Legal Basis for Processing Recruitment
Final hiring decisions are made by hiring managers and members of our recruitment team. We take into account all information collected during the application process.
Controllers should assess whether the processing of personal data is "necessary" for the pursuit of their business or professional purposes. The adjective "necessary" is not synonymous with "indispensable", but neither is it as broad as "ordinary", "useful", "reasonable" or "desirable". It may be easier to simply ask, "Is there another way to achieve the identified interest?"
- If this is not the case, the processing is clearly necessary; or
- If there is another way, but it would require disproportionate effort, you may find that the processing is still necessary; or
- Where there are several ways to achieve the objective, a Data Protection Impact Assessment (DPIA) should be used to identify the least disruptive processing activity; or
- If the processing is not necessary, legitimate interests cannot be relied on as the legal basis for that processing activity.
Remember that the processing must comply with the GDPR and your legitimate interest. Pay attention to access control – password protection, password strength, and other access management controls. And, of course, make sure online – your website and the other online services you use. What happens if you delegate some of your processing functions to third parties, such as data processors like AmazingHire?
And remember that at the heart of consent and legitimate interest in recruitment is the idea of fairness and transparency for the candidate, and that can only mean good things for the future of the industry and your business. Keep in mind that the new regulations came into force to ensure that individuals can effectively exercise their rights, not to get businesses to seek consent or enter into contracts. With a consistent approach, you can make your recruitment processes GDPR compliant without extra effort.
Consent – and nothing less than that – is the necessary legal basis for processing personal data for recruitment purposes. In recruitment, it is common to process data from references.
These references usually contain only a name and a means of contact: a telephone number. It is the responsibility of the applicant to inform the reference of the processing of his personal data. However, the recruiter must inform the candidate of their responsibility to speak to their references. You will also be asked to provide information on equal opportunities. It's not mandatory: if you don't provide it, it won't affect your application. We will not provide the information to employees outside of our recruitment team, including hiring managers, in a manner that can identify you. Any information you provide will be used to compile and monitor equal opportunities statistics. The main legal basis for the processing is the employment contract. However, consent is also possible if it meets legal requirements. This means, for example, that it must be given explicitly and freely. When you answer these questions about the processing of candidate data, you may find that some of them are not applicable to your company (e.g., "Is there a broader public benefit to processing?"). In this case, you could mark them as "not applicable", because regulators expect you to have considered this issue but found that there was no relevant answer.
Then we move on to transparency. Transparent processing is about being clear and honest about who you are and how and why you use personal data. It is important that you review your privacy notice. It must be easily accessible and easy to understand, written in clear, precise and simple language so that even a child can understand it. Include information about the purposes of the processing, retention periods, data distribution and, of course, your legal basis. According to the GDPR, the candidate must be informed that the data will be stored for future recruitment and must be able to withdraw consent or object to processing. Consent and legitimate interest are two of the six legal bases on which companies can collect and process personal data under the GDPR (other possible grounds are contract, legal obligation, vital interests and public mission). The reason consent and legitimate interest are the only legal bases recruiters usually talk about is that they are the ones that most often apply to the industry (except perhaps your contractual rights to keep records of all candidates you refer).
A relevant person applies to advertise a job. The candidate sends his application either to a recruitment company or to the hiring company. The legal basis for processing personal data for recruitment purposes is our legitimate interest in developing our business. This is not an illustrated exercise. The Article 29 Working Party cautions against fixing the balancing test documentation in such a way that data subjects, data authorities and courts can review the assessment. It should cover a wide range of factors, including the "possible consequences (potential or actual) of data processing". These include, for example, the "broader emotional impacts" and the "deterrent effect on .. freedom of research or expression that may result from continued surveillance/persecution." A rule of thumb is to communicate in the same channel where you found resumes – like LinkedIn Recruiter or LinkedIn. Do not export data to your own CRM or email program and continue the recruitment process without the candidate's consent. Sometimes it is advantageous to hire an external party, such as a specialized recruitment firm.
This means that the external party shares personal data with the hiring company. In this case, the recruitment company can only exchange data on a few selected candidates. The agreement with this external company must be clear, and the data processing agreement must be appropriately worded. In accordance with Article 28 of the GDPR, you must conclude a written contract that obliges the processor to take the same security measures that you would have to take if you had to carry out the processing yourself. Make sure your contract includes all the information needed to prove compliance. Article 28 can help you prepare the draft contract. What needs to be done to make the processing lawful? It is important to identify a valid legal basis, the so-called legal basis. The main principle of using legitimate interest as a legal basis for data processing is that you can demonstrate that you are using an applicant's data in a way that an individual would reasonably expect and where there is a valid justification for processing their data.