Each time your company needs a new hire, you instruct the company’s recruiter or HR specialist to prepare the vacancy and start the search for a perfect candidate. However, hiring EU-based talents takes extra effort. Each employee-to-be is worried about the line between their private life and their work results, and the GDPR (General Data Protection Regulation) is a powerful instrument and is used to limit the employer’s ability to turn the employees’ private life (strictly speaking, employees’ personal data aka information that identifies or helps identify the person) against them.
The GDPR imposes a number of obligations on the data controller (employers and recruiting agencies working in their independent capacity). Among them, the employer or recruiting agency must:
- decide on the purposes of collection and processing of personal data;
- choose a suitable legal basis for each purpose;
- define the procedure for obtaining the candidate’s consent;
- carry out necessary assessments;
- secure the transfer and processing of personal data in a controlled and safe manner;
- promise confidentiality; and
- inform the candidate on the processing of their personal data.
The last requirement is where the candidate can assess the level of respect and attention to the detail that the hiring entity has. The rule of first impression works here as well and applies not only to the recruiter’s personal traits and office’s decor, but the communication process itself. The candidate is expected to be honest with the employer. The employer (and his recruiting representative) should start with transparency and let them know how careful they are with their data, too.
- the employer’s (recruiter’s) identity and contact details;
- contacts points of the hiring entity’s data processing officer and (or) EU representative (if the hiring entity is registered outside the EU);
- purposes and legal bases of the processing, including the legitimate interests used by the hiring entity;
- sources of personal data (if collected not directly from the candidate);
- recipients of the personal data (for example, other recruiters or affiliate companies of the hiring entity);
- international transfer of personal data (including security measures);
- retention periods;
- candidate’s rights with respect to their personal data;
- existence and mechanism of automated decision-making.
The HR specialist must give the candidate an opportunity to carefully read the policy and ask questions, and only after the candidate is aware of the data processing practices, the recruiter can ask for their consent (for recording the interview, for example, or transfer of their personal data to the other entity or specialist, where necessary).
The HR specialist must know how to deal with the candidate’s data subject requests, too: explain to the candidate the reasons why the personal data cannot be deleted immediately after the interview, or how the candidate may rectify or object to the processing of their data.
However, you must refer to the national data protection and employment law to ensure that the policy comprises all necessary information. In case of doubt, it is better to address a data protection lawyer or your Data Protection Officer to ensure that the policy is encompassing all stages of the interview and is understandable for the potential candidate.