
GDPR and recruiting: the rights and obligations of recruiters and applicants

The new EU general data protection regulation (abbreviated “GDPR”) is approaching rapidly. For most, if not all, companies, this means changes need to be made to their way of working, because as soon as personal data are involved, any processing, transmission and/or storage must be in line with the new law. If your use of data violates the GDPR, you will be subject to heavy fines. In the event of a violation caused by recklessness, the company could be subject to a penalty in the amount of €20 million or 4% of the company’s turnover worldwide, whichever is higher. Negligence will entail a fine of €10 million or 2% of the company’s turnover.

An overview of the facts

The protection of natural persons’ personal data is central to the GDPR. These data comprise all information related to a natural person or information which identifies the person. Specifically, this refers to their name, ID numbers, location information and online usernames. Other data to be protected include a person’s physical, physiological, genetic, psychological, economic, cultural or social characteristics. If these data are to be processed, the person is to be informed in accordance with the GDPR. We’ll get to that in a bit.

The GDPR divides people into 3 groups

Each of the three groups either has the right to the protection of their personal data or the obligation to protect such data:

  • Data subjects
  • Data controllers
  • Data processors

Data subjects are natural persons who are entitled to protection of their personal data. In terms of recruiting, this refers to candidates who provide personal data during the application process.
The controller determines which personal data is needed and how it is to be used. This category includes recruiters and companies that determine which data is necessary for the recruiting process.
The processor processes the data according to the controller’s instructions. For example, it could be the provider of a recruiter management system, as it collects and processes the applicants’ personal data.

The 5 principles of the GDPR 

The GDPR is based on 5 principles which should improve the fairness and safety of using personal data.

  1. Transparency
    Data subjects must always know that their data is going to be processed. In other words, applicants should know which data is going to be processed and when.
  2. Purpose limitation
    The use of data may only be for the explicitly defined purpose and may only be stored for a limited time. Data collected during the application process shall only be used for this purpose.
  3. Data minimization
    Personal data must be limited to what is necessary in relation to the purposes for which it is processed. If certain information is irrelevant with regard to the application process, recruiters are not allowed to collect it in accordance with the GDPR.
  4. Accuracy
    When a controller has information, the controller must always ensure that it is up-to-date and accurate. This is the most difficult principle for recruiters. You will find out more in our whitepaper: GDPR & Recruiting, which is available in the download section and can be downloaded for free.
  5. Storage limitation
    The GDPR dictates that data can only be stored for a limited time, even if it does not specify for how long. This is another area that requires special attention from recruiters, particularly when talent pools are used.

“The challenges associated with recruiting or applicant tracking are less about a legitimate interest in data processing activities and more about ensuring a level of technological and organizational security that protects against risks.”

The GDPR does not set out specific technical or organizational measures (abbreviated “TOMs”). However, depending on the factors or purpose of data processing, it makes sense to implement the following measures, among others, to be able to ensure compliance with the GDPR:

  • Pseudonymization
  • Encryption
  • Ensuring confidentiality
  • Ensuring integrity
  • Ensuring availability
  • Ensuring system stability
  • etc.

Other measures that help you comply with the GDPR are available here: GDPR & Recruiting.

How can you make your recruiting process fit for the GDPR?

Proper planning is half the battle. In particular, it is advisable to appoint a data protection officer; it does not matter if this person is part of the company or a third party. Remember, you shouldn’t pick someone who has no idea about data protection and who will have to do a lot of reading up on the GDPR in addition to their other daily business activities. As with any project, it makes sense to create a schedule and a budget. Prioritize your goals. Then you can gather information on the status quo. This should give you valid information about, and answers to questions on, the current status of your company’s data security. You can also draw up the necessary documents, such as contracts, forms or agreements. On the one hand, this will help you prioritize goals and, on the other hand, you will save time when the GDPR actually enters into force on May 25, 2018.
