – Official Legal Text. (2022, September 27). https://gdpr-info.eu
United Nations. (n.d.). Universal Declaration of Human Rights. https://www.un.org/en/about-us/universal-declaration-of-human-rights
Cover image: Freepik. (2022, March 10). Hiring and recruitment concept job interview recruitment agency vector illustration [Illustration]. Retrieved from https://www.freepik.com/premium-vector/hiring-recruitment-concept-job-interview-recruitment-agency-vector-illustration_24440279.htm
Figure 1: IT Social. (n.d.). GDPR [Illustration]. Retrieved from https://itsocial.fr/wp-content/uploads/2018/01/iStock-903899986.jpg
Figure 2: Lasonde, J. (2019, March 1). How Can You Improve Your Recruiting Process with Activity Ratios? Bullhorn [Illustration]. Retrieved from https://www.bullhorn.com/blog/recruiting-process-activity-ratios/
Figure 3: ProjektPro. (2022, April 25). Digital archiving representation [Illustration]. Retrieved from https://www.projektpro.com/blog/digitale-archivierung
Figure 4: SkillCast. (n.d.). File transfer [Illustration]. Retrieved from https://www.skillcast.com/hubfs/filetransfer 1200x627.jpg