GDPR headache coming to recruitment in 2018 – resolved by Krzysztof Dzioba of EY LAW
The Web has transformed how people look for jobs as well as the way companies recruit professionals. Candidates either fill out forms and willingly submit their personal information or are identified by recruiters based on the information they choose to share online. In some cases, the data of candidates involved in the hiring process get mishandled.
On 25 May 2018, a new privacy regulation addressing this issue comes into force. It’s called the General Data Protection Regulation (GDPR).
Although May 2018 may seem far away, there’s a lot that needs to be done so you need to start right away. The clock is ticking, but organizations are still far from ready. According to a 2017 study by TrustArc entitled “Privacy and the EU GDPR”, 61% of survey participants reported that they have not started the process of implementing the GDPR. To give you a better understanding of the GDPR and its implications on the recruitment process, we talk to Krzysztof Dzioba of Ernst & Young Law Tałasiewicz, Zakrzewska i Wspólnicy sp.k.
1. What is the General Data Protection Regulation (GDPR) and who does it apply to?
On May 4, 2016, after four years of tough negotiations, the GDPR has now been published in the Official Journal. The regulation is a game changer for all types of organizations. The final draft introduces more stringent and prescriptive data protection compliance challenges, backed by fines of up to 4% of global annual revenue. The Regulation will replace the Directive 95/46/EC, which has been the basis of European data protection law since it was introduced in 1995. The GDPR will enter into force in all EU on 25 May 2018 with no requirement of implementation by Member States.
The Regulation will have a significant impact on businesses in all industry sectors, bringing with it both positive and negative changes for business in terms of cost and effort. Organisations are likely to welcome the harmonization of laws across all member states which will make the complex data protection landscape easier to navigate for multinational organizations. The introduction of new rights for individuals, such as the Right to be Forgotten and the Right to Portability, as well as the introduction of mandatory breach notification, are likely to increase the regulatory burden for organizations.
Every company and some public institutions processing personal data (of clients, employees or contractors) is required to implement the GDPR.
What is most important, the GDPR does not require specific technical solutions regarding data protection. It states that such solutions should be adjusted to specific data and risk related to breach of personal data protection. Entities processing data will now have to prove that they assessed the risk and applied proper measures.
Data protection got much more complicated and became a living process, which needs to be monitored and developed constantly.
2. How does the GDPR affect the recruitment process and the work of recruiters compared to previous protection of personal data regulations?
In most cases, personal data of candidates and employees are protected based on separate acts of each Member State.
Due to article 88 of GDPR, the same rule will apply since May 2018. Member States were granted right to provide more specific rules regarding protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context. Therefore rules in that respect are yet to be established in each country. It is expected that differences might be quite significant, regarding e.g. biometrics or specific categories of personal data.
The GDPR on its end will add several new privileges to employees and candidates which might be additionally adjusted by national regulations.
There are also a few new rules regarding consent for data processing – which will be mentioned below.
3. How does the GDPR impact the first contact with the candidate? What type of consents are legally required?
Due to motive 32 of the GDPR, consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. Silence, pre-ticked boxes or inactivity should not constitute consent.
In consequence, in the recruitment process the employer should inform the candidate, among others, about:
- the purposes of personal data processing,
- the period during which they will be stored,
- recipients of data,
- the right to lodge a complaint to the supervisory body.
Formally, all candidates should be informed about data processing rules by the employer, either by document (attached or referred in job offer) or by stating required information in the first contact.
4. Are there any differences between processing personal data of an active candidate (who sent their CV) and a passive one (whose data was found on LinkedIn, GitHub, Twitter or Facebook)?
The employer should process the personal data of potential employees in accordance with the principles of reliability, purposefulness, adequacy, and temporality.
The employer should take into account the need to fulfill the information obligation towards the active candidate. The scope of information may vary depending on whether the CV will be obtained by the employer from a third party or directly from the candidate.
Processing data of passive candidate needs certain legal basis – like legitimate interest. Gathering information on social media has to be in relation to business purposes only. In other words, employers are only allowed to collect and process personal data of candidates as long as this data is necessary and relevant to the performance of the job.
Basically, the difference in treatment of candidates personal data results from legal basis of processing. Active candidate gives consent and passive candidates data are processed based on the employer’s legitimate interest. Initial contact with such candidate should, however, cover information obligations of the employer.
5. What counts as personal data under the GDPR?
According to the GDPR ‘personal data’ means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Basically, any information which might identify a certain person is personal data.
While a given information for a certain entity will function as personal data, it won’t do so another. Excessive costs or time to identify a certain person means that information might not be considered personal data.
6. Do candidates obtain any rights to protect their data gathered in the recruitment process? What are their rights?
Under the GDPR candidates will have more rights in the area of processing their data at the recruitment stage and the employer will have to ensure their implementation. For example, a candidate’s data can be processed on the basis of their voluntary and conscious expression of will. Consent cannot be presumed and users will have the right to withdraw it, but it must be an equally easy process as consent.
The GDPR, as stated above, implements rights which are not excluded from the recruitment process, for example:
- the right to be informed how personal data will be used,
- the right of access,
- the right to rectification of data that is inaccurate or incomplete,
- the right to be forgotten under certain circumstances,
- the right to block or suppress processing of personal data,
- the new right to data portability.
Member States might clarify how those rights might be executed by employees during the recruitment process.
7. How does the GDPR affect candidates who participate but don’t get selected? Can their data be lawfully stored and if so, to what extent?
Employers should not store candidates’ data (including CV) for a period longer than the duration of a given recruitment procedure.
As the European advisory body on the protection of personal data indicates – the Working Group art. 29 – in Opinion 2/2017 on data processing at work, stated that “data collected during the recruitment process should generally be deleted as soon as it becomes clear that an offer of employment will not be made or is not accepted by the individual concerned. The individual must also be correctly informed of any such processing before they engage in the recruitment process.”
Remember that personal data does not only relate to CVs. Information stored about candidates in the interview process also needs to be disposed of.
If employers would like to process such data for a longer period of time, e.g. for the purpose of subsequent recruitment, they should have an appropriate legal basis – like the candidate’s consent.
However, processing of data gathered in the recruitment process might last for a longer period of time – in case of legitimate interest (for example in order to defend against claims relating to discrimination). It should be strictly monitored, that in such case, data is not used for other recruitment processes or other purposes.
8. Can candidates lawfully demand their data obtained in the course of the recruitment to be deleted? Do they have the right to obtain their personal information?
Under the GDPR right to be forgotten, the candidate will be entitled to require demand from the employer to erase personal data about them in certain circumstances. It might happen when the employee has revoked consent.
The GDPR did not exclude the right to obtain their personal data from the recruitment process.
Additional rules or requirements in that respect might arise from each Member States acts.
9. How does the GDPR apply to using external tool (such as ATS) in the recruitment process? Which party is as treated as the data administrator and the data processor?
Depending on the type of services provided, data exchange between the employer and the recruitment service provider may take the form of a relationship between two administrators or an administrator and a person processing personal data on request.
The answer to the question which model is valid in each case requires analysis of contracts concluded with such partners. For example, a recruitment agency might transfer only basic information about the candidate to the employer (e.g. experience and education and not identification data) and therefore not transfer personal data. In such case, the employer will not be in my opinion considered data controller or even processor.
10. Are any additional consents legally required after the candidate is hired? Do new hires require any training regarding systems used in the organization and data protection in these systems?
In most cases, the exact catalogue of personal data required for an employment contract is regulated by acts of each Member State. No consent is required if labour law, tax law or any other general provisions require processing certain personal data.
It is advised that employers should only process data which does not require employees’ consent. Why?
First, due to the GDPR, as stated above, any consent should be granted freely, without compulsion. In every relation, the employer is addressing the employee from the position of strength. Therefore, it is significantly harder to prove that the employee could simply deny or revoke their consent for personal data processing, e.g. their image for marketing or integration purposes.
Of course, some of the employee benefits (e.g. company car, health care) might be in relation to data processing. However such consent might be revoked at any time and data should be processed only for a time period that is required for such purpose.
11. How does the GDPR apply to employee dismissal? Do employers have any obligations which need to be fulfilled?
Firstly, as stated above, if employees’ consent is the only legal basis for processing personal data – the employee might revoke consent at the moment of dismissal. In consequence, all such data should be erased from the employer’s systems.
If the basis for data processing is defined in a certain act (regarding labour law, social security, tax), the employer is still required to store that data after termination of the employment contract.
Other regulations and requirements might be imposed on employers in acts of each Member State.
12. In the case of data transfers outside the EU, who is legally bound to protect the data and ensure all procedures are in agreement with the GDPR?
The employer determines the purposes and means of processing of personal data of employees. Therefore, it should be considered a controller as stated in article 4.7 of GDPR. The controller is held accountable in case of any breach of data protection.
Due to the accountability rule, failure to exercise due diligence of a third country entity of will be borne by the employer. In consequence, the employer has to make sure that the third country entity has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available – due to article 46.1 of GDPR.
Of course, if the employer will suffer financial consequences due to misconduct of contract by the third country entity – it might assert its rights in court and demand compensation.
13. What are the consequences of non-compliance with the GDPR?
Firstly, the obvious and well-known financial consequences (penalties up to 20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher). Secondly, civil claims from data subjects. And finally,– significant marketing damage.