During your recruitment process it is essential that you handle job applicant data in accordance with the strict new rules under the GDPR. The GDPR imposes certain requirements on transparency about the processing and on communication with the job applicant.
This can be communicated in a privacy statement tailored specifically for job applicants.
Which requirements need to be met by a privacy statement?
A privacy statement must have the following characteristics:
• easy to understand
• easy to access
These requirements should ensure that the candidate knows exactly where he or she stands with regard to the protection of his or her data.
Additional and more specific requirements may apply, depending on the way data is being collected:
• Direct data collection is when the candidate enters the data himself or herself, for example via an application form.
• Indirect data collection is when a recruiter takes data, for example, from a candidate’s LinkedIn profile.
Direct processing of personal data
When data is being collected directly from the candidate, the privacy statement needs to be provided before or at the moment the data is being transferred. You can manage this by inserting a link to the privacy statement in the application form.
The privacy statement should at least contain the following information:
• the data processor’s identity and contact information
• the goal and legal foundation for the processing
• the data processor’s legitimate interest
• the possible recipients (or categories of recipients) of the personal data
• information regarding the forwarding of personal data to a third country (outside the EU), if that’s the case
• the storage period or the criteria that are being used to determine the storage period
• the person concerned needs to be informed about his/her rights
• the person concerned needs to be informed about his/her right to withdraw his/her approval for the processing of data
• the person concerned needs to be informed that he/she has the right to file a complaint
• it needs to be declared if automated decisions will be made
Indirect processing of personal data
If data is collected indirectly, for example via LinkedIn, the same requirements as illustrated above apply. Additionally, it needs to be indicated which types (categories) of data were processed and which source has been used.
If the personal data is being processed with the goal of communicating with the person concerned, this information needs to be provided at the moment of the first contact.
Also, if the personal data is being forwarded to third parties, the person concerned needs to be informed, at the latest when the data is being shared with third parties.
Identity and contact information
Both the identity and the contact information of the person who is in charge of the data processing need to be stated in the privacy statement.
Legal basis of the processing
In order to process personal data, there needs to be a legal basis for the processing. The following requirements need to be fulfilled:
• the person concerned has given their approval for the data processing
• the processing is necessary for the execution of a contract
• the processing is necessary for the data processor’s compliance with legal obligations
• the processing is needed for the protection of the parties’ vital interests
• the processing is necessary for the execution of a task
• the processing is necessary to comply with the legitimate interests of the person in charge of the processing
Personal data may not be stored any longer than necessary for the purpose for which it was collected. In general, data collected during the recruitment process should be deleted as soon as it becomes clear that the candidate won’t be hired.
If you want to store the candidate’s data for future offers, you need to inform them beforehand and be ready to delete it if they change their mind.
If you would like a privacy statement for the purposes of recruitment, please email me at firstname.lastname@example.org or call me on 07917 878384.