A lot has already been written about the new data protection basic regulation. From May 25, 2018, the General Data Protection Regulation GDPR will come into force and regulate the handling of personal data in a binding manner for companies and organizations of all sizes. The new data protection basic regulation thus has a direct influence on recruitment. It sets limits and standards for the processing of applicant data (i.e. collection, recording, organisation, order, storage, adaptation or modification,

retrieval, querying, use, disclosure by transmission, dissemination or any other form of provision, comparison, linking and limitation, deletion or destruction).

An important key point is that the data subject (applicant) has given his/her consent to the processing of his/her personal data for one or more specific purposes.

In practice, this means that

  • the applicant must be informed, at or immediately after submission of his/her application, of what should and should not be done with his/her data,
  • he/she must actively give his/her consent to the processing / storage of his/her data (e.g. checkbox (form application) or explicit information by e-mail with reply option).
     

In addition, the Regulation requires that

  • the applicant must have access to the data at all times,
  • the data must be made "available" to them,
  • a right to be "forgotten" must be granted and the application data must be completely erasable,
  • candidate data must be kept until their purpose ceases,
  • applicants have the right to correct and adapt their data,
  • everything previously mentioned must be recorded and thus traceable.

The question of who has access to the applications is also important. This means that lying around application documents on desks in open offices is just as taboo as the sending of circular e-mails with applications attached to them to the neighbouring department without access or acknowledgement that can be logged.

Companies with a well-managed recruitment process by trained personnel managers who use an up-to-date application management system have little to fear if their data protection officer has given the go-ahead for the new GDPR.

On the safe side are organisations that transfer their recruitment in the sense of a "Managed Process" through commissioned work in accordance with §28 GDPR to a competent RPO partner who confirms compliance with the basic data protection regulation GDPR in the form of a written declaration and, if necessary, submission of further evidence.

For all other organisations (companies, public clients, municipalities, associations, ...) it will be close. Sensitive fines are imminent as of the validity of the GDPR (end of May 2018). We strongly recommend the involvement of experts, in particular the respective data protection officers.

Do you want to achieve legal certainty with your recruitment or do you still have questions about the GDPR? Call us today and we will be happy to help you.