What do you need to know when you process job applicants’ data?
The employer, when making a decision about starting the recruitment or employment process, decides about the purposes and methods of personal data processing. Each employer is therefore a controller of personal data of both candidates for employment and employees and must fulfil the obligations provided for in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC – GDPR.
The employer must inform candidates of the purpose of data processing
GDPR imposes an information obligation on every entity collecting personal data. During the recruitment process, personal data contains a CV document, which is made available to potential employers in response to a job offer or outside the recruitment process. The latter situation quite often occurs in the transport industry, where employees are hired by recommendation or people interested in work deliver their applications directly to the company’s headquarters or send e-mails regarding their experience and preferred position.
From the perspective of GDPR, the way in which a potential employer receives personal data does not exempt him from the obligation to provide information. However, the source of the personal data collected influences the content of the information that should be made available to candidates for the job and when they should fulfil this obligation. However, it is up to the employer to determine all the methods of personal data collection permitted by the employer and to demonstrate that the information obligations have been properly fulfilled.
The employer shall indicate the moment of permanent deletion of the data
Determining the time of storage of personal data is one of the most difficult tasks for personal data controllers. The period of storing the data of the candidate for work should be adjusted to the principles of data processing and defined in advance by the controller.
As a rule, the employer should permanently delete the personal data of the candidate (e.g. through destruction) with whom the employer has decided not to enter into an employment contract. Therefore, it should take place immediately after the recruitment process, i.e. after signing the employment contract with the newly hired employee, unless the candidate has agreed to participate in recruitments organised in the future.
Such a position may raise the doubts of many entrepreneurs because if the employer will be obliged to permanently delete the data of candidates after the recruitment process is over, how will he be able to defend himself against the allegation of discrimination? This legal problem has been described in detail in the legal clarification of 23 January 2019 issued by the Minister of Digitisation. The period for which the employer is entitled to store the data of candidates for work indicated in the document is not, however, which will carry out inspections.
The obligation to delete data applies to information received by the employer in both paper and electronic form. This requires control over the sources of data acquisition as well.
The employer is obliged to check whether he needs all the data
The scope of data that the employer may request from an applicant for employment is listed in the national Labour Code of a given country. It often happens that a candidate for a job provides on his/her own initiative more data than indicated in the Labour Code. In such a situation, unless such data belong to a specific category (so-called sensitive data such as racial origin, political opinions, data concerning health or religious beliefs), such data are processed by the potential employer on the basis of consent. Consent may consist in a statement or behaviour which clearly indicates in the context that the data subject has accepted the processing of their personal data in this regard.
During the recruitment process, however, it may happen that a candidate, on his/her own initiative, informs a potential employer about his/her health condition. If a candidate for a job does not consent separately to the processing of such personal data, and the employer does not have a provision of law, which implies the obligation to collect such data, the employer should remove such data from its resources.
In quite a few cases in transport companies, the driver’s personal file still contains a certificate of no criminal record. The certificate of no conviction is a document containing data on convictions, prohibited acts or related security measures contained in the National Criminal Register of a country, the functioning of which is regulated by each country differently.
For example, in Poland, it is regulated by the Article 6(1)(10) of the KRK Act, which states that employers have the right to obtain information on persons whose personal data have been collected in the register to the extent necessary to employ an employee who is required by the Act not to be convicted of any criminal offence, to exercise full public rights, as well as to establish the right to hold a specific position, perform a specific profession or conduct a specific business activity.
Any carrier who collects certificates of no conviction from drivers should, therefore, indicate, in the event of a check, the legal basis on which he is entitled to do so.
Real changes needed
Proper implementation of the requirements of GDPR and building a system of personal data protection requires that entrepreneurs introduce real changes in their organisations. However, the work on the protection of personal data should not only aim at avoiding financial penalties for infringements. On the other hand, it is known that they have a very motivating effect. We know from experience that it takes time to put in place rules to enable legal obligations to be properly fulfilled, which confirms that if it is to be good and cheap, it will not be quick.
Photo: Niek Verlaan/ Pixabay