If you interpret the GDPR in a very strict sense, you can only keep candidate data as long as it serves the purpose you mentioned when making the purchase. As soon as this purpose ceases to apply, you are obliged to delete the data. However, it is up to you to decide how you formulate this goal. For example, if you specify that you keep candidate data “as long as a candidate is interested in positions in your company,” you have some leeway as to how long you can keep the data. In this case, you need to be able to prove that this candidate is actually interested in staying in your talent pool. Sometimes you have more than one great candidate for a role. If you can't hire them all, you may want to keep the ones you haven't hired for future roles. To stay GDPR compliant, you need to make sure that you don't keep this data longer than you originally mentioned to candidates. For example, if you told candidates in your funding email that you would keep their data for a year after they applied, you don't need to send them another email until that year has passed. Conversely, if you told candidates that you would keep their data until you filled out that particular position, you will need to inform them again that you want to keep the data you have collected. In 2011, Law 70 further simplified things with the specification regarding the possibility for the employer to obtain study programs without explicit declaration of consent to data processing, taking care to “provide the interested party, even orally, with brief information”.
Who owns it? hence the communication on the management of a candidate's personal data? Would you like to know the details of the processing of your personal data by PULSAR? Read the information clause What form or form should consent take – a signed document, an oral agreement? This is a good opportunity to make sure your talent database is up to date and relevant. Determine which candidates are well suited for future vacancies in your company and which are not: The issue of personal data and CV may seem complex, but in reality it is not and can be summarized in two essential points: So far, there is no seal for GDPR compliance. The Regulation provides for the possibility of official certification, which may be granted either by the national data protection authority or by a private data protection authority. The accreditation of such a seal has not yet taken place, as we are waiting for the accreditation criteria to be established. Is it allowed to share candidate data with my colleagues who will attend the interviews? If they ask you to delete their data, you must comply with it. Our hiring specialists can answer all your questions about the GDPR and the feasible GDPR Feature Pack. Request a free demo to learn how Workable's all-in-one recruitment software can protect candidate data while making your hiring process more efficient. As it is not absolutely necessary to do so, it is superfluous and very often also wrong (if you send a spontaneous application and you do not have information about how the company processes the personal data with which it comes into contact), is it advisable or not to include permission to process personal data in the CV? The GDPR covers personal data that your company has collected in the past. This means you'll need to review your talent databases, spreadsheets, and other files in which you store applicant data before the law goes into effect in May.
Note that if you wish to be considered for another position within the company, you must consent to the processing of your personal data in future recruitment processes: is it allowed to store the data of candidates actively obtained in an Excel spreadsheet? Your company should have a transparent privacy policy that explains how it collects, processes, and protects data, and gives data subjects instructions on how to ask your company to delete and correct their data. In addition to this privacy policy, it may be helpful for your company to have a privacy policy for recruitment. This notice is addressed directly to applicants and must contain all the information required by Articles 13 and 14 of the GDPR, as well as a recount of your company's measures to ensure data protection: In order to track passive candidates, can I store candidates' data in my ATS before receiving their consent? Strictly speaking, no. However, for the sake of pragmatism, you can assert a “legitimate” interest by contacting us and immediately obtain your consent to further data processing. They need to find a process to document their consent. For example, make sure you have a standard form signed by each of them, keep this form in your files, delete this data as soon as the candidate requests deletion, etc. Using a technology solution such as the SmartRecruiters Field Recruiting app supports your efforts to be compliant. Under the GDPR, an employer can also request the sending of a “private CV containing sensitive data identified in EU Regulation 2016/679 (General Data Protection Regulation – GDPR)”. “Take advantage of the fact that the receipt of a CV with authorisation is formally incorrect, since the processing of sensitive data cannot be carried out on the basis of pre-contractual measures in accordance with Article 9 of the GDPR (Article 6(1)(b)).
If you are not using a TTY, you should invest in an ATS before the GDPR comes into effect. Spreadsheets, which are the most common alternative to software vendors, can expose you to GDPR compliance risks because they provide poor audit trail, access controls, and version control. One of the main advantages of spreadsheets is also one of their main flaws, as they can be easily duplicated, modified and distributed without the owner's knowledge. And they are a tedious method of deleting and correcting data. The GDPR sets out obligations towards 1) data controllers or those who determine the purpose and means of processing the personal data of EU citizens, and 2) processors or those who process the personal data of EU citizens on behalf of controllers. If the database hosts candidate profiles, it is usually their responsibility, as they are the controller, to ensure that they are GDPR compliant and that they have obtained the necessary consent to share the candidate profiles with you. However, since you become a data controller once candidate profiles are duplicated in your systems, it is certainly advisable to check with your suppliers for their compliance efforts. So far, this is still allowed.
However, you must have a legitimate interest in contacting them, i.e. a job offer, and you must obtain their consent and inform them of how you are going to process the data. We encourage you to review the terms of use for these tools. By giving your consent, you further acknowledge that you may withdraw your consent electronically by sending an email to dataprivacy@hbreavis.com, clicking “unsubscribe” in any of our emails sent to you, or by sending a written request to our current address: Level 7 of 33 King William Street, London, EC4R 9AS, United Kingdom. You can revoke your consent before the end of the period you have given, i.e. at any time. The revocation of consent is without prejudice to the lawfulness of the processing of your personal data by us prior to the revocation. If you receive data from recruitment agency candidates, is a data processing agreement required between the recruitment agency and your own company? Can I ask candidates to renew their consent to the retention of their data? How specific should I be if I specify the purpose of obtaining and processing my candidate data in my privacy policy? When obtaining consent, do I have to explicitly state how I process the candidate's data? There are two ways to give applicants access to their own data: Please note: While Workable has consulted with lawyers both to create this guide and to update the features of our own products, Workable is not a law firm. All information in this guide is general information only. It is not intended to provide legal advice or to be the complete and complete explanation of the law, nor to meet your specific needs.
Organisations should seek independent legal advice on their own data protection provisions. The employer may not obtain consent to the processing of candidates' personal data, but must comply with a whole series of binding rules due to their legal provisions: when candidates fill in your application forms, they provide you with their personal data. Since the applications correspond to real job offers, you have a legitimate interest in processing this data and do not have to ask for your explicit consent. But to be fully GDPR compliant, make sure: Yes, you are. If you have consented to the storage and processing of your applicants' data and they have not expressly excluded you from contacting them, you can contact them to renew their consent to your data processing activities. For candidates you want to keep in your database, prepare an email to give them the necessary information. This email should be similar to the email you would send to candidates, as it should contain all the information about the data you have and where. These emails should also include links to your privacy policy.