GDPR, or the General Data Protection Regulation, is the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95 /46/EC. The regulation has been in force in the legal systems of the European Union member states since May 25, 2018.
The obligations regarding the protection of personal data arising from the regulation apply to all entities that process personal data in connection with their business activities. In the event of a breach of obligations arising from GDPR, the violating entity may be fined up to EUR 20,000,000 or 4% of its total annual worldwide turnover.
Protection of personal data in the employee recruitment process
Regardless of how an employer searches for job candidates, the recruitment procedure always involves obtaining and processing personal data contained in recruitment documents, including CVs, cover letters and references. An employer who conducts a recruitment process and collects personal data from candidates is obliged to inform them about the processing of their personal data in a clear and legible manner, as well as easily accessible to the candidate. This can be done, for example, in the content of a job offer. The employer should inform the candidate about:
- full name and address of its registered office,
- contact details of the data protection officer (if appointed),
- data recipients
- intention to process data cross-border
- the period during which the data will be processed or the criteria for determining this period,
- your rights: to request access to your data, including receiving a copy of it, rectifying it, deleting it or limiting its processing,
- the right to lodge a complaint with the President of the Personal Data Protection Office,
- voluntariness or obligation to provide data and the consequences of not providing it.
- The employer may only collect personal data provided for by law, and may not collect them "in reserve" for future recruitment unless the candidate expressly consents to it.
Consent to the processing of personal data
Consent is one of the legal bases authorizing the processing of data. However, it should be noted that this is not the only clause GDPR included in the application documents constitutes consent to the processing of data by the employer. Consent of the candidate whose data is to be processed means freely given, specific, informed and unambiguous indication of consent to the processing of personal data by the data subject in the form of a declaration or clear confirmatory action.
Therefore, the very act of sending a CV to the employer, constituting a response to a job advertisement, indicates that the candidate understands to which entity he is applying and for what purpose his data will be processed. Moreover, the applicant knows the scope of data he or she sends to the recruiter. Therefore, the applicant's action indicates that he has expressly consented to his data being processed by the employer. Thus, upon entry into force GDPR the current obligation to include a clause in the CV has changed. Today, when she is gone, it is not a problem.
Data other than those required by labor law and consent in the CV
Candidates often provide more data in their CVs than required on their own initiative labor law. Due to the fact that the candidate's application is an informed response to the job advertisement - the candidate knows to whom he is providing the data and for what purpose - the employer may process it, even if the candidate did not include the clause in the document. However, if the data provided by the applicant falls into the category of sensitive data (e.g. information about health status) and the candidate has not given separate express consent to their processing, the employer cannot process this data. Additionally, the employer is obliged to remove them immediately.
GDPR and consent to future recruitment
Otherwise the situation is developing in the case of using candidate data for future recruitment purposes. If the applicant has not expressed explicit consent, the employer cannot process his or her data and should delete it after the recruitment process is closed.
Examples of GDPR clause for CV - personal data clause for CV
I consent to the processing of my personal data for the purpose of recruiting for the position I am applying for. At the same time, I consent to the processing of my personal data for the purposes of future recruitment processes.
Withdrawal of consent to the processing of personal data
Importantly, the candidate must be informed about the possibility and method of withdrawing consent to the processing of his personal data by the employer at the time his data is obtained. Withdrawing consent should be easy and possible at any time. If the applicant requests the employer to delete the data, the employer loses the right to further process his data and is obliged to delete it immediately.
Piotr Kłodziński
Legal Advisor Warsaw
together with the Law Firm Team