General Data Protection Right aims to ensure a consistent and equivalent level of protection of rights and freedoms of people in regards to the free movement of their data within the single European market.
It becomes active from the 25th May 2018 which is the deadline for a two-year transitional period granted to companies to implement new requirements. From this moment, these companies might face fines up to EUR 20 million (or 4% of global turnover – whichever is greater).
It concerns not only companies based in Europe, but also those having clients or processing data from EU citizens. Let’s have a look at how it’s going to influence recruiters and recruitment agencies.
Candidates affected by the processing of personal data will have the following rights:
Right to information (Article 12)
A candidate has to know that you process his/her data. If they apply for a job they need to include a formula or note in their CV, otherwise, you’re not allowed to process it.
“I declare, that I agree to have my data, if it necessary, processed for recruitment process (according to the Act of personal data protection, dated 29 of August 1997, Dz. U. Nr 133 Poz. 883*).”
You’re also obliged to inform them about the goal of collecting their data – whether it’s for a particular recruitment process or future recruitment processes as well. If they agree to take part in a specific recruitment process, you need to cancel their data from your database when the process is finished. If they decide to take part in a particular process and future ones, you can keep their CV in your database. Also, you will have to ask for their permission to send them other job opportunities. You’re not allowed to presume that a candidate gives an implicit consent to process their data. In case there’s a leakage of data in your company, it’s lost or stolen you’re obliged to immediately inform this person as well as the supervisory authority for the respective country.
Right to access (Article 15)
A candidate, at any time, can ask you whether their data is being processed. If that’s so, then you’re obliged to provide them all the copies with their data, including the purposes of processing, the time of storage, origin, and transfer of data to an international organization or a third country. That’s why you’re obliged to trace this information. ATS (Applicant Tracking System) is very helpful here, as it allows to show the history of all applications and to justify that they were used for specific recruitment processes. Of course, we’re talking here only about applications of the candidates who agreed to be kept in our database for future recruitment as well.
Right to rectification (Article 16)
Article Continues Below
A candidate has right to change their data which is inaccurate. If you have an old CV and a candidate sends you an updated version you’re obliged to include the new one and delete the old one if a candidate asks you to do so.
Right to erasure / “Right to be forgotten” (Article 17)
A candidate has right to rectify their data. For example, if some time ago they agreed to be in your database, you reached them with a new job opportunity they have right to refuse it and to have their data removed from your database. In this case, you’re obliged to do so.
Of course, as a recruitment agency or any party which keeps personal data you’re obliged to secure them. You need to check who, in your company or outside it, has access to it and if they’re secure. You need to check if all the third parties with whom you cooperate act according to GDPR rules. Moreover, you need to keep a record of people authorized to process personal data, a register of personal data activities and their category as well as a registry of a personal data breach.
As you can see, there’s a lot do to before the 25th of May, so it’s important to take action. There’s plenty of information on the internet about it, and if you cooperate with European companies, it’s a good idea to ask them what actions they’ve already taken and what steps they’d advise you to undertake.
- Dz. U. Nr 133 Poz. 883 – you need to include this one when you apply for a job in Poland.