HR Archives - TechGDPR (https://techgdpr.com/blog/category/hr/)

Understanding GDPR Compliance in Recruitment
https://techgdpr.com/blog/understanding-gdpr-compliance-in-recruitment/
Wed, 29 Mar 2023 11:24:47 +0000

In the process of recruitment and scouting for new potential hires for a vacancy in an organization, the collection and processing of personal data of those candidates is inevitably involved. 

Therefore, it is important to understand GDPR compliance. In most cases, the company that posts its vacancy and embarks on the recruitment process will be considered the data controller. This will make them responsible for adhering to several obligations.

Notably, here are some specific and recurrent instances, in the course of recruitment, headhunting and hiring, where a controller should look closely at the GDPR to make sure it is implementing the most appropriate and compliant solution. 

Legal bases: which is the most appropriate?

The lawfulness principle of the GDPR, first introduced in Article 5, requires that data is processed in a lawful manner, meaning that it must rely on at least one of the legal bases listed in the following Article 6. Not all legal bases are, however, always going to be applicable or the most appropriate choice, especially when dealing with candidates sourced online or applicants. The same holds true for current employees.

The imbalance of power when relying on consent

The European Data Protection Board (EDPB) acknowledges in its Guidelines 05/2020 on consent that there is a clear imbalance of power between an employer and their employee. Undeniably, the same is to be considered between a potential employer and a prospective employee or applicant. Although there is no dependency yet, one can still argue that an employer has a stronger bargaining position than a candidate who wishes to work for them. Therefore, the EDPB generally advises against the use of consent as a legal basis for processing activities carried out in this context. That is because it would be difficult to prove that consent is freely given, as required by the definition in Article 4 of the GDPR. In practice, it is likely that a candidate would feel obliged to consent to any use of their data, as they might assume it gives them a better chance of getting the job.

Legitimate interest is a good option, but comes with requirements

Instead, relying on legitimate interest might be preferable. However, the controller must still be mindful that this basis also comes with requirements. Under Article 6 of the GDPR, the legitimate interest of the controller cannot override the interests or fundamental rights and freedoms of the data subject. This means that the organization will first and foremost have to identify what the specific legitimate interest pursued is. Generally, sourcing individuals online, perhaps on professional social networking platforms, to find suitable candidates for a specific position can be in the interest of growing a team and overall bettering an organization. However, merely identifying the interest is not enough. One would also have to balance this interest against the rights and freedoms of the data subject, the so-called balancing test, by performing a legitimate interest assessment.

Performance of a contract can be relied upon, but with limitations

Similarly, the legal basis of necessity for the performance of a contract might actually be the most appropriate for the processing of data of individuals who apply for an open position, specifically under the part of Article 6(1)(b) that covers processing "in order to take steps at the request of the data subject prior to entering into a contract". However, this requires strict adherence to the definition: it would have to be a contract that the data subject has requested. Therefore, for processing activities in the context of online recruitment and headhunting, where the candidate has not approached the controller, it is unlikely that this legal basis can be relied upon. Instead, as mentioned above, legitimate interest might be the only option.

Online recruitment and the duty to inform

On the topic of online scouting and headhunting, there are further legal obligations that controllers need to be mindful of when processing personal data for this purpose. Because the data is not obtained from the data subject, the requirements of Article 14 apply, depending on how these activities are carried out.

Reaching out to the candidate in due time

First and foremost, it is crucial to actually contact the candidate, if their data has been processed. In fact, Article 14 requires this communication to be done within a reasonable period after obtaining the personal data and at the latest within one month. That time-frame should also serve as a retention period for the data processed for this purpose, should the candidate not respond, for example. 

The communication should also contain all the information needed to ensure that the transparency principle is met. Therefore, ideally the candidate should be directly informed, or at the very least be provided with a specific privacy notice indicating all the information required by Article 14, e.g. the identity of the controller, the purpose of the processing, the categories of data processed, etc.

Honoring data protection principles and data subject rights

Needless to say, the controller should adhere to the other principles of the GDPR. Notably, data minimization, by processing only the information that is strictly required to source the ideal candidate.

Furthermore, a controller should inform candidates of their data subject rights and be mindful of them, specifically by ensuring that mechanisms are in place to allow candidates to exercise those rights. The controller should also ensure that the data is processed for a specific purpose, so that once that purpose has been fulfilled, the data is no longer processed. In practice: if the data is only processed to reach out to potential candidates, and they reject the offer but do not expressly request erasure, their personal information should still be erased, unless it serves another explicitly indicated purpose.

Processing special categories of data in recruitment

In accordance with Article 9 of the GDPR, special categories of data include the following: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and data related to sex life or sexual orientation. As a general rule, processing data that falls under these categories is prohibited. However, there are exceptions. In the context of hiring potential employees, two might be particularly relevant: explicit consent from the data subject, and necessity to carry out legal obligations and exercise specific rights of the controller or the data subject in the field of employment and social security and social protection law, based on national law provisions.

How does this apply to recruitment?

There are several reasons. For example: a potential employer might wish to request information about a candidate's disability to make relevant adjustments, perhaps for interviews and, if relevant, for the work moving forward. Furthermore, many companies have established equal opportunity programs dedicated to specific minorities and/or to a certain field. Alternatively, they wish to monitor whether they meet equal opportunity requirements. Some organizations might even get recognition for ensuring high standards for diversity, e.g. Stonewall Top 100 Employers in the UK or the Human Rights Campaign Corporate Equality Index. However, in order to monitor those metrics and ensure diversity, they process special categories of data, such as race, disability (health data) and sexual orientation.

Explicit consent or national law obligation?

As mentioned before, using explicit consent might be an issue, because it is hard to truly guarantee that it is freely given in this context. Especially when applying for an equal opportunity program, it is unlikely that the applicant has any choice but to disclose the relevant information, as that will be the deciding factor as to whether they meet the criteria to enter into the program. 

Instead, one can rely on the second exception, related to national legal obligations. In many countries, laws that ensure the equal treatment of minorities and penalize discrimination at work often also include articles or sections that require positive action in the field of employment. For example, in Germany, positive action is required by §5 of the Equal Treatment Act (AGG). In the UK, where the UK GDPR applies, this is provisioned in Article 159 of the Equality Act 2010.

Organizations are left free to decide how to implement this, but this freedom has gradually led to defining metrics and equal employment opportunities. Since this is a way to exercise a legal right of the data subject, and a legal obligation of the controller, one could preferably rely on this exception, rather than explicit consent. 

In fact, best practice would be to rely on the national legal obligation exception where such exceptions apply, but still request the data subject's explicit consent, which gives them the option not to reveal this information, e.g. "prefer not to say".

In conclusion…

Under the GDPR, controllers must process personal data of candidates and applicants lawfully. Not all legal bases are equally applicable: in the context of recruitment, relying on legitimate interest or performance of a contract might be more reliable than relying on the applicant's consent, although those bases also have their own rules and limitations.

Furthermore, a controller must note and follow the obligation to contact candidates that it scouts online, and keep in mind the one-month deadline to get in touch.

Lastly, controllers might wish to get acquainted with national legal obligations in the scope of equal employment, as legal obligations in those frameworks provide them with a legal basis to process special categories of data, for the purpose of promoting diversity in the workplace. 

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains product development, HR, marketing, sales and procurement teams in understanding data protection requirements. It offers an online training course for software developers, system engineers and product owners.

GDPR and HR data for non EU-companies
https://techgdpr.com/blog/gdpr-and-hr-data-for-non-eu-companies/
Wed, 02 Feb 2022 11:16:19 +0000

It's been three years since the GDPR entered into force and although it provided clarity in regards to handling personal data, some ambiguities still remain, in particular when it concerns employing EU employees as a non-EU organization.

Territorial applicability

The territorial applicability of the GDPR is outlined in Article 3 and is conditional on three criteria:

  1. the location of the controller/processor
  2. the offering of services to individuals in the EU/EEA (through targeting them)
  3. the monitoring of the behavior of data subjects in the EU.

Human Resources (HR) data also includes personal data (i.e. name, email address, physical address, bank account, …) and hence the processing of this data falls under the scope of the GDPR.

According to GDPR Art. 3.1:

This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

When a company is located in the EU/EEA and its employees or contractors are also located in the EU/EEA, Art. 3.1 of the GDPR applies. Therefore, any handling of employees' personal data should be performed in a GDPR-compliant manner. This ranges from setting the legal bases for the processing to adhering to the data protection principles (GDPR Art. 5) and ensuring the exercisability of the employees' rights (Articles 15-21 GDPR).

The situation becomes less clear when the company is located outside of the EU/EEA but has employees located in the EU/EEA. GDPR Art. 3.2 regulates the extraterritorial effect of the GDPR and foresees that when a company is not established in the EU, it will fall under the GDPR only if:

  1. it offers services to data subjects based in the EU/EEA (through targeting them and not incidentally)
  2. it monitors EU-based data subjects' behavior.

The EDPB has stressed in its Guidelines 3/2018 on the territorial scope of the GDPR that employment doesn't constitute an offering of services. Indicatively, one can read from its example of a US company processing personal data of its employees, for human resources purposes, while they were on a trip in the EU:

“In this situation, while the processing activity is specifically connected to persons on the territory of the Union (i.e. employees who are temporarily in France, Belgium and the Netherlands) it does not relate to an offer of a service to those individuals, but rather is part of the processing necessary for the employer to fulfil its contractual obligation and human resources duties related to the individual’s employment. The processing activity does not relate to an offer of service and is therefore not subject to the provision of the GDPR as per Article 3(2)a.”

It is possible, however, that an employer monitors its employees. This could include, among others:

  1. application usage monitoring,
  2. CCTV monitoring,
  3. email monitoring, and
  4. geolocation through company-issued equipment.

In this case, under GDPR Art. 3.2, any personal data of employees located in the EU that is collected through this monitoring activity will fall under the GDPR, even if the employer (controller) is located outside of the EU/EEA and has no subsidiary in the EU/EEA.

Concluding applicability of the GDPR for HR data for non EU companies

We can therefore conclude that if the company doesn't monitor its employees based in the EU/EEA, then any processing of their personal data for HR-related purposes (issuing of payroll, insurance, drafting of their employment contracts) will not fall under the scope of the GDPR. This also seems to be in line with the EDPB Guidelines 3/2018 on the extraterritorial effect of the GDPR.

If the company is located outside the EU/EEA and has no EU/EEA-based employees or contractors, then any employee personal data processing, even through monitoring, would fall outside the scope of the GDPR.
