Glossary: HR & Recruiting Definitions

What is the GDPR?


Definition

The abbreviation GDPR stands for “General Data Protection Regulation” and refers to an EU-wide law on the collection, processing, and storage of personal data for specific purposes.

Since the law came into force, companies have been faced with changed requirements regarding the systems and processes used for recruiting and applicant management, as well as data protection and data security.

When did the GDPR go into effect?

The General Data Protection Regulation (GDPR) came into force in May 2018 and has since regulated the treatment of personal data in accordance with EU law.

Is the GDPR the only data protection law?

No. The GDPR does not cover all relevant topics related to data protection and should therefore be applied alongside national laws and regulations.

Which specific laws apply depends on the country in question. For example, a separate law exists in Germany, called the Bundesdatenschutzgesetz (or BDSG, meaning Federal Data Protection Act). This act has existed since 1977 but was updated in May 2018 to supplement the GDPR.

What is personal data?

On the European Commission’s information portal, personal data is defined as follows:

“Personal data is any information that relates to an identified or identifiable living individual.” The GDPR further stipulates that “different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.”

As stated in Article 4 of the EU GDPR, identification in this context refers to “factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person”.

Personal data: Examples

The GDPR law only deals with data in relation to natural persons. Based on this definition, the following data are considered personal by the GDPR:

  • First and last name
  • Private address
  • Telephone number
  • Non-anonymised e-mail addresses ([email protected], whether private or business)
  • Date of birth
  • ID card number

Data relating to legal persons, i.e., companies, societies or associations, are not considered personal and are therefore not covered by this law.

Examples of non-personal data:

  • Commercial register number
  • General/anonymised e-mail addresses ([email protected])
  • Anonymised data in general

Why is data protection so important?

First and foremost, data protection in line with the GDPR matters because personal data that falls into the wrong hands can cause serious damage: misuse of candidate data, fines for companies in the event of violations, financial damage, and so on.

Furthermore, awareness of the value and need for protection of personal data is steadily growing in society. A company that demonstrates awareness, expertise, and professional handling of data can score points as a considerate employer. This can help boost the employer image and ensure trustful interaction with employees and potential team members alike.

Which articles of the GDPR are particularly relevant for recruiting?

The General Data Protection Regulation consists of a total of 11 chapters with 99 articles covering the collection, storage, and processing of personal data. Recruiters should be particularly familiar with the following articles.

  • Art. 5 GDPR (Purpose limitation)

    If an application process is pending, recruiters must ensure (and be able to prove) that they collect personal data exclusively for the purpose of selecting candidates (data processing to establish an employment relationship).

    In doing so, they must follow the principle of necessity. This means that only the most necessary data (e.g. first and last name, contact details, qualifications) that is vital for selecting the new team member may be requested.
  • Art. 6 + 7 GDPR (Lawfulness of processing + conditions for consent)

    If a talent pool is to be established, recruiters should comply with these two articles. In this case, the data may only be processed and stored with the candidate’s consent for the duration of the application process.

    Inclusion in such a talent pool means longer-term storage of the collected data (beyond the application process) and, therefore, requires the explicit consent of the person concerned. Moreover, the forwarding of personal data within a company to recruiting colleagues or management is only allowed with consent as well.
  • Art. 9 GDPR (Special categories of personal data)

    If not enough or no qualified applications are received, recruiters can also start looking for candidates themselves (“talent sourcing”) and collect data without prior consent.

    In principle, there must be a legitimate interest on the part of the person collecting the data, but Article 9 of the GDPR contains an exception. According to this, under certain conditions, certain personal data may be collected without prior consent if the data subject has published this information themselves. However, this only applies to Xing, Indeed, or LinkedIn profiles, but not to private social networks such as Facebook.
  • Art. 12 + 13 + 14 GDPR (Transparency + duty to inform about data collection)

    Recruiters are obliged to inform potential applicants about the usage of their personal data and explain to them how their data is used. Candidates must know what data is collected for the selection process and who collects and processes this data. Further information that needs to be provided includes to whom the data is transferred and where it is stored.

    This applies regardless of whether the personal data is obtained directly via the person concerned or via third parties (headhunters, social networks, etc.). In addition, the candidate must be informed of their rights and enabled to exercise their rights in a simple manner.
  • Art. 17 GDPR (Right to erasure, i.e. ‘right to be forgotten’)

    Anyone who has applied has the right to have their data deleted after the application process has been completed. This would automatically be the case with a rejection. But beware: from then on, the data must be kept for at least five months.

    This time is reserved for applicants in case they want to pursue claims for damages, for example if they have been discriminated against or otherwise treated unfairly during the process. Companies must be able to prove they have made a non-discriminatory decision when selecting or rejecting an applicant.

    If no action is taken, the data will be deleted after these five months. An applicant's data should, however, be deleted from the talent pool immediately upon their request, at any time.
  • Art. 30 GDPR (Records of processing activities)

    A record must be kept of the processing activities involving personal data, listing all applicant management processes. In this case, the purpose is to provide evidence.

    If an applicant complains to a competent authority about unlawful processing of their data, recruiters must be able to provide the data protection supervisory authority with evidence of proper data processing on their part.
  • Art. 88 GDPR (Processing in the context of employment)

    For everything that takes place after the application process (data processing for the employee’s file, storage of employee data, etc.), Article 88 of the GDPR refers to a country’s own, separate national legislation.

    For instance, taking Germany as an example again, further details about personal data processing are stipulated in Section 26 of the BDSG, titled the Datenverarbeitung für Zwecke des Beschäftigungsverhältnisses (Data Processing for the Purpose of the Employment Relationship).

What does a GDPR-compliant application process look like?

Even without in-depth knowledge of the GDPR, the following measures can be taken to ensure a compliant application process.

Educate applicants early on about data collection, processing, and storage

Applicants must be informed about how their personal data will be handled and what their rights are in this respect. For example, for applications via the company’s own career site or through an Applicant Tracking System (ATS) a clearly visible reference to the data protection policy can be placed on the page. In case of unsolicited applications or applications via job boards, the relevant documents could be attached to the confirmation of receipt.

Only actively source on professional networks

If active sourcing is needed, only data that potential candidates have published themselves and thus made available publicly and voluntarily may be collected. Candidate research should therefore only take place via professional networks, like LinkedIn, and never via personal social media.

Ask only purposeful questions in the interview

Personal data may only be collected and processed for a specific purpose. The purpose is to determine the candidate’s qualifications and cultural suitability for employment within a company. Consequently, the questions asked during the interview process should only relate to this and not ask for any unnecessary details and data.

Record data processing activities

As explained above, Article 30 of the GDPR requires that all data processing activities are documented in the record of processing activities.

No background checks!

Background checks may be tempting and sometimes very meaningful, but they are extremely questionable from a legal point of view. After all, they constitute data collection beyond the original purpose and therefore violate the principle of necessity. There are some exceptions in this area, but these are rare.

Talent pool: Admission only after rejection and consent

While consent is not required for self-initiated participation in the selection process under the GDPR, explicit consent must be given for inclusion in the talent pool. However, recruiters should only propose inclusion in the talent pool after a rejection.

The principle of free choice applies here. With the application, the candidate has already decided to become part of a company and would therefore no longer have any alternative choices. The situation is different after a rejection.

Talent Pool: Ask regularly

The storage of personal data under the GDPR can also be a problematic matter, as there is no official time limit for it. It is therefore advisable to check at regular intervals (approximately one year) whether candidates still want their data stored in the talent pool. Alternatively, the data can be deleted automatically after one year, while giving the candidate the option to renew or delete it beforehand.

How can companies ensure GDPR compliance?

The GDPR requires a lot of attention and in-depth knowledge of data protection and the law. So how can companies ensure compliance without this knowledge?

By choosing one of the following options:

  1. Appoint an external service provider to represent the company in data protection matters
  2. Hire an in-house expert

According to Article 37 of the GDPR, every organisation must appoint (and publicly announce) a Data Protection Officer (DPO) to ensure legally compliant data processing. With the help of our free GDPR Data Protection Officer job description template, you can make your search easier and find competent and talented professionals faster.
