GDPR: How Recruiters Should Comply With Data Regulations

November 9, 2022

6 min read

Table of Contents

Recruiters deal with a vast amount of information provided by people every day. Their work is governed by many laws, including those related to personal data. This article will cover general rules that acquisition specialists from StaffingPartner use to protect our clients and job applicants, particularly from the European Union.

What GDPR stands for?

The General Data Protection Regulation (GDPR) is a law that regulates how data can be collected, used, and shared.

This rule is related to any company or legal entity that processes or intends to process the data of individuals in the European Union and the European Economic Area (all EU countries plus Iceland, Liechtenstein, and Norway), regardless of whether the company is based inside or outside the EU.

The law gives people some control over their personal information, which briefly can be outlined in three primary rights:

to have the information about what data is being collected about them;
to have that data erased;
to object to its use.

In 2018 it substituted the 1995′ Data Protection Directive, which wasn’t helpful when the Internet became widely used because it didn’t consider new ways of data proceeding.

What data is personal?

Personal data is any details that identify a person. This can be names, addresses, IP addresses, and cookie data. When discussing recruitment, personal data is usually applicants’ resumes, the contact information of clients and applicants, and social media profiles.

How strict is the GDPR?

National authorities can apply penalties of up to €20 million, or up to four percent of the organization’s earnings from the previous year, whichever is more significant. These are not empty threats – in July 2019, Google was fined €50 million by the French data protection authority CNIL for failing to meet GDPR transparency requirements.

GDPR spreads on any business with EU customers, no matter where the organization is established, inside or outside the EU and EEA. Your business could be at risk if you work with recruiters who do not stick to data protection rules.

Data processing in recruitment

Data processing is any operation that’s performed on personal data. It could be recording, storing, organizing, altering, destroying, or transferring. The recruitment lifecycle covers data processing activities, such as sourcing or screening. To comply with GDPR, our recruiters must obtain explicit consent from clients and job applicants before collecting, storing, or sharing their data. This implies that they must have a legal reason for processing data.

“We have a strict rule: to ask a candidate’s permission before sharing their CV with an employer,” said Kateryna Berkutova, Recruitment Team Lead at StaffingPartner. When the person gives clear consent, it is a legal reason. But the recruiter must notify the person of their right to cancel that permission at any time.

When clients leave a message to us through the website, they see an inscription: “By clicking “Send” you agree to the personal data processing,” which means that we start protecting their data from the beginning.

There are four main stages of data processing in recruitment:

Collection: personal data is collected from clients or job seekers, usually through a “contact us” form, application form, or a resume.
Storage: the information is stored in a secure database.
Use: the data is used to match job seekers with open positions.
Sharing: the job seeker’s data may be shared with their consent, usually to send them information about job openings or to set up an interview.

StaffingPartner has more than 230,000 candidates in the database. We have their approval to store and use information from their CVs to find an exciting job for them and the most suitable candidates for you. Let us know if you have open positions.

How does GDPR compliance look in practice?

Our recruiters are regularly trained in data protection and are aware of the consequences of non-compliance. We must consider different data protection laws, not just GDPR. So, let’s discuss the main episodes where recruiters and recruiting agencies interact with personal data and how they comply with GDPR:

“Contact us” form

You can see a “contact us” form on our website, where we warn you that you give us the right to store and use information. According to GDPR, we have no right to store personal data until the client submits it. The data goes directly to our CRM system, where it is stored. Only the recruiters who need to process the data have access to it. We do not share the data with anyone else.

Job advert

The advertisement’s author has to clarify in the text such details as:

a statement that the individual is giving their consent for their data to be collected and used for recruitment purposes if they apply;
the name, phone number, or other contact details of the hiring organization (in the case of recruiting agencies, there may be the agency’s name and contact info instead).

Interview

The main rule of GDPR is that personal data must be collected only for specific and legitimate purposes. This means that recruiters can’t ask job seekers for more information than they need to determine if job seekers are qualified for the position. For example, a recruiter should not ask for an applicant’s date of birth unless it’s necessary to check that the person is of legal working age.

Retention periods

Under the law, personal data must be kept for no longer than is necessary for the purposes it was collected. Recruiters have nearly 30 days to contact job seekers after receiving their applications to let them know if they’ve been selected for the next step. If there is no intention to get the job seeker, the legitimacy of collecting the data no longer exists, and the job seeker can ask for their data to be deleted.

“A candidate has the right to know what is going on with their data. So we notify them that we’ve received their application, we tell them what the next steps are, and ask their permission to share the CV with employers if we find them suitable for the position,” said Kateryna.

Destruction

When data is no longer necessary, it must be destroyed to ensure it can’t be recovered or reused. This could mean shredding paper records or permanently deleting digital files. For example, if job seekers’ data is stored on a laptop that will be sold, the data must be wiped from the device before it is handed over to the new owner.

The bottom line

When working with recruiters as a client, you should always check that they are GDPR compliant. Complying with the law is not only a legal obligation but also the right thing to do to protect people’s privacy. StaffingPartner takes data protection seriously, so drop us a message if you need help with recruiting under GDPR.