During a job application process, you collect a lot of information about applicants in your search for the best candidate for the job. Job application data includes not only information gathered via application letters, CVs and notes you make during job interviews, but also the results from an assessment, psychological test or medical check-up.
Such job application data is personal data. Hence, these data fall under the Personal Data Protection Act and - since 25 May 2018 - under the new GDPR legislation, which lays down stricter rules for the privacy of individuals than the current Personal Data Protection Act.
Are you planning to recruit new employees soon? If so, please take a moment to go through the questions and answers below.
Yes. Under the new legislation, as an employer you are legally obliged - since you ‘process’ personal data - to clearly inform new and existing business relations about what you do with their personal data. Job applicants also fall within this group of ‘business relations’. The best way to fulfil your obligation is to place an online privacy statement on your company website. In this statement, you must declare the purpose for which you process personal data.
You may do this only if you, as an employer, have a legitimate reason to take the applicant’s online information into account during the job application process. For example, you may need to this because the information is important for the position that the person is applying for.
It is advisable to only consult social media that is intended to make someone’s competences known, e.g. LinkedIn or Twitter if someone tweets a lot about his or her field of expertise. Please note that the transparency principle remains applicable. It is recommended that you declare this in your privacy statement and also mention that social media may be checked for professional reasons.
You may retain the CV in order to assess the person’s suitability for an existing or future position. However, you may do this only if you have informed the applicant of this in advance, e.g. via the privacy statement. Please note: you may only process data that is relevant to the purpose for which it will be used, i.e. in this case, for the purpose of the application. You may also keep any notes you have made. But the general rule applicable to all personal data is that these data may be retained only for as long as necessary to fulfil the purposes for which they were collected. However, it is possible to request applicants for permission to store their data for a year. After a year, you may contact them again to request them to renew their consent and update their data.
Yes, that is possible. The current privacy legislation provides for the right to data rectification and removal: applicants may ask an organisation to remove objectively incorrect, incomplete data or irrelevant data.
The new GDPR legislation has further broadened the scope of this right by introducing the right to data erasure (i.e. the right to be forgotten). This means that an organisation is obliged, in certain cases, to remove a person’s personal data from its records if he or she requests this.