The EU General Data Protection Regulation (GDPR), which took effect on May 25, 2018, also poses new challenges for employers dealing with applicant data. Numerous data protection regulations have to be followed even before an employment relationship is established, because application documents contain personal data.
The most important new features and practical tips at a glance:
Data protection plays an important role even in job postings. Pursuant to art. 32 of the GDPR, personal data must be kept secure when being processed, including by encrypting the data.
Practical tip: If applications can be submitted via an online portal, ensure that the transfer of applicant data is encrypted using state-of-the-art technology. In this case, and when transferring application documents via e-mail, also ensure that appropriate encryption is used when storing the data.
Receiving application documents
Art. 13 of the GDPR lists a range of information that must be provided to the applicant once the application documents have been received. This includes, for example, the type of data processing, its intended purpose, and the length of the retention period.
Applicant data may then only be made available to people involved in the application process (for example, managing directors, personnel administrators, and possibly the works council).
Practical tip: If an online portal is used, the information to be made available to the applicant should be retrievable from the corresponding page (for example, via a link). In the case of applications submitted via e-mail, it is advisable from a practical standpoint to e-mail the information with a confirmation that the application was received.
To prevent unauthorized parties from accessing the applicant data, it should then be stored and managed separately from other records. If the data is secured on a common network, make sure that only the authorized group of people can access it. In the case of applications submitted on paper, ensure that they are not stored openly, but rather in a locked filing cabinet, for example.
Involving service providers
If services from third parties (service providers) are used during the application process, this generally constitutes order processing (formerly: order data processing), i.e. processing on behalf of the controller. Consequently, an agreement that meets the requirements of the GDPR and specifies, among other things, the purpose, nature, and scope of the data processing must be concluded between the service provider (processor) and the employer (controller).
Practical tip: Employers who outsource application procedure (sub)processes are advised to use an order processing agreement tailored to their needs in order to ensure an adequate level of data protection. This is especially advisable given that the employer (as the data controller) and service provider (processor) are equally liable in the event of a violation of the GDPR. If the data will be processed outside the EU, further ensure that the recipient guarantees an adequate level of data protection (for example, by using standard data protection clauses, formerly: EU standard contractual clauses).
Deleting applicant data
Applicant data (in application documents or in notes taken by the personnel manager, for example) may only be stored for a specific purpose, i.e. only for as long as is required to fill the position. However, this does not mean that the data must be deleted immediately after the position is filled. For example, so that the company can defend itself if a rejected applicant asserts claims based on an alleged violation of the General Equal Treatment Act, the documents should always be stored for an additional six months after the application is rejected.
Practical tip: Application documents received by mail should be given to an authorized person to be disposed of in accordance with data protection requirements. In the case of digitally submitted application documents, particular care should be taken to ensure that every copy is deleted.
If the employer wants to store the data for a longer period (especially longer than six months), for example in order to keep the applicant in an applicant database, they must obtain a written declaration of consent from the applicant. The declaration of consent can be sent along with the confirmation of receipt or submitted by the applicant by checking a box prior to submitting an online application.
Right of information and documentation
According to art. 15 of the GDPR, applicants also have the right to obtain comprehensive information from employers about the data stored on them. This right of access covers, for example, the intended purpose, the planned storage period, and whether the data has been made available to third parties.
Practical tip: In order to be able to comply with any information requests, all processes connected with an application that are relevant from the standpoint of data protection should be documented.
The information can be provided to the applicant either at their request or voluntarily, for example in a rejection letter.
To summarize, the GDPR imposes stricter requirements for employers in connection with the application process. It is therefore essential to revise existing processes. In doing so, the data protection provisions should be taken very seriously, as the penalties for violations have become far more severe. Applicant data must therefore be handled with care.