The European Union General Data Protection Regulation (GDPR) – What you need to know about how this new data privacy and data protection law impacts recruiting and candidate information.
Please note that this document highlights key aspects of the GDPR and how they may impact your use of ApplicantStack. We are not providing a legal interpretation of the regulation or legal advice. For further information, please refer to https://www.eugdpr.org or contact your compliance/legal department.
What is GDPR?
- The EU General Data Protection Regulation (GDPR) will replace the Data Protection Directive 95/46/EC. It was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organizations across the region approach data privacy. The new law aims to strengthen people’s rights to privacy and to protect their personal data.
When is the effective date?
- Effective May 25, 2018
Who does the GDPR affect?
- The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What constitutes personal data?
- Any information related to a natural person or ‘Data Subject’ (candidates), that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
What is the difference between a data processor (ApplicantStack) and a data controller (employers)?
- A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity that processes personal data on behalf of the controller. ApplicantStack is the data processor because it processes candidate data on behalf of your company. Data processors often have “sub-processors” (for example, a cloud platform that ApplicantStack uses).
What is “The Right to be Forgotten” and what can I do?
- People have the “right to be forgotten.” The right to be forgotten, also referred to as the right to erasure, is discussed in Article 17. According to the law, controllers must erase personal data (1) upon the request of the data subject to which it pertains; or (2) when “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.” As the data controller, it is up to you to decide the point in the application/hiring process at which you no longer have a legitimate interest in retaining a candidate’s personal data, and such determinations will depend on your company’s specific processes and practices.
- You can currently delete any candidate data by using the candidate filters at the top of the candidate view table and deleting the record(s). This will remove all the personal data for that candidate which was collected in your ApplicantStack account.
What is the “Enhanced Rights to Notice and Access” and what can I do?
- Pursuant to Article 15, data subjects now have a more robust right to access their personal data that is being processed. Companies are required to provide a variety of details at the time data is requested (for example, when a candidate applies to a job), including why they are requesting certain information, how long it will be stored, and where it will be sent.
- Any administrator can add this text to their job board via the messages section, as well as in the instruction section at the top of any questionnaire.
- You can also add information to the job description outlining any process you have in place (if any).
- The GDPR significantly enhances people’s right to access their own personal data, and companies will need to provide this data to candidates upon request in an efficient and easy format.
- You can export any data record into a CSV file by selecting “Export Candidate” from the candidate record, which will satisfy the GDPR requirement of data portability set forth in Article 20.
What is “The Right to Object”?
- Article 21 of the GDPR grants data subjects an unequivocal right to object to their personal data being processed for direct marketing purposes and related profiling. People have a right to restrict their personal data from being used for direct marketing purposes.
Does the GDPR require ApplicantStack customers to obtain consent from job applicants to transfer their personal data from the EU to the US?
- No. Article 46 of the GDPR explicitly states that data transfer to the US is legal if the controller and processor have entered into standard contractual clauses adopted by the EU Commission.
Am I required to collect consent from every job applicant?
- No. Because collecting resumes and other relevant information is an entirely “legitimate interest” of a company that is evaluating candidates for employment, and applicants would indeed expect it, there is no need to obtain consent from individuals who apply to jobs.
- Article 6 of the GDPR states that “Processing shall be lawful only if and to the extent that at least one of the following applies:
  - the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  - processing is necessary for compliance with a legal obligation to which the controller is subject;
  - processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Can I still collect data from candidates?
- You can collect data as long as you collect only job-related data and intend to contact the candidates within 30 days (Article 5).
What do I need to do?
- You must have clear policies in place, disclose where you store candidate data (such as ApplicantStack), and state that you will use this data for recruitment purposes only.
- Make sure that all the information you collect via the job application is actually required for your recruiting process and adjust when necessary. Only ask for personal data if you need it and it is relevant.
- Make sure you are transparent about your intent to use candidates’ data and what you intend to do with it.
- Look at what you do with the data you collect in ApplicantStack. Do you print it? Email it? Share it?