Data protection and recruitment – what you need to know

From data processing to deletion, the GDPR provides clear rules for handling applicant data, establishing a binding framework for GDPR-compliant recruitment processes.

GDPR and data processing in recruitment

Since 25 May 2018, the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) have applied to the processing of personal data in the workplace, including during recruitment. Section 26 of the BDSG is particularly important, as it allows prospective employers to process personal data necessary for establishing, managing, or terminating an employment relationship.

The data requested makes a difference

HR departments are entitled to request information about educational and professional backgrounds, qualifications, certificates, and other relevant documentation. However, questions concerning health data, political affiliations, union memberships, marital status, or leisure activities are generally not permissible, as they are not necessary for hiring decisions.

In recent years, digitalisation and new online platforms have transformed recruitment processes. Companies now not only rely on information provided by applicants but also search professional social networks or contact previous employers. However, not all sources are permissible. Professional networks may be accessed, but private accounts are strictly off-limits. Additionally, creating a comprehensive personality profile from publicly available online data is explicitly prohibited.

Access restricted to authorised personnel

Not only is the scope of processable data limited, but so too is access to applicant data. Only individuals involved in the recruitment process and with decision-making authority should have access to application documents. This group must be clearly defined for each recruitment process.

In larger organisations, a compliance policy with binding rules for handling applicant data is essential. Confidentiality rules are valuable since many organisations store, duplicate, and distribute application documents internally. Implementing a duplication prohibition for application documents can help. Additionally, agreements can specify permissible interview questions and clarify which sources HR staff may use for research.

Obligations to inform about data processing

Regardless of internal policies, companies have direct obligations towards applicants. Employers must inform candidates, under Articles 13 and 14 of the GDPR, about how and why their data is processed and, where applicable, which external sources are used (e.g., social media, calls to former employers). Additionally, employers must inform candidates of their rights and identify the data controller.

For online application tools, this information can be embedded in a text field. For email applications, it can be included with the confirmation of receipt. Alternatively, the information can be provided via a link to the website’s privacy policy. Applicants submitting documents by post must also receive this information, either by mail or email. Automating this process is recommended to avoid violations. Applicants are not required to confirm receipt or acceptance of the privacy notice. The employer's responsibility is solely to provide the information.

Deletion obligations after recruitment

Companies should always remember the purpose of processing applicant data: filling a vacant position. If a candidate is rejected, the purpose for retaining their data ceases. Consequently, all data of the rejected candidate should be deleted or returned to them.

However, if a rejected applicant lodges a claim under the General Equal Treatment Act (AGG), companies may have a legitimate interest in retaining the data for a short period. Unfortunately, data protection authorities have not yet provided uniform guidance on appropriate retention periods. Recommendations range from three to six months. Under no circumstances should data be retained for longer than six months. The deletion period begins when the recruitment process concludes, typically when the position is filled. Given the importance of deletion, automating this process with a defined deletion policy is highly recommended.
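As an added example that is not part of the original article, the following Python retention check implements the deletion rule described above: rejected applicants' data is due for deletion a configurable three to six months after the recruitment process concludes, never later than six months, with the explicit-consent exception mentioned in the key points below. The record fields, the 30-day month conversion and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention window after the recruitment process concludes. The article reports
# recommendations of three to six months and a hard ceiling of six months;
# expressing these as 90/180 days is an assumption for this example.
DEFAULT_RETENTION_DAYS = 90
MAX_RETENTION_DAYS = 180


@dataclass
class ApplicantRecord:
    applicant_id: str
    hired: bool
    process_concluded_on: Optional[date]       # None while the vacancy is still open
    consent_to_longer_retention: bool = False  # explicit consent given by the applicant


def deletion_due_date(record: ApplicantRecord,
                      retention_days: int = DEFAULT_RETENTION_DAYS) -> Optional[date]:
    """Date on which the record must be deleted, or None if this policy does not apply."""
    if record.hired:
        return None  # data passes into the employment relationship, outside this policy
    if record.process_concluded_on is None:
        return None  # process still running: the purpose (filling the position) persists
    if record.consent_to_longer_retention:
        return None  # explicit consent allows longer retention under a separate policy
    # A misconfigured retention period must never exceed the six-month ceiling.
    days = min(max(retention_days, 0), MAX_RETENTION_DAYS)
    return record.process_concluded_on + timedelta(days=days)


def records_due_for_deletion(records, today: date,
                             retention_days: int = DEFAULT_RETENTION_DAYS):
    """Applicant IDs whose deletion date has been reached on `today`."""
    due = []
    for record in records:
        deadline = deletion_due_date(record, retention_days)
        if deadline is not None and deadline <= today:
            due.append(record.applicant_id)
    return due


# Constructed sample data: three rejected applicants, one hire and one open process.
SAMPLE_RECORDS = [
    ApplicantRecord("A-1", hired=False, process_concluded_on=date(2024, 3, 1)),
    ApplicantRecord("A-2", hired=False, process_concluded_on=date(2024, 7, 15)),
    ApplicantRecord("A-3", hired=False, process_concluded_on=date(2024, 3, 1),
                    consent_to_longer_retention=True),
    ApplicantRecord("A-4", hired=True, process_concluded_on=date(2024, 3, 1)),
    ApplicantRecord("A-5", hired=False, process_concluded_on=None),
]
```

Running `records_due_for_deletion(SAMPLE_RECORDS, date(2024, 9, 1))` flags only `A-1`; a retention setting of 365 days is silently capped at 180.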

The solution: a secure content platform

To meet GDPR requirements technically, career sections on company websites should be encrypted according to the latest standards. For email applications, a digital, encrypted mailbox should be provided, and communication should also be conducted via encrypted email. A secure content platform can seamlessly meet these requirements and, ideally, also manage access permissions and automate data storage and deletion processes.

Key points at a glance

  • The processing of personal data begins as soon as an application is received and stored on a server. From that point, companies must inform applicants about data processing.

  • Applications sent to general email inboxes accessible by multiple employees pose a data protection risk. A dedicated email address or, better yet, an encrypted digital mailbox should be used.

  • If the website’s privacy policy does not specify how applicant data is handled, companies must fulfil their obligation to inform applicants after initial contact.

  • Applicant data must be deleted no later than six months after the recruitment process concludes. To retain data longer, companies need the applicant’s explicit consent.

  • To fully comply with GDPR requirements, encrypting the recruitment process is advisable, ideally through a secure content platform.

Image: PeopleImages.com – Yuri A/shutterstock.com