GDPR clause in CV 2021

legal advisor Warsaw
Piotr Kłodziński|
|
Comments (0)

GDPR, otherwise known as the General Data Protection Regulation, is Regulation (EU) 2016/679 of the European Parliament and of the Council. The Regulation has been in force in the legal systems of the European Union member states since 25 May 2018. The obligations concerning the protection of personal data arising from the regulation apply to all entities that process data in connection with their business activities.

💡 Key takeaways

  • The recruitment process is inextricably linked to the processing of candidates' personal data and is subject to GDPR.
  • The employer is obliged, among other things, to inform the candidate about the purpose of data collection, its controller, and the candidate's rights (the so-called information obligation).
  • The absence of a specific "GDPR clause" in a CV sent to an employer is usually not a problem – simply sending an application with your details in response to a specific advertisement is already considered consent.
  • "Stockpiling" CVs for future recruitment purposes without the explicit and separate consent of the candidate for such processing is not permitted.

In the event of a breach of the obligations under the GDPR, the offending entity may be fined up to 20,000,000 euros or 4% of its total annual global turnover.

Personal data protection (GDPR) in the recruitment process

Protection of personal data in the employee recruitment process

Regardless of how an employer seeks candidates for a job, the recruitment procedure always involves the acquisition and processing of personal data contained in documents (CVs, cover letters, references). An employer conducting a recruitment process is obliged to inform candidates about the processing of their data in a clear and easily accessible manner (e.g., within the job advertisement). Information must be provided, among other things, about:

  • full name and address of its registered office,
  • contact details of the data protection officer (if appointed),
  • data recipients,
  • intentions for cross-border data processing,
  • the period for which the data will be processed,
  • to which you are entitled (rights of access, rectification, erasure),
  • the right to lodge a complaint with the President of the Personal Data Protection Office,
  • voluntariness of providing data and the consequences of not providing it.

An employer may only collect personal data as provided for by law; furthermore, they may not collect it "in reserve" for future recruitment without the explicit consent of the candidate.

Consent to the processing of personal data

Consent is one of the legal bases authorising data processing. Not just a clause GDPR provided in the application documents is consent to processing. Consent, after all, means a voluntary, specific, informed, and unambiguous indication of permission – in the form of a statement or express affirmative action.

Therefore, the very act of sending a CV to an employer in response to a job advert indicates that the candidate understands which entity they are applying to and for what purpose they are providing data. Consequently, with the GDPR coming into effect, the previous obligation to include a clause in the CV has changed. Today, its absence is not a problem.

Job interview

Data other than those required by labor law and consent in the CV

Candidates often provide more data in their CVs than required on their own initiative labor lawSince the candidate's application is a considered response to a job advertisement, the employer may process this voluntarily provided data, even if the candidate has not included a clause. However, if this data belongs to the category of sensitive data (e.g., health information) and the candidate has not given separate, explicit consent for its processing, the employer cannot process it and is obliged to delete it immediately.

GDPR and consent to future recruitment

The situation is different when candidate data is used for purposes such as future recruitmentUnless the applicant has expressly consented to this in their CV, the employer cannot retain their data and must delete it entirely upon completion of the current recruitment process.

Example GDPR clauses for CV

If a candidate wishes to guarantee their participation in future recruitment drives, they simply need to add the following wording at the bottom of their CV:
I consent to the processing of my personal data for the purpose of recruitment for the position I am applying for. At the same time, I consent to the processing of my personal data for future recruitment processes.

Withdrawal of consent to the processing of personal data

Crucially, the candidate must be informed of the possibility of withdrawing consent at the time their data is obtained. Withdrawal should be easy and possible at any time. If a request to delete data is made, the employer loses the right to further process it and is obliged to delete it from their systems immediately.

Piotr Kłodziński – Legal Advisor Warsaw together with the Law Firm Team
Rate this post