GDPR and Recruitment

Frequently Asked Questions

The General Data Protection Regulation (GDPR) will greatly impact the way companies recruit globally. We have answered some of the most urgent questions recruiters have about what this means for them and what they need to do now to prepare.


GDPR | Basic Information

Does the GDPR also govern the personal data of Non-EU citizens living in the EU?

Yes, the regulation applies to the processing of personal data of data subjects who are physically in the European Union.

Does the looming Brexit have any immediate effect on how companies in the UK must or need not be GDPR-compliant?

It is true that once Brexit is final, GDPR will not have any immediate authority in the UK. However, the Information Commissioner's Office (ICO), the British data protection authority, is working on legislation referencing the GDPR, making it very likely that companies within the UK will still be under this legislation or a very similar one. Furthermore, you will almost certainly be receiving applications from EU citizens, making it critical for your business to be GDPR-compliant.

Is the GDPR valid for all data obtained and processed after May 25, 2018, or does it also impact the data I already own, i.e. in my existing talent pools?

If you have consent from your candidates that can be considered valid under the GDPR, you are allowed to keep this data. We advise you to err on the side of caution: obtain consent from all your existing candidates, if possible, and delete any data that, for whatever reason, you do not have the right to process.

Consent

Can a candidate give consent by including a note in their CV or application letter, stating that they agree to have their data stored and processed?

The issue here is that the candidate does not know how you will process their data, i.e. they don't know where you will store the data, with whom you will share the data, who will get access to the data, and so on. Therefore, such a statement is only valid if the candidate actually knows about your data processing. Example: if a candidate includes a signed note with the URL of the privacy policy and explicitly states when he/she has seen it and consented to it, this will be considered legitimate consent.

What shape or form does consent need to take - a signed document, a verbal agreement?

Where the processing is based on consent, you shall be "able to demonstrate that the data subject has consented to processing of his or her personal data". So a written declaration is highly recommended.

Do I need to make explicit while obtaining consent how I will process the candidate data?

Yes, you do need to be clear and transparent.

How do I obtain consent when I am not using an ATS?

This is a challenge, as you need to be able to prove that you obtained the consent. Written documentation signed by the candidate will therefore be needed.

While obtaining consent from a candidate, do I have to communicate with him or her in a specified language, i.e. their national language?

There is no provision in the GDPR obliging you to localise your privacy policy. However, the candidate needs to understand exactly what you mean. While almost anybody understands English, it can be beneficial to translate your privacy policy into local languages to make sure that the consent you obtain is valid. It is also advisable to use simple language that is easy to understand for candidates who aren't lawyers.

How do you obtain consent from candidates who hand you their CVs or apply directly at a job fair?

You will need to find a process to document their consent. For example, make sure that you have a standard form signed by each of them, keep this form in your files, delete this data once the candidate requests deletion, etc. Using a technology solution like the SmartRecruiters Field Recruiting App will support your efforts to be compliant.

How specific do I need to be when stating the purpose of obtaining and processing my candidate data within my privacy policy?

The candidate needs to have accurate information. You need to state for which purpose you will use the data, who will get access to the information (listing internal and third parties), explain the rights of the candidates, who they can contact if they have complaints, etc.

How do I comply with GDPR rules for employee referrals, seeing as referrals rarely give their consent before being approached?

If you approach an individual, you should make sure that you have a legitimate interest (i.e. a job offer). If so, you must obtain written consent from the candidate and allow the candidate to approve your privacy policy. Once consent is obtained, you can process further.

Consent | Application

If a candidate applies via an ATS does this constitute consent?

Depending on your ATS, it might. If your ATS is set up in a specific way that helps it obtain and store consent, applying to a job will constitute consent. We advise that you refer to your ATS provider to make sure that they obtain consent in a GDPR-compliant way.

If a candidate responds to a sent message does this constitute consent?

No, it doesn't. In order to be able to store and process candidate data you need to obtain explicit consent from these candidates, meaning you will have to enter them into a process to provably obtain consent for further action.

If giving consent to data processing is a necessary condition for being allowed to apply to my job, does this constitute discrimination?

Under GDPR the consent is the first step to process the personal data of the candidate. Therefore, if you need to process the candidate's data, you need to get his or her consent.

If an applicant sends an email or a letter containing their application, does this imply consent to store and process their data?

No, it doesn't. In order to be able to store and process candidate data you received via email or letter you need to obtain consent from these candidates, meaning you will have to enter them into a process to provably obtain consent for further action.

Am I still allowed to accept applications via letter or email?

Yes, you are. However, in order to be able to store and process this data you need to obtain consent from these candidates, meaning you will have to enter them into a process to provably obtain consent for further action.

How do I obtain consent from candidates who apply through an advertisement on a job board?

As the data controller (future employer), you are responsible for obtaining consent. You will have to enter them into a process to provably obtain consent for further action. However, the job boards should be GDPR compliant as well. We urge you to review the terms of use and data privacy of the job boards.

How do I obtain consent from candidates who apply through my own careers page?

The consent of the candidates should be obtained. For example, you will have to build a check box proving that the candidate has read the privacy policy. By checking this box, the candidate gives his/her consent. The candidate should not go further in the process without consent.

Consent | Active Sourcing

Will active sourcing stay possible under the GDPR?

Yes, it will, but there are a few conditions to look out for. As a lawful basis for approaching a candidate you can claim that you have a so-called "legitimate interest" in growing your business by approaching a talent for a role, and that the candidate has a "legitimate interest" in being approached by you. Nevertheless, immediately after initiating contact you have to ask that candidate for their consent to you obtaining and processing their personal data.

In order to track passive candidates, am I allowed to store candidate data in my ATS before I get their consent?

Strictly speaking, no. However, to be pragmatic, you can claim "legitimate" interest when approaching them and immediately ask their consent for further data processing.

How do I ask passive candidates, for example on LinkedIn, for consent?

As a lawful basis for approaching a candidate you can claim that you have a so-called "legitimate interest" in growing your business by approaching a talent for a role, and that the candidate has a "legitimate interest" in being approached by you. Nevertheless, immediately after initiating contact you have to ask that candidate for their consent to you obtaining and processing their personal data.

Do I need to ask candidates for consent that have set their public profiles to display that they are actively looking for job opportunities?

Yes.

Is it permissible to approach candidates whose profiles you found using a search engine?

Yes, if it is a public profile with a business background, making it permissible to assume "legitimate interest" when contacting a potential candidate.

If I contact a candidate about a job opportunity, does this opportunity need to be publicly advertised before I approach them?

No, not necessarily. The key thing is that you have a legitimate interest to contact them, i.e. you have a real job opportunity.

If a candidate accepts my request to connect on a business network, making their contact information visible, am I allowed to contact them?

In line with GDPR's principles, you have the right to contact them if you have a legitimate interest, i.e. a job opportunity. Furthermore, you shall get their consent and inform them of how you will process their personal data.

Is it still permissible to use sourcing tools that reveal candidates' personal email addresses or phone numbers?

So far, it is still permissible. However, you need to have a legitimate interest to contact them, i.e. a job opportunity, and you shall get their consent and inform them of how you will process the data. We encourage you to check the terms of use of such tools.

Is it permissible to store data that is publicly available, for example on a company's home page?

No.

Will I still be able to export candidate profiles from LinkedIn into my ATS?

In line with GDPR's principles, you will need to make sure that you have the right to export such profiles (please check the terms of use that you have with such providers). Furthermore, you need to have a legitimate interest to export such data (i.e. a job opportunity) and you need to get the individual's consent.

Is it permissible to store data of actively sourced candidates in an Excel sheet?

Yes, provided that you have a legitimate interest for each sourced candidate (i.e. a job opportunity) and you make sure that you have documented the consent for each of them.

Candidate Rights

Right to Access Data

How can I make sure that candidates can access their data?

There are two ways to allow candidates access to their own data:

1) By appointing a designated contact for any candidate requests and sharing their contact information. Candidate requests to access, amend or erase their data need to be honoured within a narrow time frame, and compliance must be documented.

2) By employing an ATS or CRM that allows candidates to log into their profiles and make any necessary adjustments themselves. This option has the added bonus of making it easy to retain and log any changes that occur.

Right to Be Forgotten (Erase)

If a candidate states that they are not interested in a job opportunity, am I still able to keep their name in my database?

Yes, if the candidate gives you the authorisation to keep the name in your database. You shall inform the candidate what you will do with the data after rejection.

If I approach a candidate who I actively sourced, but they do not want their data stored and are not interested in the role, how do I then ensure that I or my colleagues do not contact them again?

You shall make sure that this information is spread across your organisation. Your process shall guarantee treatment in line with the candidate's request. To be strict, you should talk personally to every employee, making sure the data is deleted. As this is quite hard to achieve, it is advisable to ask for consent to keep the contact information in order to document the opt-out.

Requests from Candidates

When appointing a contact for candidate requests regarding their data, what contact data needs to be shared exactly?

You shall at least share a direct email address and a postal address.

Data Processing

Is it permissible to store candidate data on personal laptops, for example by hiring managers?

You need to make sure that the candidate knows about such storage.

Is it permissible to share candidate data with my colleagues who will take part in job interviews?

You need to clearly state within your privacy policy with whom you will share the candidates' personal data. If you have specified within your privacy policy that you will share this data with colleagues who are direct participants in the hiring process, such as the hiring manager, a future superior or a future colleague, this is permissible. You do not have to personally name these colleagues.

Do candidates need to be made aware of the fact that their data has been shared, for example with the hiring manager?

If you have specified within your privacy policy that you will share their data with employees who are directly involved in the hiring process, you do not have to make the candidate aware of every person you share their data with. However, if you want to share their data with an external vendor who is not named within your privacy policy, for example to run an assessment test, you need to obtain consent.

How long am I allowed to store candidate data?

Interpreting the GDPR in a very strict sense, you are only allowed to keep candidate data for as long as it serves the purpose you named when obtaining it. Once that purpose disappears, you are obliged to erase the data. However, it is up to you how you phrase that purpose. For example, stating that you will keep the candidate data "as long as a candidate is interested in positions within your organisation" gives you some leeway on how long you will be able to keep the data. In this case, you have to be able to prove that this candidate is, in fact, interested in staying within your talent pool.

Am I allowed to ask candidates to renew their consent to retain their data?

Yes, you are. If you have consent to store and process your candidates' data and they have not explicitly banned you from contacting them, you may approach them to renew their consent in your data processing activities.

Is there a maximum limit for how long I am allowed to store candidate data?

You should check the local legislation applicable to such cases. SmartRecruiters offers a Global Compliance Center, making it easy to adjust data retention policies for each use case.

Third party vendors

When you receive applicant data from recruitment agencies, is there a need for a data processing agreement between the recruitment agency and your own company?

Yes, there is a need for a so-called Data Processing Agreement (DPA).

Is there an official GDPR seal of quality for compliant vendors?

As yet, there is no seal for GDPR compliance. The regulation does include the possibility of official certification, granted either by the national data protection authority or by a competent private data protection body. No accreditation of such a seal has taken place yet, pending specification of the accreditation criteria.

Who is responsible for GDPR-compliance when sourcing candidates via job boards?

The data controller (future employer) is responsible. However, the job boards need to be GDPR compliant as well. We urge you to review the terms of use and data privacy of the job boards.

Who is responsible for GDPR-compliance when sourcing candidates via CV databases?

Generally speaking, if the database is hosting candidate profiles, it is their responsibility, as they are the data controller, to make sure that they are GDPR-compliant and have obtained the necessary consent to share the candidate profiles with you. However, as you will become the data controller once the candidate profiles are duplicated within your systems, it is certainly advisable to check back with your vendors on their efforts to become compliant.

Documentation

How do you prove which version of the Data Privacy Policy the candidate accepted?

Our solution allows you to add the date of the version that the candidate will accept. The candidate therefore accepts the version in force on the day of his or her consent. As far as SmartRecruiters is concerned, we archive our privacy statements ("Privacy policy") so it is possible to find the version accepted for the candidate. In addition, if the client has added a link to their own privacy policy, it is the client's responsibility to keep a copy of these declarations in order to keep track of them.

Who controls whether or not candidate data is truly deleted from our systems?

In the case of an audit, you need to be able to prove that you have complied with your candidates' requests to delete their data. Our suggestion is to appoint a Data Protection Officer (DPO) within your company, who would be tasked with running internal audits and ensuring GDPR compliance.
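The answers above (the careers-page consent checkbox, documenting an opt-out, proving which privacy-policy version a candidate accepted, and proving that a deletion request was honoured) all come down to keeping a tamper-evident consent record. The following Python sketch is an added example, not SmartRecruiters' code: it is a hypothetical in-memory consent ledger that archives each policy version with a SHA-256 digest, stores the digest alongside every consent, pseudonymises candidate ids in the audit log with a keyed HMAC, keeps a minimal do-not-contact list when a candidate asks to be forgotten, and expires consent after a retention period. All names, the retention period and the sample candidates are constructed for illustration.

```python
"""Hypothetical consent ledger for a recruiting system (added example, not
SmartRecruiters code). Shows how to prove which policy version a candidate
accepted, document erasure and opt-outs, and expire stale consent."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class PolicyVersion:
    version: str          # label shown to the candidate, e.g. "2018-05-25"
    text: str             # full archived wording, so the accepted text can be reproduced
    digest: str = ""      # SHA-256 of the text, computed below

    def __post_init__(self):
        self.digest = hashlib.sha256(self.text.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    candidate_id: str
    email: str
    policy_version: str
    policy_digest: str    # pins the exact wording, not just the version label
    given_at: datetime
    method: str           # e.g. "careers-page checkbox", "signed form at job fair"


@dataclass
class ConsentLedger:
    retention: timedelta  # how long consent is treated as valid without renewal
    pepper: bytes         # secret for pseudonymising ids in the audit log
    policies: dict = field(default_factory=dict)
    consents: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)     # (event, pseudonym, when, version)
    do_not_contact: set = field(default_factory=set)  # opt-outs kept after erasure

    def publish_policy(self, version, text):
        self.policies[version] = PolicyVersion(version, text)

    def record_consent(self, candidate_id, email, version, given_at, method):
        policy = self.policies.get(version)
        if policy is None:  # refuse consent against a draft or unpublished policy
            raise ValueError(f"unknown policy version {version!r}")
        rec = ConsentRecord(candidate_id, email, version, policy.digest, given_at, method)
        self.consents[candidate_id] = rec
        self.audit_log.append(("consent", self._pseudonym(candidate_id), given_at, version))
        return rec

    def proof_of_consent(self, candidate_id):
        """Evidence for an audit: version, digest, timestamp and capture method."""
        rec = self.consents[candidate_id]
        if self.policies[rec.policy_version].digest != rec.policy_digest:
            raise RuntimeError("archived policy text no longer matches what was accepted")
        return {"version": rec.policy_version, "digest": rec.policy_digest,
                "given_at": rec.given_at.isoformat(), "method": rec.method}

    def erase(self, candidate_id, requested_at, keep_opt_out=False, reason="erased"):
        """Drop personal data; keep only a pseudonymous audit entry (and the opt-out)."""
        rec = self.consents.pop(candidate_id, None)
        if rec is None:
            return False
        if keep_opt_out:
            self.do_not_contact.add(rec.email.lower())
        self.audit_log.append((reason, self._pseudonym(candidate_id), requested_at, rec.policy_version))
        return True

    def may_contact(self, email):
        return email.lower() not in self.do_not_contact

    def expire(self, now):
        """Erase every record whose consent is older than the retention period."""
        stale = [cid for cid, rec in self.consents.items() if now - rec.given_at > self.retention]
        for cid in stale:
            self.erase(cid, now, reason="expired")
        return stale

    def _pseudonym(self, candidate_id):
        return hmac.new(self.pepper, candidate_id.encode(), hashlib.sha256).hexdigest()[:16]


def demo():
    """Walk constructed candidates through consent, proof, erasure and expiry."""
    ledger = ConsentLedger(retention=timedelta(days=365), pepper=b"hypothetical-secret")
    ledger.publish_policy("2018-05-25", "Constructed policy text: we store your CV for 12 months.")
    t0 = datetime(2018, 6, 1, tzinfo=timezone.utc)
    ledger.record_consent("cand-1", "Ann@example.com", "2018-05-25", t0, "careers-page checkbox")
    ledger.record_consent("cand-2", "bob@example.com", "2018-05-25", t0, "signed form at job fair")
    proof = ledger.proof_of_consent("cand-1")
    try:
        ledger.record_consent("cand-3", "c@example.com", "draft-v9", t0, "checkbox")
        unknown_rejected = False
    except ValueError:
        unknown_rejected = True
    erased = ledger.erase("cand-1", t0 + timedelta(days=30), keep_opt_out=True)
    expired = ledger.expire(t0 + timedelta(days=400))
    return {"proof": proof, "unknown_rejected": unknown_rejected, "erased": erased,
            "can_contact_ann": ledger.may_contact("ann@example.com"), "expired": expired,
            "remaining": sorted(ledger.consents),
            "audit_events": [event for event, *_ in ledger.audit_log]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design choice worth noting is that the consent record stores the digest of the policy text, not only its version label: if someone later edits an archived policy in place, `proof_of_consent` detects the mismatch instead of silently presenting the wrong wording to an auditor. Erasure removes the email and other personal data but leaves a keyed pseudonym in the audit log, which is enough to show that the request was honoured without retaining the data the candidate asked you to delete.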

Is your recruiting data GDPR compliant?

Download our SmartPaper for an in-depth overview of the GDPR and its potential impact on your recruiting data.

You’ll also learn:

  • What is the GDPR and who does it impact?
  • How is compliance demonstrated?
  • What are the specific obligations for data processing?

At SmartRecruiters, we believe hiring is success, which starts and ends with great people.

And while helping our customers propel their businesses forward by connecting with great talent, we also assist in protecting the data that is generated from your hiring activities. We are committed to helping our customers meet compliance objectives wherever their hiring activities take place.
