Complete guide: applying GDPR in recruitment & direct search
About the guide: GDPR in recruitment
This guide on the processing of candidates’ personal data during recruitment processes is a collection of answers to the questions recruiters most frequently ask about GDPR in recruitment.
The guide was created from the experience of recruitment practitioners and of lawyers specializing in personal data protection. The issues it addresses were also discussed during webinars conducted jointly with lawyers and GDPR experts.
GDPR in recruitment – key terms
Processing of personal data – any operation performed on personal data, such as recording, copying, editing, storing or sending it, regardless of where the data is located (e.g., in a notebook, an Excel sheet, a recruitment system, on LinkedIn or on a mobile phone).
Legal basis for the processing of personal data – in recruitment, personal data can be processed provided that one of the following three grounds is present:
- Consent of the person whose data is processed. This is the most straightforward situation: the candidate has, directly or through their actions, given consent for their data to be processed.
- Legitimate interest (sometimes called “legal interest” in this guide; the GDPR term is legitimate interest) – a situation in which, because of a legitimate interest of the employer, the entity may process personal data without consent.
- Legal obligation – a situation in which the law, such as the Labor Code, authorizes or requires the processing of personal data.
To dispel any doubts: one of the above grounds is enough to process personal data lawfully. It is nevertheless advisable to consult a lawyer or data protection expert to confirm that a given processing operation is compliant.
GDPR in recruitment: Frequently Asked Questions
Can a candidate's personal data be processed without their consent?
Yes, a candidate’s personal data can be processed without their consent, provided there is a legitimate interest or a legal obligation.
It is also important to note that a candidate’s consent can be expressed through their actions, which confirm their interest in participating in the recruitment process. This primarily includes actions such as sending a CV, scheduling an interview, or conducting a recruitment conversation via LinkedIn messages. Such actions can be interpreted as consent to participate in the recruitment process, which allows the company to process the candidate’s personal data, for example by adding the candidate to the applicant tracking system or database.
Are there any other requirements, besides the three legal bases, that an employer must fulfill to process a candidate's personal data?
Yes, there is.
Beyond having a legal basis for processing, the regulations impose an additional requirement: the duty to inform the candidate about how their data is processed. This is commonly referred to as the ‘information obligation’.
The information obligation requires the employer to provide the candidate with the information listed in Articles 13 and 14 of the GDPR (an EU regulation that applies directly in Poland). This primarily includes the identity of the entity processing the personal data and the principles governing the processing (purposes, legal basis, retention period, the candidate’s rights, and so on).
A recommended practice is to prepare a ‘Data Processing Information’ document containing all the elements specified in Articles 13 and 14 of the GDPR. Providing this document to candidates fulfills the information obligation.
When is it necessary to fulfill the obligation to inform?
The obligation to inform should be met as soon as processing of the candidate’s personal data begins. What does this look like in practice? Here are a few scenarios:
If you are conversing with a candidate on LinkedIn but are not yet storing their data outside the platform, the obligation to inform does not apply. Since their data is processed solely on LinkedIn, you as an employer do not possess their data. In this case only LinkedIn’s own regulations apply, which define who (LinkedIn) processes the data and under what conditions (as specified in its terms and conditions).
If you are communicating with candidates on LinkedIn and storing their data outside the platform (for example, in an ATS that supports sourcing/direct search, such as the Element ATS), you are required to fulfill the obligation to inform, i.e. provide them with the information indicated in Articles 13 and 14 of the GDPR. Additionally, there must be a legal basis for the processing (such as the candidate’s consent or a legitimate interest).
If a candidate has submitted their CV in response to a job ad, it is advisable to include a statement in the application form in which the candidate confirms having read the data processing information, and to include that information in the form or link to it from the form.
Is it permissible to provide the obligation to inform via a hyperlink, or must the candidate receive the full content of the obligation immediately?
A hyperlink is permissible; it is not necessary to include the full content of the information on the application form or within the message to the candidate. It is sufficient to provide the candidate with a link to a webpage that contains all the legally required information, or a link to a document (for example, a PDF) that can be displayed, downloaded, and read at their convenience.
Is it acceptable to send a link to the obligation to inform in a LinkedIn message?
Yes, absolutely. The next section shows what such a message could look like.
Balancing GDPR compliance and candidate engagement in everyday recruitment communication
The law mandates compliance with the information obligation as soon as a candidate’s personal data is processed. This can be a challenge for recruiters who are still building a relationship with the candidate: every message, even every word, should foster that relationship, and introducing legal formalities early on can hinder trust-building.
Unfortunately, the law does not always align with the practical needs of recruiters, and there is no one-size-fits-all solution. Among the imperfect options, the following approach seems most effective:
- Initiate contact with the candidate on LinkedIn and engage in a conversation there.
- Add the candidate to your candidate list in your applicant tracking system, Excel, or any other tool used for sourcing or direct search activities. This action triggers the information obligation as it begins the processing of personal data outside LinkedIn.
- In response to one of the candidate’s messages, send a message like this: “I would like to keep in touch with you, and for this purpose, I’ll be saving your contact details. As per data protection regulations, I’m required to inform you about who will be storing your data and under what conditions. Therefore, I’m sending you a link to our data processing policy: [link] 🙂 Best regards, and let’s stay in touch :)”
This example demonstrates one way to integrate the information obligation into the conversation with the candidate. It is helpful to keep this or similar phrasing ready for copy-pasting. The link should lead to the document or webpage containing the data processing information.
An alternative scenario worth considering is when the candidate has already agreed to send their CV. In that case, it is best to ask the candidate to submit the CV through an application form (e.g., a form generated by the Element ATS) instead of sending it via LinkedIn message or email. This way, they can give their GDPR consent and read the data processing information at the same moment.
For more information on how to prepare consent on the application form, please refer to the later part of this guide. Here’s an example message to the candidate in the discussed scenario: “If possible, please submit your CV using the application link: [link]. This way, you will immediately appear in my recruitment system, and we will have your GDPR consents, saving you the need to add or manually send those consents anywhere 🙂”
Is the source of a candidate's data relevant? (LinkedIn vs Facebook and Other Platforms)
While it may initially appear that the source of a candidate’s data could matter, in reality the rules for processing personal data are the same regardless of the platform the data came from.
Whether the data is sourced from LinkedIn, Facebook, or any other platform, the following requirements must be met as soon as we store that data in our own resources, such as a recruitment system or a notebook:
- A legal basis for processing must be established. This can be one of the following: consent, legitimate interest, or legal obligation.
- The information obligation must be fulfilled.
The specific platform used for recruitment does not alter these requirements. The same principles apply whether the data is sourced from LinkedIn, Facebook, TikTok, or even Tinder; the law does not prescribe different procedures for different platforms.
How long can a candidate's personal data be processed?
The GDPR does not set a fixed time frame for processing a candidate’s personal data. Instead, it stipulates that personal data must not be kept for longer than is necessary for the purposes for which it is processed (the storage limitation principle).
The phrase “necessary for the purposes of processing” is open to interpretation and should be assessed case by case. A common practice treats a period of 14 days following the conclusion of the recruitment process (for administrative purposes) as an acceptable duration.
On September 10, 2022, a court ruling was issued that contradicts the decision of the President of the Personal Data Protection Office (UODO). This ruling suggests that an employer may retain a candidate’s CV for up to 3 years following the conclusion of the recruitment process. More details can be found in my article discussing this ruling.
In my view, which should be read as personal opinion rather than legal advice, processing remains necessary for as long as there is a realistic possibility of hiring the candidate. In the event of a legal dispute, it would be up to us to demonstrate that every candidate whose data we are processing is genuinely being considered for the position they applied for.
It is important to distinguish between a candidate’s consent to participate in a specific recruitment process and consent for future processes. For a specific process, the candidate’s personal data can be processed until the conclusion of that process and for a brief period thereafter (e.g., the 14 days mentioned above). However, if the recruitment is ongoing because we are continuously seeking candidates for a given position, the situation is more complex: a candidate who is not the first choice but is kept in the process as a backup has not received a final decision, so the process remains open for them. It is unclear how a court would assess processing of such a candidate’s data for an extended period, such as 12 months.
When it comes to consent for future recruitment processes, the GDPR does not provide specific guidelines. In my experience implementing the Element ATS in various companies, most companies apply 12- or 24-month terms for consent to future recruitment processes. Some companies, however, treat such consent as valid indefinitely until the candidate withdraws it. There is no universally accepted solution in this regard.
Can a single general consent for all recruitment processes be included in the application form for a specific job position, along with the data processing information?
No, this is not permissible in Poland. When a candidate applies for a specific job position through a particular job ad, it is not appropriate to require consent for future recruitment processes as a condition of applying. The best practice is to present the candidate with two separate consent checkboxes:
- Mandatory consent: for the specific recruitment process the candidate is applying for, with a link to the data processing information.
- Optional consent: for future recruitment processes. Here it is not necessary to repeat the information already provided with the first consent box, including the link to the data processing information.
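The retention and consent-scope rules above (a short grace period after a specific recruitment closes, a fixed validity period for optional future-recruitment consent, immediate effect of withdrawal) are easy to state and easy to get wrong in an ATS that never purges anything. The following is an added example, not code from this guide or from the Element ATS, of a retention check an ATS could run as a scheduled job. The 14-day grace period and the 12-month future-consent validity are assumed values taken from the discussion above; the record layout and the hypothetical candidate data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed retention parameters, taken from the guide's discussion. Adjust to
# whatever your own data processing information promises candidates.
POST_RECRUITMENT_GRACE = timedelta(days=14)     # keep after a specific process closes
FUTURE_CONSENT_VALIDITY = timedelta(days=365)   # validity of optional future-recruitment consent


@dataclass
class CandidateRecord:
    candidate_id: str
    consent_scope: str                   # "specific" (one job ad) or "future" (optional box)
    consent_given: date
    info_notice_delivered: bool          # Art. 13/14 information provided to the candidate
    consent_withdrawn: Optional[date] = None
    recruitment_closed: Optional[date] = None   # None while the specific process is still open


def retention_decision(rec: CandidateRecord, today: date) -> Tuple[str, str]:
    """Return (action, reason) where action is 'keep', 'delete' or 'review'."""
    if not rec.info_notice_delivered:
        # Data is being held without the information obligation having been met;
        # that is a compliance defect to escalate, not something to silently age out.
        return ("review", "information obligation not fulfilled")
    if rec.consent_withdrawn is not None and rec.consent_withdrawn <= today:
        return ("delete", "consent withdrawn")
    if rec.consent_scope == "specific":
        if rec.recruitment_closed is None:
            return ("keep", "specific recruitment still open")
        if today > rec.recruitment_closed + POST_RECRUITMENT_GRACE:
            return ("delete", "grace period after recruitment closed has elapsed")
        return ("keep", "within grace period after recruitment closed")
    if rec.consent_scope == "future":
        if today > rec.consent_given + FUTURE_CONSENT_VALIDITY:
            return ("delete", "future-recruitment consent expired")
        return ("keep", "future-recruitment consent still valid")
    raise ValueError(f"unknown consent scope: {rec.consent_scope!r}")


def records_to_delete(records: List[CandidateRecord], today: date) -> List[str]:
    """IDs of records whose retention basis has lapsed, in input order."""
    return [r.candidate_id for r in records if retention_decision(r, today)[0] == "delete"]


def records_to_review(records: List[CandidateRecord], today: date) -> List[str]:
    """IDs of records held without a fulfilled information obligation."""
    return [r.candidate_id for r in records if retention_decision(r, today)[0] == "review"]


# Constructed sample data for the example (no real candidates).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    CandidateRecord("c1", "specific", date(2024, 4, 1), True, recruitment_closed=date(2024, 5, 1)),
    CandidateRecord("c2", "specific", date(2024, 5, 1), True, recruitment_closed=date(2024, 5, 25)),
    CandidateRecord("c3", "specific", date(2024, 5, 1), True),                      # still open
    CandidateRecord("c4", "future", date(2023, 3, 1), True),                        # expired
    CandidateRecord("c5", "future", date(2024, 1, 10), True),                       # still valid
    CandidateRecord("c6", "future", date(2024, 1, 10), True, consent_withdrawn=date(2024, 5, 20)),
    CandidateRecord("c7", "specific", date(2024, 5, 1), False),                     # no notice given
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        action, reason = retention_decision(rec, SAMPLE_TODAY)
        print(f"{rec.candidate_id}: {action:6} ({reason})")
```

Run as a scheduled job, the "delete" list feeds the purge and the "review" list goes to whoever owns the data processing information; keeping the two apart matters because a record flagged for review should be fixed or deleted by a person, not left in place by a job that only knows how to age data out.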
Is consent for future recruitment processes mandatory?
Does submitting a CV imply consent for data processing?
Does implied consent apply to future recruitment processes?
Can personal data be processed without fulfilling the information obligation?
What's the difference between having fulfilled the information obligation without obtaining consent and having obtained explicit consent?
Should we renew consent for extended data processing period?
Is it necessary to always fulfill the information obligation when storing candidate data outside LinkedIn, even if the candidate's actions indicate interest in the recruitment process?
Is it permissible to share candidate data within the same organization and under entrustment agreements?
Are there any notable court cases related to the processing of job candidates' personal data?