The new EU-wide General Data Protection Regulation (GDPR) comes into force on May 25, 2018. Various measures and steps should therefore be initiated early to ensure that all of your company’s data applications are adapted to the new regulation by then.
As a provider of the CRM and recruiting software 1Tool, we have been working on the GDPR and its scope in the HR sector for a long time. With our tips, we would like to give you the best possible support in complying with data protection requirements and an insight into what the GDPR means for your applicant management.
Data collection and use in the application process
As sensitive personal data is processed during recruitment, certain regulations must be observed when handling this data.
1) Check the data that is requested via your online application platform and restrict it if necessary
Only a limited amount of information about candidates may be collected as part of an application procedure, and questions about marital status, compulsory insurance and religious views are not relevant at the time of application. You should therefore definitely delete these fields from your online form.
2) Obtain the consent of your applicants for the use of data within Group companies
If you are a Group company, you must inform candidates precisely whether applicant data will be used by all participating companies in the Group or whether applications will be processed separately for each company. Accordingly, the applicant’s consent is required for the use of data within the Group as a whole.
3) Be sure to involve an employee in the decision-making process
Even if it seems convenient to use automated, profiling-based decisions for the pre-selection of suitable candidates, it is advisable under data protection law that an employee from the HR department also accompanies the decision-making process.
Duty to inform
4) Inform candidates about relevant points before using the application platform
You are obliged to inform applicants in advance about numerous aspects, such as the name and contact details of the controller, the purposes of data collection, the existence of a right to lodge a complaint with the supervisory authority and much more. Interested parties must be able to access the data protection information at any time, which is why it is advisable to provide it online by linking to an information page.
Storage period of applicant data
5) Ensure that your applicant data is stored in compliance with the law
Applicant data may only be stored without consent for as long as the application process lasts or for as long as storage is required by statutory retention periods. Under the Equal Treatment Act, rejected applicants have six months from the date of rejection to assert claims. Storage for longer than six months therefore requires the consent of the candidates.