UNESCO Chair in Inter-cultural and Inter-religious Studies [627602]

University of Bucharest
UNESCO Chair in Inter-cultural and Inter-religious Studies
Intercultural Management

General Data Protection Regulation
(GDPR) in the Context of the Hiring
Process in Multinational Companies

COORDINATOR:
Prof. Univ. Dr. Constantin Stoenescu

STUDENT: [anonymized]

Contents

Introduction
Chapter I: Introduction to the General Data Protection Regulation (GDPR)
    Introduction
    Context of Enforcement
        European Convention of Human Rights (Art. 8)
        Data Protection Directive
        General Data Protection Regulation (GDPR)
    Key Concepts of GDPR
        Personal Data
        Data Processing
        Data Subject
        Data Controller
        Data Processor
Chapter II: GDPR Guidelines
    GDPR Principles
        Lawfulness, Fairness and Transparency
        Purpose Limitation
        Data Minimization
        Accuracy
        Storage Limitation
        Integrity and Confidentiality
    GDPR Rights of the Data Subjects
        The Right to be Informed
        Right of Access
        Right to Rectification
        Right to be Forgotten
        Right to Restriction of Processing
        Right to Data Portability
        Right to Object
    GDPR Infringement
        Introduction to GDPR Infringement
        Lower Level Fines
        Upper Level Fines
        Fine Issuing Criteria
Chapter III: GDPR in the Recruitment Branch
    Introduction to GDPR in Recruitment
    The Impact of GDPR in Recruitment
        Candidates as Data Subjects
        Employers as Data Controllers
        Recruitment Platforms as Data Processors
        Changes in Recruitment
    Candidates' Fundamental Rights
        Right to be Informed in Recruitment
        Right of Access in Recruitment
        Right to Rectification in Recruitment
        Right to Erasure or Right to be Forgotten in Recruitment
    GDPR Consent
    Legitimate Interest
    Active Sourcing of Candidates
        1) Searching for and finding prospective candidates (prospects)
        2) Contacting prospects that have been found
        3) Managing prospect relationships
    Processing Candidates outside the EU
Chapter IV: Practical Analysis
    The Influence of GDPR
    GDPR Consent
    Active Sourcing
    Candidates' Rights
Conclusion
Annexes
Bibliography

Introduction

If we take a close look at our everyday lives, we may notice that, from a technological point of view, we are living in an era where technology rules our lives. We wake up and check our phones, our messages, e-mails and social networks. We check for updates on how our acquaintances' lives are going, we let everyone know how our own lives are going, and in this way we end up spending precious hours of our lives using social media. Moreover, we sometimes refuse to go to shopping centres and walk from one store to another, and in the end we decide that it is much easier to click a few times and buy everything online. We share our contact details and even more private information, such as our credit card details. Even when we do decide to go to the store, we are approached by the staff, informed about their ongoing promotions, and we hand over our contact details just to take part in those promotions and to receive even more information later on via text messages, phone calls or e-mails. We visit various websites every day and let them know where we are and what type of device we use. We connect to the internet or turn on the TV and see news about events all over the world.

Another example: we want to learn something new, and we have access to so many apps and websites that offer free or paid courses and lessons. In exchange for that information, we may give up some of our personal details as well.

We buy smartphones, smart TVs and smart watches, and allow so many people to know everything about our lives, while at the same time we use these devices to find out about anything that goes on in the world. We can safely say that we live in a society where knowledge through technology is indispensable, because we always need to be up to date and aware of everything that goes on around us.

As we can see, technology is a part of us and it is difficult to go a day without using a device that gives us access to information. Another thing that can be noticed is that our link with the hi-tech world is, in fact, a trade. We receive access to all the details we need about anything, we make our own lives easier and more innovative, but in exchange we give away some of our personal information, such as our names, addresses, phone numbers, personal e-mails, credit card details, IP addresses, the types of devices we use, and so on. If we think this through, we make ourselves more vulnerable, because we never know who the people behind the servers holding our information are, and we have no idea what they might do with it without our approval.

All these examples prove that there was a critical need for protection, which explains why GDPR appeared. It is a law that protects not only the personal data that can be found on paper, but also all the information that others store about us digitally.

However, all the examples above are general and apply to everyday life. Moreover, we usually think about what happens to us, how we become vulnerable and how we must make sure that the organizations which store our data keep it safe.

This thesis shows the impact of GDPR from another angle and from a more specific branch. Its purpose is to exemplify the key aspects of GDPR and to show their impact in recruitment. People are not affected by recruitment daily, but there are times in their lives when they must find a job, so they enter a recruitment process, which leads to their personal data being stored and processed. The question now is: how vulnerable does personal data become from a recruitment point of view? The answer is quite simple. We apply for jobs on a company's website and automatically give it access to our data, which can be stored for a long time and accessed by, sometimes, numerous people. We create CVs and post them on job websites, which gives companies the opportunity to find and store our data. We create profiles on social networks like LinkedIn, which again gives companies the opportunity to find our data, store it and even use it. We use other publicly accessible websites and apps where we create profiles, so again we give recruiters the chance to find our data. As can be seen, everything happens online, and online data is difficult to erase, which makes our personal information very vulnerable. This is where GDPR steps in and makes sure that companies store our data safely and only when they are allowed to.

In order to be GDPR compliant, companies had to go through multiple changes to ensure their candidates' and employees' safety; therefore, this thesis is meant to analyse all these changes and to show the way companies decided to approach this issue.

As mentioned before, the General Data Protection Regulation affects organizations with a broad range of activities and it also affects different departments within those organizations; therefore it would be very difficult to cover all the areas that must deal with GDPR, so I decided to analyse the way it changes the approach of recruiters to the hiring process.

I thought of approaching this topic because I work in the recruitment department of a company, and the enforcement of this law changed my way of handling candidates and employees, so I must make sure that the way I organize my everyday activity and the way I manage the personal data I have access to is GDPR compliant. This is why this thesis is related not only to my personal activity, but to the general activity of companies which deal with GDPR. My aim is to see other approaches to GDPR as well.
In order to achieve my goals, I followed a simple structure, which is presented below.

The first chapter of the thesis is an introduction to GDPR. Its purpose is to show the context in which GDPR was adopted and to explain its key concepts. This is why the chapter is divided into three sub-chapters. The first deals with the context of enforcement, going through the laws that preceded GDPR: the European Convention on Human Rights and the Data Protection Directive, which led to the enforcement of the General Data Protection Regulation. These sub-chapters explain some of the strengths and weaknesses of those laws, showing the need for a new one that could also deal with technological development. The last sub-chapter presents a few key concepts that will be used later in the thesis: personal data, data processing, data subject, data controller and data processor. Explaining these concepts helps with the understanding of GDPR and the topics it approaches.

The second chapter is more in depth and is meant as a guideline to GDPR. It presents and explains its principles, the rights of the data subjects and the risk of GDPR infringement.

The first sub-chapter, GDPR principles, shows the rules that set the limits of the regulation. This is the basis upon which all companies structured their data policies, and it is meant to be a guideline for everyone who wants to be GDPR compliant. In this sub-chapter I discuss principles such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality.

I believe that the core of GDPR is the data subject, whom it is meant to protect; therefore, in the second sub-chapter I present and explain the rights of the data subjects. It is important to know what their rights are in order to find ways to protect them. In this sub-chapter I discuss the following rights: the right to be informed, the right of access, the right to rectification, the right to be forgotten, the right to restriction of processing, the right to data portability and the right to object.

The third major issue analysed in the second chapter of the thesis is the infringement of GDPR. It has been one year since the regulation became applicable, but the fines that have already been issued are enormous, which shows that GDPR is a strict law and that all companies must be very careful when processing data subjects' personal information, because the punishment can be harsh. In this sub-chapter I present what the punishment is for not being GDPR compliant and give a few examples of well-known companies which dealt with the infringement of GDPR.

The third chapter is no longer a general one. It is more specific and presents GDPR from the perspective of the recruitment area. It shows the impact of GDPR in recruitment and links the key principles and rights mentioned above with their meaning in recruitment. I believe it is mandatory to explain these links because they are the key to understanding the way recruitment functions. Following the explanation of the principles, I discuss specific activities in recruitment, activities that dominate the everyday work of recruiters: obtaining GDPR consent, active sourcing and legitimate interest in recruitment.

The fourth and last chapter of the thesis is the practical analysis. For this part I used the interview method: I asked different people who work in recruitment about their everyday activities and about the way they deal with GDPR. The aim was to see how the regulation affected their activity and what they do in the different situations that might complicate the recruitment process. The interview focused on the rights of the candidates, GDPR consent and active sourcing.

All in all, this thesis focuses on the changes that came with the enforcement of GDPR and shows them from the perspective of recruitment. In order to achieve my goal, I started from a more general topic, GDPR in any area in which it can apply, and ended with something more specific, GDPR in recruitment. By the end of the thesis, I will have analysed the changes that occurred in recruitment, as well as different approaches to the issues that might arise.

Chapter I:
Introduction to the General Data Protection Regulation
(GDPR)

Introduction

The first chapter of this thesis serves as an introduction to GDPR and has the purpose of explaining the reasoning behind this regulation, as well as its importance and applicability in multiple areas. In order to give all the necessary information, this chapter is divided into two main sub-chapters.

The first sub-chapter refers to the context of enforcement. It serves as a short history of GDPR and mentions the laws that preceded it. It starts with the European Convention on Human Rights, continues with the Data Protection Directive and ends with the enforcement of the General Data Protection Regulation. It is important to mention all the steps that led to GDPR because they show how the previous laws dealt with people's rights from the point of view of their privacy and personal data. The rules were useful for the time when they were enforced, but unfortunately they all started to miss important details as soon as technology developed, people started having other needs, and their personal information needed more and more protection.

The second sub-chapter is an overview of the key concepts of GDPR. It gives basic definitions of the concepts most used in GDPR and in this paper: personal data, data processing, data subject, data controller and data processor. In order to understand the meaning of the regulation and the importance of the rules adopted in it, it is mandatory to understand the key concepts, which represent the core of the rules.

All this information is general and can be applied in any field of activity that interacts with GDPR. Its purpose is to offer a basis upon which the rest of the subject is built, because it is important to understand the reasoning of the general law before applying it to something as specific as the recruitment process in multinational companies.

Context of Enforcement

European Convention of Human Rights (Art. 8)

“Everyone has the right to respect for his private and family life, his home and his correspondence.”1 This is the provision that stands at the basis of the General Data Protection Regulation, and it states one of the most important human rights, namely the right to privacy. At first glance the statement seems broad and leaves room for interpretation, as several of the terms mentioned need to be defined properly. For example, what is private life? What defines family life, and what are its boundaries? The idea of private life refers to the fact that people have full control over the aspects that concern only their own identity, such as their personal interests, political, religious or sexual preferences, physical appearance, professional choices and background, and so on. Similarly, the right to respect for family life refers to the freedom people have when starting a family, moving in with someone, adopting children and so on. People also have the right to private conversations and correspondence. Generally, the state cannot interfere in such aspects, but there are boundaries that must also be taken into consideration. There are moments when the state can interfere in someone's private life, and these exceptions, set out in the second paragraph of the article, concern unlawful actions: cases in which the state must prevent crime or protect the economy, national security, health, or the rights of other people.
Data Protection Directive

Although Article 8 of the European Convention on Human Rights promised to respect and protect people's private lives, it could not keep up with one aspect that endangered personal information, namely the evolution of technology. The emerging internet gave people access to a large pool of information, but the cost was the use of personal data. At that time the internet was in its infancy and the threat of illegal use of personal data was not yet so big, but even so, in 1995 the European Union adopted the Data Protection Directive, also known as Directive 95/46/EC.

1 European Convention on Human Rights, Art. 8 (1950)

The directive mentioned above is built on seven principles meant to protect the personal information collected, or the information that might circulate. It states that individuals must be informed whenever their personal data is collected. Moreover, they must be informed about the entity that collects their data and about the reason why their personal information is stored. At the same time, information may be used only for the reason that was stated beforehand. To ensure people's safety, they must be assured that their information is protected from any abuse or illegal use. Moreover, they are allowed to view their processed data at any time and to correct any inaccurate information.

Even if these principles seem right, there is a serious issue that must be taken into consideration when talking about the Data Protection Directive, namely the nature of the law itself. As the name says, this law is a directive, and in the European Union this type of law is not directly applicable in all the Member States; it has to be transposed into national law.2

General Data Protection Regulation ( GDPR)

The principles adopted by the DPD are still valid and could be applied today as well, so we might wonder why there was a need to switch from the directive to GDPR.

First of all, the directive did not manage to achieve its goals, and the level of data protection was rather low. Some data processing activities could be allowed in some Member States but forbidden or unlawful in others. It proved difficult to align the level of protection across all EU countries.

Moreover, times changed and the internet is now highly developed. Many of the actions that used to take place “offline” now happen on the internet. People have access to social networks, where they share a large amount of personal information; online shops also grew significantly, and now it is easier to buy anything on the internet, users have access to shops all over the world, and so their personal information is shared over a much larger geographical area; banking also moved online, and people have the freedom and possibility to carry out various transactions from the comfort of their own homes. Also, company archives are no longer a large pile of paper: companies now store important data on private servers reachable over the internet.

2 P. Voigt, A. von dem Bussche, 2017, p. 2

All the changes that occurred in the digital area called for a more controlled environment and better management of the information present online; therefore the Data Protection Directive needed to be upgraded and updated. This is why in January 2012 a proposal for GDPR was released, and four years later, in April 2016, it was adopted by the Council of the European Union and then by the European Parliament. In May 2016 it was published in the Official Journal of the European Union and so entered into force. Two years later, on 25 May 2018, the General Data Protection Regulation became applicable in all Member States of the European Union.3

Key Concepts of GDPR

In order to understand this new law, it is important to have a solid grasp of the key concepts the regulation is based upon. This is the only way all involved parties can understand their obligations and rights and become GDPR compliant.

Personal Data

The first concept that must be clarified is “personal data”, which refers to any information that might help an organization identify a person, directly or indirectly. This includes data such as name, date of birth, hometown, gender, ethnicity, religious beliefs, political beliefs, IP address, web cookies, banking details, phone number, photos or even pseudonyms.4 As can be seen, nearly any information that can be associated with one person can be considered personal data and must be processed carefully.

3 European Data Protection Supervisor. https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en
4 Schofield, J. “GDPR: How can I email data securely?”, The Guardian, Mar. 29, 2018. www.theguardian.com/technology/askjack/2018/mar/29/gdpr-email-data-protection-regulations-secure

Data Processing

Now that we have clarified what personal data is, we can move to the next concept, “data processing”. In order to understand the procedures that organizations must be careful about, we must know exactly what it means to process such information. According to GDPR, the processing of personal data covers a wide range of operations performed on the information held: collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, transmitting, erasing or even destroying personal data, whether this is done manually or by automated means.5

Data Subject

Data subjects are also part of GDPR: a data subject is any identified or identifiable natural person whose data is processed. Data subjects can be members of an organization, users of certain services or applications, or even simple visitors of websites.

Data controller

Another important party is the data controller, which is the natural or legal person (or other body) that holds personal data and decides why and how the information will be used.6 This is the party that takes responsibility when processing data and must make sure there is a lawful basis, such as the data subject's consent, before processing personal data. Controllers must also make sure that data subjects are aware of the information that is processed and of the way it is going to be used.

5 GDPR, Art. 4(2) https://gdpr-info.eu/art-4-gdpr/
6 GDPR, Art. 4(7) https://gdpr-info.eu/art-4-gdpr/

Data processor

A data processor, on the other hand, is a third party that processes personal data on behalf of a data controller.7 In this case we are usually not talking about the controller's own staff, but about service providers whose systems help the data controller store and process information. Examples of data processors are cloud hosting providers or e-mail service providers.

7 GDPR, Art. 4(8) https://gdpr-info.eu/art-4-gdpr/

Chapter II: GDPR Guidelines

The second chapter of the thesis was built as a guideline to the GDPR rules. Its purpose is to show the principles of the regulation, the rights of the data subjects and the consequences of infringing GDPR. This is the step that leads to a better understanding of how GDPR works in all the fields it affects, and it is also the base upon which GDPR in recruitment, the focus of this paper, is built. Therefore, in order to detail these aspects, the second chapter is divided into three main sub-chapters.

The first sub-chapter is about the principles that guide every company which wants to be GDPR compliant. It explains concepts such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality. Briefly, according to GDPR, companies must be transparent towards the data subjects. They must be honest and tell them all about the way their data is going to be processed. Moreover, they must only use the data for the purpose they stated. Whenever companies want to use someone's data for a different reason, they must inform the data subject and, where consent is the legal basis, ask for permission. It is forbidden at all times to use data in a way that the data subject was not informed about. Also, while processing personal information, companies must use only the data that is useful to them. They might have access to a lot of information, some of which is definitely not needed, so they must not use it in any way. Last but not least, companies must keep only the relevant data, and only for as long as necessary, and they must always make sure that the information they hold is correct.

The second sub-chapter goes even further and analyses the rights of the data subjects. As can already be seen, people whose data might be stored and processed are the main focus of GDPR; therefore they have a well-structured set of rights that they must be aware of. According to GDPR, data subjects have the following rights: the right to be informed, which means they must know everything about the way their data is going to be processed; the right of access, which gives people the possibility to see their personal data whenever they want, normally free of charge; the right to rectification, which allows data subjects to have their own data corrected so that it is always accurate; the right to be forgotten, which allows them to stop having their data stored or processed; the right to restriction of processing; the right to data portability, which gives them the opportunity to have their information moved from one controller to another; and the right to object.

The third sub-chapter offers information about the consequences of GDPR infringement. It is important to know how bad it is for companies not to be GDPR compliant, what happens to them, what fines they can get and what the criteria are when deciding how severe the punishment is going to be.

All in all, the second chapter of the thesis is a highly theoretical one and it deals with concepts that must be known both by data subjects and by the companies which deal with the regulation.

GDPR Principles

Just like the laws that preceded it, GDPR is based on a well-structured set of principles which are meant to set the limits of the regulation and to make it easier to understand and follow. They can be considered the core of the regulation because they are meant to ensure safe data protection practices. They can also be seen as a guideline, a set of fundamental rules that helps organizations make sure they are GDPR compliant at all times.

There are six principles that an organization must follow when collecting and processing personal data, and they can be found in Article 5 of the regulation, which also makes the controller responsible for demonstrating compliance with them (accountability).

Lawfulness, Fairness and Transparency

The first principle is Lawfulness, Fairness and Transparency, and it says the following: (personal data shall be) “processed lawfully, fairly and in a transparent manner in relation to individuals”8

This principle is rather obvious in meaning: organizations must make sure that any personal data is processed according to the law and that this is stated clearly, fairly and transparently to the data subject whose personal data is processed. Moreover, they must make sure that the information cannot and will not be processed, by anyone who has access to it, in an unlawful way. In addition, data controllers must take the fairness concept into consideration as well, which means that they should only use personal data in reasonable and justified ways. This aspect should not be a problem as long as the personal data is obtained in a just way and there is a valid legal basis for processing it, such as the data subject's consent. The last sentence brings us to the transparency concept, because transparency is the best way to inform the data subject about the reason why their information is processed. In order to be transparent, one must be honest and express one's purposes in an open manner which leaves no room for interpretation or doubt. As long as the data controller is honest about their purposes, data subjects can also take an informed decision regarding the processing of their personal data.9

For example, in order to be GDPR compliant, the data controller must tell the data subject exactly what personal data they store and process, and they must also explain why they process that information. They are not allowed by any means to lie or to use any other details than the ones they were given consent to process.

8 GDPR, Art. 5(1)(a) https://gdpr-info.eu/art-5-gdpr/

Purpose Limitation

The second principle is Purpose Limitation, and it states that:
“Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes”10

According to this principle, an organization can process data only as long as it has a purpose for it and for as long as it takes to achieve that purpose. It is not allowed to make use of personal information unless it informs the data subject of the purpose and, where consent is the legal basis, obtains it. Moreover, to make sure they are compliant from this point of view, organizations must also record the purpose as part of their documentation.

This principle also mentions “incompatibility”, which refers to the purpose for which data is processed. Organizations are not allowed to use personal information for purposes that are not compatible with the original ones unless they obtain explicit consent from the data subject. However, a few purposes are mentioned as generally compatible: archiving in the public interest and scientific, historical or statistical research. For any other change of purpose, organizations must make sure the new purpose is fair and does not break any laws. Additionally, it must not harm the integrity or safety of the people concerned in any way.

9 Information Commissioner's Office. ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/
10 GDPR, Art. 5(1)(b) gdpr-info.eu/art-5-gdpr/
Data Minimization

Regarding the third principle, it mentions that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”11
This principle comes with a great advantage, especially for data subjects, because organizations will be allowed to process only information that is relevant to their purpose. Again, the purpose must be specified and the data must only be collected until the goal is achieved. The problem that might arise here is about the “necessary data”. It is difficult to set generally applicable boundaries, so one must take into consideration the needs of the purpose at a specific time.
Let’s take for example the case of a person who is going to get hired in a new company. The new employer is allowed to ask only for the information that is necessary for the hiring process. They might be allowed to ask for proof of the previous jobs, or for diplomas or certifications that are relevant for the role, but they will not be allowed to ask the new employee to bring any other information that is not relevant for the purpose of the hiring process. For instance, for some jobs it’s necessary to bring a criminal record, but for others this document is not relevant. In this case, if a person gets hired in a company where a criminal record is not necessary, then the company is not allowed to ask for it. If they do, then this document will not be relevant and necessary for the given position and they will not be GDPR compliant, from this point of view.

11 GDPR (Art 5 (1)/c) gdpr-info.eu/art-5-gdpr/

Accuracy

The principle that describes accuracy when processing personal data states that personal data shall be:
“…accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”12
We can understand from this principle that any organization must track at all times the accuracy of the information they have. It is important for them, and for the owner of the information as well, to keep an up-to-date list of data. Moreover, the data subjects have the right to ask for the information organizations have and replace or delete data that is not relevant anymore.
A simple example of this principle is in relation with banks, who have significant information about their customers. At least once a year they ask for an updated list of information in order to update their own database. Nowadays, customers can update their own information themselves, simply by using applications that allow them to change data.

12 (Art 5 (1)/d) gdpr-info.eu/art-5-gdpr/

Storage Limitation

According to the General Data Protection Regulation, the fifth principle speaks about storage limitation and gives indications about the amount of time an organization is allowed to store personal data, as follows:
“Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject”13
This principle is in close relation with the purpose limitation principle. The data controller is allowed to process personal data only until the purpose is served. After that it is considered unnecessary and it must be erased. However, there is a question that might arise from this statement: how does an organization know that the stored data is not useful anymore? In my opinion, there is no clear answer to this dilemma and the solution depends on the industry and, of course, on the nature of the organization. For example, a social media website should process data only as long as a person is a user of the website. The moment they request to have their account deleted, it is clear that the purpose of the website has been accomplished and it is not necessary to store information anymore. At the same time, data can be stored by a bank only as long as a person is still a customer. As soon as they renounce the services they are offered by the bank, personal information must be erased.
It's important to keep personal data only for as long as it’s necessary, because this way we can reduce the risk of archiving irrelevant information that might be used incorrectly in the future and cause harm both for the organization and for the data subject.

13 (Art 5 (1)/e) gdpr-info.eu/art-5-gdpr/

Integrity and Confidentiality

The last, but not the least, principle refers to integrity and confidentiality and it is meant to protect by all means the security of the users. It mentions that
“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”14
In this case as well, the organization that processes data is responsible for the information they have. It is important for them to have appropriate methods that can assure the customer that their personal information is safe from any unlawful processing or damage. If the security system of an organization is not properly protected, real harm can be caused. Some examples of personal data abuse may refer to identity theft, fake credit card transactions, exposure of personal information to dangerous people and so on.

14 (Art 5 (1)/f) gdpr-info.eu/art-5-gdpr/

GDPR Rights of the Data Subjects

It has already been mentioned that GDPR can be seen as an upgrade of the previously presented laws and it is a result of the rapidly developing technology and the possibility of fast data circulation. In order to empower individuals and assure them that their personal information can be protected from any harm, even when using technology at its highest capacity, the European Union included a special section in the regulation, a section which informs all data subjects about the rights they have. Below, I will present the eight rights mentioned in the regulation that are meant to give data subjects control over the personal data that is processed.

The Right to be Informed

The right to be informed is one of the key concepts in GDPR as it can assure the data subject of the lawful and transparent processing of their data. This right is exemplified in articles 12, 13 and 14 and it covers topics such as the transparent communication with individuals regarding the identity of the organization and the means of obtaining and processing personal data.
In order to be GDPR compliant, it is important for the data controller to provide a list of necessary information for the data subject, information that will be listed below:
– “The identity of the data controller;
– Their contact details;
– What are the purposes of processing;
– Are Legitimate Interests being relied upon by the controller or third parties;
– Who the recipients of the data may be;
– If the data will be transferred outside the EU and how this is protected;
– How long will data be stored;
– How to exercise rights;
– The right to withdraw consent;
– The right to complain to the Supervisory Authority;
– Whether data is required for contractual purposes and the consequences of refusing;
– Whether profiling with legal effect exists;”15
It is also mentioned clearly that all this information must be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means.”16
If the data is collected from third party sources, the data controller must inform the individual about the source of the data and whether it is an open and easily accessible one. Moreover, anyone who processes personal data must provide this information within a month.
It is mandatory to communicate efficiently with data subjects because it will assure any organization a transparent and effective process that will reduce the risk of being reported and getting fines.

15 Global-Z, pg 46
16 GDPR, Art 12 (1) https://gdpr-info.eu/chapter-3/

Right to Access

The right to access is detailed in article 15 of GDPR and it mentions that any subject has the right to submit a request to the data controller and to be provided all the data that is stored about them.17 The request can be submitted in writing and the organization has one month to prepare this information. This right is important for data subjects because it helps them understand why their data is processed, how long it will be processed and, of course, whether the provided data is relevant or correct.
In order to understand this right in a better way, I will list below the information that must be provided to the individuals:
(a) “the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject”18

17 GDPR, Art 15 https://gdpr-info.eu/art-15-gdpr/
18 GDPR, Art 15 https://gdpr-info.eu/art-15-gdpr/

Right to Rectification

The right to rectification is debated in Article 16 and it goes hand in hand with the principle of accuracy:
“The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.”19
It has already been established that individuals have the right to see the personal data that is processed by an organization. The next step for them is to ask for a rectification in case their data is inaccurate. This way, misunderstandings and the wrong way of processing information can be avoided. In addition to that, people also have the right to provide supplementary statements or to erase information if needed.

19 Article 5(1)(d). https://gdpr-info.eu/art-5-gdpr/

Right to be Forgotten

This right is analyzed in Article 17 of GDPR and it mentions that:
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”20
It can be understood from this right that individuals who previously gave their consent to have their data processed can withdraw their consent at any time. However, this decision is not absolute and it doesn’t mean that the individual’s data can never be processed again. In case someone wants to collaborate with the organization again, then they have to give their consent once more. Additionally, data can also be erased if it’s no longer necessary, if it was processed unlawfully or if a law forces the organization to do so.

20 GDPR Art 17 https://gdpr-info.eu/art-17-gdpr/

Right to Restriction of Processing

The right to restriction of processing is debated in article 18 and it can be seen as an alternative to the right to be forgotten. The right to restricted processing refers to the fact that people can allow organizations to store their data, but they do not allow them to use it.21 Another way of restricting the processing of personal data is to allow organizations to use information only in some circumstances accepted by individuals. The reasons why people might not want to have their data processed anymore might be that the information is not accurate and it must be verified first, that the data had been processed unlawfully before, or that the data is not necessary anymore but it must be archived for legal purposes.

21 GDPR Art 18 https://gdpr-info.eu/art-18-gdpr/

Right to Data Portability

The right to Data Portability refers to any data subject who might want to have their personal data used by other controllers as well. This right is mentioned in Article 20:
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”22
From this paragraph it can be understood that any personal data can be obtained from a controller and it can be used by the data subject for their own purposes. They can transfer the data from one controller to another as long as they had given their consent to have their data used before.

22 GDPR Art 20 https://gdpr-info.eu/art-20-gdpr/

Right to Object

Article 21 is about people’s right to object, and it refers to the data subject’s possibility to object to the processing of their personal data, which would force any organization to stop doing so, unless they find a legal ground to continue.23 Moreover, data controllers must inform individuals of their right to object at any time.
However, there is a circumstance in which the right to object cannot be contested. This right automatically applies in direct marketing because the organizations must stop processing people’s personal data as soon as they are asked to. They cannot refuse to do so. “However, this does not automatically mean that you need to erase the individual’s personal data, and in most cases it will be preferable to suppress their details. Suppression involves retaining just enough information about them to ensure that their preference not to receive direct marketing is respected in future.”24

23 GDPR Art 21 https://gdpr-info.eu/art-21-gdpr/

GDPR Infringement

Introduction to GDPR Infringement

GDPR came into force one year ago and since then companies have tried as hard as they could to become GDPR compliant; however, the whole process did not go as well as planned because obeying the rules 100% is not as simple as it seems to be.
Since the beginning of 2019, the European Commission has published on its website two infographics about the evolution of GDPR during the past year.25 The first one came out in January 201926 and the second one in May 201927, during the anniversary of the regulation. Both infographics contain information regarding people’s awareness about GDPR, as well as complaints, fines and breach notifications.
If we take a close look at the statistics that the EU Commission published, we can notice that in only 4 months the number of queries, complaints and breach notifications increased alarmingly. According to this infographic, by January 2019 there were 95 180 complaints from individuals who believed their data were violated. In May, however, the numbers were much larger and registered 144 376 complaints and queries. However, there is one piece of information that did not change in any of the reports, namely the reason for the complaints. Most of them were registered by people who had their personal data used by telemarketing companies, for promotion through e-mail or by video surveillance.
Another example of irregularities regarding GDPR is the breach notifications. The EU Commission explains that whenever the personal data of people are accidentally or unlawfully disclosed, companies are required to report this to their national data protection authority within 72 hours. In January, 41 502 breach notifications were registered and 4 months later the number doubled, meaning that 89 271 breach notifications were reported.

24 Information Commissioner’s Office. Right to Object https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/
25 europa.eu/dataprotection
26 https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf
27 https://ec.europa.eu/commission/sites/beta-political/files/infographic-gdpr_in_numbers_1.pdf
When it comes to fines, there were many companies that had to face the consequences of infringing the regulation. The most expensive fine mentioned in the infographic is the one that was issued to Google, which received a fine of 50 000 000 euros. According to BBC News28, Google was not compliant with GDPR because it was not as transparent as it should have been and it did not comply with users’ right to be informed. In this case, users were not informed about the reasons why their data were processed or how long their details were going to be used by Google. This allowed the company to juggle with the advertisements they showed to their users.
Ever since Google had this unpleasant experience, other fines were issued for companies which did not comply with GDPR. Facebook also infringed the regulation and did not protect the personal data of its users. The social network stored hundreds of millions of passwords in unencrypted form on servers that could be accessed by over 20 000 employees. The problem here is that the Facebook accounts of so many people could easily be hacked and users’ personal data could easily leak.29
However, the largest penalty under the privacy rule is faced by British Airways. In an article by CNN Business, it is mentioned that the airline’s “website failure compromised the personal details of roughly 500,000 customers.”30 The hackers could access information such as logins, payment cards, and travel booking details. £183.4 million is the fine the airline had to pay for its mistake. This amount of money represents 1.5% of its annual revenue.
All these examples show that GDPR infringement has serious consequences and companies are not always 100% compliant; moreover, if their security system is weak, personal data might be leaked and used in unlawful ways. The law regarding GDPR infringement is very strict and its only purpose is to make companies even more responsible and aware of the risks they take if they don’t follow the necessary steps to become compliant. For a better understanding of this concept, I will present below the legislation on infringement.
The most important aspect about unlawful behavior is that GDPR was created for all types of businesses. It doesn’t matter whether they are small or large companies, they will all face the consequences if they are not compliant. However, it is important to mention that fines are issued after analyzing a large set of criteria.

28 Fox C. BBC News, “Google hit with £44m GDPR fine over ads” https://www.bbc.com/news/technology-46944696
29 Hanbury M. Business Insider, “Facebook is looking down the barrel for a $2.2 billion fine for storing millions of passwords insecurely” https://www.businessinsider.com/facebook-faces-2-2-billion-fine-email-contacts-harvesting-ireland-data-protection-2019-4
30 Riley C. CNN Business, “British Airways faces $230 million fine. It would be a record under Europe’s tough data privacy law” https://edition.cnn.com/2019/07/08/tech/british-airways-gdpr-fine/index.html

Lower Level Fines

In Article 83(4), it is mentioned that less severe infringements can result in fines of 2% of the company’s total revenue in one year, which can be up to 10 000 000 euros. There are certain provisions that fall under the less severe penalty rule, namely:
• “Controllers and processors (articles 8, 11, 25-39, 42 and 43) — Organizations that collect and control data (controllers) and those that are contracted to process data (processors) must adhere to rules governing data protection, lawful basis for processing, and more. As an organization, these are the articles you need to read and adhere to;
• Certification bodies (articles 42 and 43) — Accredited bodies charged with certifying organizations must execute their evaluations and assessments without bias and via a transparent process;
• Monitoring bodies (article 41) — Bodies that have been designated to have the appropriate level of expertise must demonstrate independence and follow established procedure in handling complaints or reported infringements in an impartial and transparent manner.”31

31 GDPR.EU “What are GDPR Fines” https://gdpr.eu/fines/

Upper Level Fines

The upper level fines can charge companies with much larger amounts of money that can go up to 4% of their annual revenue and up to 20 000 000 euros.32 Companies who have to pay so much money are the ones that do not manage to protect their users’ personal data. Examples such as Google, Facebook and British Airways have already been mentioned above. All of them were charged according to the more severe law of infringement.

32 GDPR Art 83 (5). https://gdpr-info.eu/art-83-gdpr/

Fine Issuing Criteria

In order to establish the severity of the infringement, the state supervisory authorities must take into consideration a large list of criteria.
• Nature of infringement. This is the point where the authorities decide whether the infringement is a lower level one or an upper level one. They must see in which way the law was not followed, how many people were affected and how long it has been going on.
• Intention. There are times when companies become non-compliant by mistake. They were negligent or maybe their security system was compromised without their knowledge. However, there might be situations when people break the law intentionally; therefore, deciding whether it was done intentionally or not might be a key fact when deciding upon the fine.
• Mitigation. The infringement has already been done, so another aspect that is very important is the behavior of the company when they find out about their deed. It is important for them and for data subjects as well to try to mitigate the damage that has been done.
• Preventative measures. It is true that GDPR is still new to many of us and there are things that must be discovered and implemented. However, all companies had enough time to prepare for the regulation, which is why preventive measures must be checked before issuing the fine. Some companies had a better protection system than others, some were more prepared than others and this is what makes a difference.
• History. This point refers to the past behavior of the company. If they committed other infringements under GDPR, the fines might be higher than the ones companies get at their first mistake. This does not only include past fines under GDPR, but also warnings or bans.
• Cooperation. At this point, it is also mandatory for the companies to cooperate and try to rectify the damage that has been done.
• Data type. It was mentioned in the first chapter of the thesis that there are numerous types of personal data that can be stored and processed by companies. In this case, it is important to know what kind of data was used when infringing GDPR.
• Notification. As has already been mentioned before, whenever companies disclose personal data or infringe the law, they must report their infringement. However, sometimes these unlawful deeds are reported by third parties. In this case, it matters who reported the issue.
• Certification. All companies must be qualified and they must have approved certifications in order to be GDPR compliant. This is why codes of conduct and certifications are verified when deciding fines for GDPR infringement.
• Other. Other aggravating or mitigating factors may include the financial impact on the firm from the infringement.

Chapter III: GDPR in the Recruitment Branch

The third chapter of the thesis is about the way GDPR affects recruitment. It mentions the way in which recruitment changed and what recruiters must do in order to be GDPR compliant and offer their candidates a correct and transparent view of the whole recruitment process.
This chapter is divided into seven sub-chapters, each of them diving deeper into the topic of recruitment, showing the way GDPR applies in this branch. The first sub-chapter is an introduction to GDPR in recruitment. The second one mentions the impact of the regulation, while the third one deals with the changes that occurred when GDPR was enforced, while mentioning some of the key principles of the regulation. The fourth sub-chapter speaks about the fundamental rights of the candidates. The rights mentioned here are the ones that are the most relevant to the candidates, namely the right to be informed, the right to access, the right to rectification and the right to be forgotten. After explaining these fundamental rights, I decided to speak in the following sub-chapter about GDPR consent. It is mandatory for recruiters to have the consent of their candidates and this is why most of a recruiter’s activity revolves around consent. However, when this detail is missing, recruiters decide to act under legitimate interest, which is another concept that is used very often by recruiters. It allows them to source candidates and, even more importantly, it gives recruiters the right to contact candidates in order to ask for consent. This is why I spoke about legitimate interest in the sixth sub-chapter. The last one is about active sourcing of candidates. For a recruiter, active sourcing is the key to a successful hiring process, which is why recruitment would be nearly impossible without this step, especially in professional branches where job applicants are not enough for the jobs that are available in the market.
All in all, this chapter is meant to offer an overview of the way GDPR affects recruitment and how it can be applied in this area.

Introduction to GDPR in Recruitment

I mentioned in the previous chapters the importance of technology in our lives and explained why it was necessary to adopt a law that would help us protect our personal data, in a technological world that has access to too much of our personal information.
As can already be noticed from the second and the third chapters, the General Data Protection Regulation, issued in May 2018, is meant to guide companies through their process of strengthening their security regarding personal information, and it is also meant to protect people from having their data processed unlawfully, either intentionally or simply by mistake. The regulation is very well structured and it does not leave much room for interpretation, and not being GDPR compliant can bring severe consequences and high fines.
For users, GDPR is a great way of controlling the access to their personal details, giving them a feeling of security.
GDPR covers all types of businesses and it can be applied to everything, from random websites people access to banks or hospitals, since all of them hold our personal information within their private servers.

The impact of GDPR in Recruitment

GDPR changed the world of recruitment as well. In their day-to-day lives, recruiters process the data of hundreds of candidates every day. They have access to general details such as name, gender, address, phone number, e-mail, employment history or previous interview history. In some particular cases, they might also be able to see some more specific information, namely religion, sexual orientation, marital status or political affiliation. The last type of details should not be relevant to recruitment, yet they might be present in a company’s database. Now the question is, what do recruiters do with those details? Are they allowed to use them? How can they use them? How long can they be processed, and so on.
Before GDPR it was easier to source, contact and process the personal data of people in order to fill vacancies. As soon as GDPR was enforced, the whole way of doing recruitment changed. Companies had to adopt new rules for managing the information they possess, they had to think about new ways of approaching passive candidates and, overall, they had to pay more attention to details and protect their candidates’ data.
The first step in understanding GDPR for recruitment and the changes it imposed is associating the key concepts of the regulation with the items used in recruitment.

Candidates as Data Subjects

In recruitment, Data Subjects are the candidates themselves. They fall under this category because they share various personal details through their CVs. All CVs have information such as name, phone number, e-mail, physical address, job history, and sometimes they might even hold information such as previous salaries, salary expectations, gender, marital status or nationality. All in all, when opening the CV of a candidate, the recruiter can identify the candidate through many other channels, and the personal details they have access to could give them the opportunity to use this data in various unlawful ways. If we move even further and think about this category even deeper, we realize that employees and even the members of the recruitment department can be seen as Data Subjects. However, the context here is different and the processing of their personal data is different.
Employers as Data Controllers

It was mentioned in the second chapter that data controllers are the people who possess personal data and decide how the information will be used. In the context of recruitment, those people are the employers, or the recruiters. All job applications and the details of the sourced candidates can be accessed by recruiters. They are the ones who decide whether they can start a recruitment process with a certain candidate, what personal information they need and how they are going to use it. All in all, recruiters are responsible for the personal data they possess and they have the duty to protect their candidates’ data. Moreover, they are allowed to use them only in accordance with the GDPR rules.
Recruitment Platforms as Data Processors

A Data Processor was defined previously as a third party that processes personal data on behalf of a data controller. In the recruitment context, data processors can be software that helps recruiters process their candidate data, databases or even recruitment agencies. Data processors can be good proof of whether recruitment is done in a GDPR compliant manner or not; therefore, the software must always be up to date and it must always contain information that was previously agreed on.
Changes in Recruitment

Some of the changes that GDPR brought to every recruiter's activity are the following:
– Genuine interest in processing a candidate. According to Article 5 of GDPR, personal data can be collected only for "specified, explicit and legitimate purposes"; therefore, the personal data of candidates can only be collected for recruitment purposes. Moreover, the only information recruiters can collect is the information relevant to the process. Before GDPR, recruiters could create candidate pools merely to enrich their database. Those people were not contacted when their personal details were found, but they could have been contacted sometime in the future. This is no longer possible. Candidates' details must be collected and processed only if there is a genuine interest in them. If they end up in a company's database through active sourcing, they must be contacted within thirty days.
– GDPR consent. In order to process a candidate's personal data, recruiters must obtain their consent. This must be done explicitly, and candidates must also be informed about the ways of withdrawing their consent, whether they wish to stop interacting with the company forever or only for a limited period of time.
– Transparent processing of personal data. It is important that recruiters are transparent when talking to their candidates about the recruitment process and, most importantly, about the use of their personal data. Right from the first call, candidates must be informed about the personal data that is going to be used, about their rights, about the place where their details are going to be stored and about the purpose for which their personal details are kept in the database.

Candidates’ Fundamental Rights

GDPR sets out eight distinct rights for data subjects, namely:
– Right to be informed;
– Right to access;
– Right to rectification;
– Right to erasure, or right to be forgotten;
– Right to restriction of processing;
– Right to data portability;
– Right to object;
– Rights related to automated individual decision-making.
All these rights were described previously, in chapter two, and all of them apply in recruitment as well. However, some of them are more relevant and recruiters must manage them more often than others. This is why I will further discuss the most relevant of them.

Right to be Informed in Recruitment

The right to be informed is the most important one when starting a recruitment process with a new candidate, or when sourcing candidates. During the first interaction with them, or within thirty days after starting to process their data, recruiters must give them all the information regarding the processing of their data. First of all, data subjects must be informed that their personal details are going to be processed for recruitment purposes. They must also be told how recruiters obtained their personal details and what information recruiters hold about them. They must also be made aware of all the rights they have as candidates. Another detail that should not be forgotten is how long their personal data is going to be processed.

Right to Access in Recruitment

Similarly to any other area that deals with GDPR, the right to access is important in recruitment as well. All candidates have the right to access their data upon request. It is important to mention that they cannot be charged for requesting their personal data, and readable files must be sent to them within thirty days.

Right to Rectification in Recruitment

The right to rectification is closely linked to the right to access. As soon as data subjects see an error in the information a company holds, they have the right to have it rectified. Now we might wonder what errors people might find in a company's database. It can be a past salary that was mentioned to a recruiter, a job title, a past employer, the phone number, the e-mail address and so on. It is important for the recruitment department to keep its database clean and well structured. It must always be accurate and hold only relevant information about candidates.

Right to Erasure or Right to be Forgotten in Recruitment

As Article 17 of GDPR says, people have the right to have their personal details erased. In theory, any recruiter who receives such a request must stop processing the candidate's data and delete their personal details from every place where they were stored. This must also be done quickly, within thirty days at most. However, in practice things are more complicated, because there are times when personal details do not simply disappear forever. Let us take for example a candidate who was in the database and wanted to have their personal data erased. If it is simply deleted by one recruiter, another one, who did not know about the request, might try to reintroduce the person into the database. In this case, a way must be found to keep everyone informed about the people who revoked their consent for having their data processed.
There are other situations in which personal data must be deleted. Take for instance a person whose data was collected but never used: the recruiter did active sourcing, wanted to contact the candidate and changed their mind. In this case, the recruiter must erase the information that was introduced into the database.
Another situation is related to the purpose of storing personal information. Most of the time, a candidate's personal data is used during the recruitment process. If the process is a positive one, the candidate will become an employee and their details will still be used according to the GDPR principles. However, if the recruitment process ends with negative feedback, then the personal data of that person should not be stored anymore, because it will no longer be useful. Even so, most of the time recruiters choose to keep the data for future opportunities, when it will be necessary to use the information again. In this case, candidates must give their consent for this purpose.
Whenever a candidate wishes to be forgotten, recruiters must keep in mind that they must delete all the personal data belonging to that person and, moreover, that they are no longer allowed to contact them. However, how long are they forbidden from contacting candidates? Is it forever? The answer is "not necessarily". There are times when people are not interested in a certain company at all. In this case, they might never change their mind and will always block any contact with the company. Even so, there are candidates who might want to be forgotten only for a limited period of time. For example, if a candidate is rejected at an interview and gets hired somewhere else, they might want to be forgotten until they decide to change their job again. In this case, they must be the ones who contact the company and apply for a job. This way, they show that they give their consent to have their personal data stored during the new recruitment process.

GDPR Consent

Article 6 of GDPR, regarding the lawfulness of processing, states that one of the six legal grounds that allow the processing of personal data is that the data subject "has given consent to the processing of his or her personal data for one or more specific purposes".
Since GDPR compliance is very important in the recruitment field, obtaining candidates' consent is one of a recruiter's main duties. However, when thinking about consent, a few questions might arise:
– Does a recruiter have to obtain explicit consent from every candidate they interact with?
– Do job applicants count as people who have already given their consent?
– Can recruiters still source candidates actively?
– Do candidates automatically give consent if they post their CVs on websites or on social media like LinkedIn?
– Can recruiters still store candidates' data in their personal spreadsheets?
– How long does consent last?
– What happens to the GDPR consent after the recruitment process ends?
– What happens when a candidate withdraws their consent?
This subchapter will analyze all the aspects of GDPR consent while trying to answer all the questions above. However, in order to give proper answers to these questions, the first matter that must be discussed is the definition of consent itself.
According to the Cambridge Dictionary [33], consent simply means "permission or agreement". In the context of GDPR, it means that data subjects must agree to have their personal data processed by data controllers. In this case, data controllers must be transparent and inform the subjects about the information that is going to be processed, about the way it is going to be used and, most importantly, about the purpose for which processors need to use such information. It is mandatory for data processors to be genuine and inform people about all their rights, because being sincere helps people understand what is going to happen to their personal data and brings processors one step closer to being one hundred percent GDPR compliant.
If we go further and think about recruitment, GDPR consent is usually required in the context of the hiring process. Some of the most common personal information recruiters possess are:
– Name;
– Gender;
– Date of birth;
– Nationality;
– Contact details (phone number, physical address, zip code, e-mail address, links to certain social media platforms such as LinkedIn);
– Employment history;
– Previous salaries;
– Salary expectations.
However, there are times when recruiters hold some more personal data, such as:
– Sexual orientation;
– Political views;
– Marital status.

[33] https://dictionary.cambridge.org/dictionary/english/consent
The principle of data minimization was also discussed previously; according to it, data processors are allowed to keep only the information relevant to the purpose they serve. In this case, another question might arise: is all the personal data mentioned above necessary during a recruitment process? The answer is simple, and it is "no".
In countries like Romania, where labor law forbids companies from discriminating against people on the basis of their gender, political views, age or marital status, such information should not be processed. Therefore, unless this information happens to be in a CV anyway, a recruiter should never ask for it, because it would be unnecessary and therefore unlawful.
Therefore, after making sure that the candidate knows the purpose for which their data is processed, knows their rights and decides to agree to these terms, they must give their consent explicitly, in writing, so that it can serve as proof of the agreement.
However, there is a category of candidates that is exempt from giving their explicit consent: job applicants. As soon as someone applies for a job, it is obvious that they are interested in the company and in the job, and that they are aware that their CV will be stored and the information inside will be used by recruiters. Even so, when applying for a job, candidates should still be notified about the processing of their personal data.
To summarize, it is mandatory for recruiters to ask for permission to store and process their candidates' data. They must give people all the information they need about the way their personal details will be used. The only category of people who do not need to provide consent are job applicants.
However, processing candidates usually means adding them to a database and storing their CVs there. Now the question is the following: "How long can someone's personal data be stored?" The answer to this question should be simple. Recruiters can keep the data during the recruitment process; as soon as it ends, they should not keep it anymore. Even so, it is necessary for recruiters to build a strong database that could serve in the future as a source of candidates. In this case, if a recruiter still wants to keep the CVs in the database, they must follow one simple rule: they must ask for consent again. When first entering a recruitment process, candidates give their consent to have their data used for that particular recruitment process, because they are interested in being hired for a certain vacancy. If they are rejected the first time, they will most likely continue searching for a job and eventually get hired somewhere else, meaning that they would not be interested in changing jobs again for some time. In this case, it is mandatory that recruiters ask for consent for future opportunities. This procedure should be followed with all candidates at the end of the recruitment process.

Legitimate Interest

Legitimate interest is the second legal basis recruiters use very often in their relationship with the candidates. It is mentioned in Article 6(f) of GDPR, which states the following:
"Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (…)" [34]
According to this statement, personal data can be processed in a reasonable way as long as there is a legitimate reason behind it and the other rights of the subjects are not breached. The simple conclusion that can be drawn from this is that legitimate interest is a simpler alternative to obtaining consent. In practice, it would be easier to process candidates' data without asking for consent. For example, the case of candidates who might be kept in the database for future job opportunities was mentioned above. In this case, it would be easier to use legitimate interest as the basis for processing candidates' data over and over again, instead of re-requesting consent every time they end a recruitment process without being hired.

[34] GDPR Article 6 (8)
Nonetheless, legitimate interest should not be a way of escaping the obligation to request consent. In recruitment, it should be an ice breaker for trying to start a recruitment process with candidates. In order to illustrate my statement, I will list below a few relevant examples.
Example #1:
Legitimate interest should be the basis of active sourcing. In some recruitment areas, vacancies rely on active sourcing. However, because of GDPR, recruiters or sourcers must only contact people they have a legitimate interest in. As long as they can show that storing and processing a candidate's data will help them close a vacancy, it is acceptable for them to get in touch with that person. Even so, they cannot go on with the recruitment process without asking for consent afterwards.
Example #2:
The case of candidates who were unsuccessful during the recruitment process, and whose personal data recruiters wanted to keep in the database for future opportunities, was mentioned above. Here, again, legitimate interest should be the basis of keeping their personal data: a new vacancy might appear in a short time, and this way the recruiter can recontact the candidate from the past. However, keeping a candidate in the database without them knowing is not GDPR compliant. They should be notified about it and, moreover, they should be asked for consent.

Active Sourcing of Candidates

In an ideal labor market, vacancies are closed with candidates who apply for jobs through different channels, such as job boards, career websites, job fairs and so on. This way recruiters would know for sure that they are GDPR compliant, and they would not have to worry about approaching candidates and establishing a transparent relationship with them. However, in the real world things are different. There are professional branches with a shortage of labor, and there are roles that are not easy to fill for several objective reasons. In this case, the recruitment department must start sourcing candidates actively.
The purpose of active sourcing is finding the most suitable candidates for the open vacancies and, ideally, it should end with the hiring of those candidates.
According to a guide by Beamery [35], there are three steps of sourcing:
1) Searching for and finding prospective candidates (prospects).
In order to find new candidates, recruiters use various websites, recruitment tools and applications. For example, they may use job boards and websites (eJobs, Best Jobs, Hipo), social media like LinkedIn and other applications such as Amazing Hiring. All these channels represent a source of candidates for recruiters. Candidates upload their CVs there, or they create profiles on those websites, and recruiters use them to approach suitable candidates.
2) Contacting prospects that have been found
The need to contact candidates takes me to the second step of active sourcing, namely the act of getting in touch with them.
Before GDPR it was easier to do active sourcing. However, this process is more complicated now because of the need to obtain consent. If recruiters could approach only candidates who had already given their consent, then they could only process their applicants and sourcing would not be possible. However, as has been mentioned before, legitimate interest can be the basis of sourcing. The goal of closing the open vacancies can be the legitimate purpose for starting sourcing, and it reopens the doors to several categories of candidates, such as:
– Potential candidates who have not given their GDPR consent yet, but who can become suitable candidates;
– People who are not in the database of the company, but are present on various job boards or professional social networking websites.

[35] Beamery. "GDPR: The Complete Guide for Recruiting Teams." Beamery, beamery.com/academy/gdpr-for-recruiting-teams.
As has already been mentioned, legitimate interest is only the basis of active sourcing and recruiting. If a candidate's CV is on several job boards, for example, they might expect to be contacted by companies even if they did not apply for a certain job. However, it is possible that they do not want to be contacted by a certain company, which is why consent must be asked for before starting a recruitment process. Another challenge for recruiters is when they source candidates and find a profile that has not been updated for a long time. In this case, people might not even expect to be contacted, because their profile is no longer relevant. Here as well, they should be told where their CV was taken from, and they must give their consent before being asked for a more up-to-date CV.
There is also the challenge of LinkedIn. This platform is seen nowadays as a social media website for professionals. Having a profile there means completing it with information about one's career, skills or professional interests. Moreover, LinkedIn gives its users the opportunity to download their own profile in the format of a CV, which can easily be processed by companies during recruitment. People are on LinkedIn for various reasons: some of them might want a job, others might want to follow news from the business world, others might want to find business partners, and others might simply want to connect with other professionals or share their experience. The various ways of using LinkedIn do not automatically give recruiters the right to contact people who might be suitable for their roles and download their profiles. Many of them might not be open to new opportunities, which means that they do not expect to be contacted by recruiters. In this case, again, recruiters must make sure they ask for consent prior to processing their personal data.

3) Managing prospect relationships

The third step, according to the Beamery guide, is to manage relationships with the candidates. The purpose of this step is to find the best vacancies for them, to keep them interested during recruitment and to try to turn them into employees. Even if sourcing is the part of candidate selection in which recruiters try to find suitable candidates on different channels, this step is also linked to GDPR, and it is still part of a headhunter's daily job. Managing the relationship with the candidates also means respecting their rights in relation to the directive. It means that recruiters must monitor GDPR consent at all times, they must only keep relevant information in their database, they must correct the information if mistakes are made, they must give people the opportunity to check and correct their profiles themselves and, last but not least, they must inform people about their rights at all times. Keeping candidates informed means being one step closer to being completely compliant with GDPR.
Processing Candidates outside the EU

GDPR did not only affect EU citizens; it affected all organizations that deal with people from the EU, no matter where they are based.
Being GDPR compliant became a challenge for all companies that have offices all around the world and deal at some point with EU citizens. When it comes to recruitment, things are no different. According to the regulation, any company that processes candidates from the EU must obey the rules imposed by GDPR.
Let us take for example a company from the USA that wants to hire people from Romania. Romania is an EU country and its citizens comply with the rule every day. In this case, the company must do the same and follow the same steps when recruiting the Romanian candidate. They must ask for recruitment consent first, they must keep only the necessary data in the database, and they must give the candidate the possibility to check their data and to correct it if there is anything wrong. Moreover, the candidate is allowed to withdraw their consent at any point and can ask for their data to be deleted.
The rule goes the other way around as well. If a company that has an office in Romania wants to hire someone from Moldova, for example, the candidate's data must in this case be processed according to the GDPR rules.
To summarize, if either the candidate or the company is based in the EU, the processing must be GDPR compliant.

Chapter IV. Practical Analysis

The last chapter of this thesis represents the practical analysis, and it is meant to check the impact of GDPR in recruitment.
It can be noticed from the previous chapters that GDPR is seen by everyone as a stricter law that is meant to keep people and their information safe, in a world that has developed so much from a technological point of view. It affected all companies, no matter the field they belong to. However, this thesis is meant to deal with recruitment; therefore, the practical part of it involves interaction with professionals who work in recruitment.
The purpose of this interview is to find out what recruiters think about GDPR and how it influences their professional activities. It is known that the Data Protection Directive was in force before GDPR and, even if it was there to protect people's personal data, it was not as strict as the directive that is in force now. Moreover, the rapid changes in technology made it unable to keep up, and some of its provisions became outdated. This is why it was necessary to set a law that could apply to the present times.
Before GDPR, recruiters did their job differently, and they had to change their routine and their everyday activities while putting much effort into being GDPR compliant. In order to find out the way they used to work and the way GDPR impacted their lives, I decided to interview people who work within the recruitment department in multinational companies.
The reason why I chose the interview was that it gives a more personal touch to the study. It allowed me to talk freely to the interviewees and to find out more about their way of thinking and approaching the changes that occurred the previous year. The topics that were covered within the interview were related to:
– Changes that occurred along with GDPR;
– Candidates' rights;
– Changes in active sourcing and cold calling;
– Obtaining consent.

Another reason why I chose interviews is that I could personalize my questions depending on the answers I received from people. In order to have an explanation for all the topics I wanted to approach, I created two sets of questions: the standard questions that applied to everyone and the follow-up questions, which helped me clarify aspects that were not explained in the first place. Therefore, there are 19 base questions related to the influence of the directive, consent, sourcing and candidates' rights. Below, I will list the questions:
1) What is your occupation?
2) How long have you been doing it?
3) How was recruitment before GDPR?
4) What changed when GDPR was issued?
5) How do you ask for explicit GDPR consent?
6) How do you do active sourcing?
7) How do you ask for consent while doing cold calling?
8) What do you do when people revoke consent?
9) Do you ask for consent from job applicants?
10) What is the purpose for which you process personal data?
11) How long do you process personal data?
12) What kind of personal data do you process?
13) Do you share personal data with someone else? If yes, with whom?
14) What do you do after a recruitment process ends with negative feedback, in terms of GDPR?
15) Have candidates ever asked to see their personal data?
16) What do you do when people ask to see their data?
17) Does the company you work for have offices outside of Europe?
18) What happens to the European candidates who want to work in one of your offices outside of Europe?
19) Do you think your company is GDPR compliant?

When it comes to the additional questions, I must mention that they were asked spontaneously, according to the answers I received from the interviewees. I will also add them to the list, in order to have a clear view of the way the interviews went:
1) Have you encountered people who did not want to be in your database before GDPR?
2) How come candidates got lost in the database?
3) How did you react when people mentioned that they did not want to be in your database?
4) What happened with people who were irrelevant to your database?
5) How do you approach people on LinkedIn?
6) Do you always keep the most updated CV in your database? Or do you store all of them?
7) Do people always complete the GDPR form after the negative feedback of a recruitment process?
8) What do you do when people ignore it (the GDPR form)?
9) Have you done sourcing before GDPR? (question asked to a junior)
10) How much sourcing do you do and how often do you encounter GDPR?
11) Do you think it is okay to contact people who are in your database but have not given their consent?
12) Do you think asking for GDPR consent on the phone is time consuming?
13) Can you give me an example of statistics that are relevant for recruitment?
14) Don't you have any way of re-registering consent after a negative recruitment process?
15) Do you think the recruitment tools you use are GDPR compliant?
It is also important to note that I interviewed five people who have been working in recruitment for at least one year. Only one of them had not worked before GDPR.
The following step is analyzing the results. In order to have the best interpretation, I am going to analyze people's answers while categorizing the questions.
The Influence of GDPR

Firstly, I will comment upon the influence GDPR had upon the interviewees. The questions that helped me find answers on this topic are "How was recruitment before GDPR?" and "How is recruitment after GDPR?"

All respondents admitted that they were affected by GDPR. Before it, they felt that sourcing was easier because they could build candidate pools very easily. They could add people to the database only thinking that they could be useful one day. However, this is not possible now, as they must have people's consent before trying to keep them in the database. As the theory confirms, legitimate purpose should only be the basis of sourcing. It should give recruiters a reason to contact their newly found candidates. Unfortunately, they could not keep their data without contacting them. However, there was one respondent who did not feel much affected by GDPR, because their company has a large number of applicants. When it comes to people who apply, it is obvious that they are interested in the company as well as in changing jobs.
Another aspect they mentioned is that their companies prepared hard for the issuing of GDPR. Two of them mentioned that they went to intensive trainings that prepared them for the regulation and for the issues that were about to appear.
At the same time, the policies of the companies changed, the databases changed and some of them became cleaner and more organized, because irrelevant people got deleted from them automatically. By irrelevant people we mean people who do not fit the specifics of the company, people who had not been active for a long time and could not be found anywhere online, and people who retrained professionally.
Another change was the attitude of the candidates. One of the interviewees said that she noticed that the people they got into contact with were interested in the source where recruiters found their profiles; they wanted to know what information companies keep and for how long. Some of them took this chance to revoke their consent via phone or e-mail.
In conclusion, GDPR is a major change in the life of recruiters, and it took a long time to get used to it. Moreover, I believe that the change is not complete yet and there must still be things recruiters have to get used to, because technology is still evolving, people get into various situations that must be managed and rules can change at any time.
GDPR Consent

Consent is the pillar of GDPR. All companies must ask for consent and they cannot process
people’s data, without having it. In recruitment consent is al so mandatory. It is the detail tha t

made recruitment so much more difficult because there were old candidates in databases that could
not even be contacted because they did not give consent and because their data is not available
anywhere else. In order to be able to analyze this situatio n, I asked several questions about GDPR.
I asked how they obtained consent, if they re -asked for consent, what they did with people who
revoked consent.
First of all, it’s important to know how consent is obtained in rec ruitment. I noticed that 4 out of 5
people mentioned that they send e -mails with their privacy policy, where they ask possible
candidates if they can process their data with recruitment purposes. Some of them had to complete
boxes with certain messages, w hile other simply had to check the box that either gave or revoked
consent. After the form is completed, the answer automatically is registered into the company’s
database.
The only exception was the company which required candidates to sign a piece of pa per with their
company’s privacy po licy. In the last example there are several issues that I believe must be taken
care of. For example, what happens with candidates who do not come to interviews and do not get
the chance to sing the paper? In this case, c andidates are processed under legit imate interest, which,
I believe is a risky way for the long run.
When asked if they require consent from job applicants, they mentioned that the process they follow is automatic, which means they ask for consent via e-mail, but they don't ask for it during the first call. It is implied that job applicants are interested in changing their jobs and that they would like to join the company recruiters process their data for. This means that requiring consent is not mandatory for job applicants.
However, when the recruitment process ends, things change. If the candidates get hired, they must have already given their consent and their data will be processed differently. But if the process ended in a negative way, then according to the theory, recruiters must ask for consent again. Just because a person was interested in a company and in a job once, it doesn't mean they will be interested again. This is why it must be clear to everyone that it's okay to store and process candidates' data for future opportunities as well. Our interviewees ask for consent while sending the negative feedback. However, they don't have a way of re-registering consent. They leave comments or simply process their candidates' data under legitimate interest.

When consent is revoked, then, according to the theory, recruiters should delete the data from the database. All the interviewees mentioned that they reduce the data they store to the minimum and move those people to blacklists or to other lists that inform them that they cannot get in touch with the people who revoked consent. They could not delete the data completely, because another colleague might find the profile of the forbidden person and contact them, not knowing that they had just revoked access to it. This is how recruiters would get into more trouble.
Reducing data to a minimum gives recruiters the opportunity to inform their colleagues about the preference of the data subject and, most importantly, it can be seen as a way of identifying the forbidden candidates.
It can already be said that legitimate interest is their secret weapon and sometimes they might overuse it.
Active Sourcing

GDPR consent affected the processing of job applicants, but not as much as it affected the activity of sourcing. This action is vital to companies which don't have enough applicants. In Romania, for example, it can be said that there is a crisis in the labour force, and there are not many companies, nor fields, that can fill their vacancies just by processing the data of the people who apply. Most of them count on sourcing to fill their positions successfully. The problem is that GDPR does not allow them to contact people who were not found on job websites or other open platforms that are, at the same time, GDPR compliant.
As the interviewees mentioned as well, it is obvious that people who are active on job sites are interested in changing their careers and they expect to be contacted by companies. Despite that, it doesn't mean they want their data stored on the servers of all companies. They have the right to pick the companies they want to start a recruitment process with, which is why it is mandatory to ask for their consent.
LinkedIn, on the other hand, seems to be the most popular tool among the interviewees. This is where all professionals gather and their profiles look like CVs as well. This social network is the greatest source of candidates. Even if people are active there, it doesn't mean they expect to be contacted by recruiters. They might have other purposes for being active on LinkedIn. This is why people there should be asked for consent before proposing jobs to them. However, recruiters said that they usually do both things at the same time when messaging people on this platform. They mention GDPR and at the end of the message they add some vacancies. The reason why they ask this way is that it's faster to find out the intentions of the LinkedIn users. They can either revoke consent, give consent but reject jobs, or give consent and accept job opportunities as well. The ideal way of managing candidates on LinkedIn would be asking for their written consent first, then, after the answer is given, recruiters could propose jobs to them. Unfortunately, this way is very time consuming and time is vital to recruiters who want to fill their vacancies. Unluckily, people are not always active on this platform, which is why they could reply to the consent request today and to the job offer one week later, or even later than that.
Another way of sourcing is cold calling. In this case, recruiters and sourcers tell people about GDPR right at the beginning of the call. This is, in fact, a more efficient way of dealing with GDPR in a compliant way. It takes them a few seconds to ask for consent and then they can move forward and propose jobs to their potential candidates. At the same time, they can ask for written consent via e-mail or online forms.

Candidates' Rights

Rights are vital to candidates. This is how they know for sure that their data are protected and kept safe within the servers of the company. I tried to find out answers regarding the most important rights candidates have. I wanted to find out the purposes for which recruiters keep candidates' data, how long they do it and whether they allow people to see their data and to rectify it. Regarding people's right to be forgotten, I have already analyzed it in the GDPR Consent sub-section.
All recruiters process candidates' data for recruitment reasons and for statistics. When asked about the data they store, they mentioned candidates' CVs, their names, contact details, address, employment history, job interview history and feedback, salary expectations and previous salaries. I believe this is necessary information for recruitment. The details that should not be kept are more personal and sensitive. Recruiters should not keep information such as sexual orientation, political views, marital status, number of children, medical situation or other information about their families.
Another aspect is related to the period of time they process information for. Of the five interviewees, some mentioned that they keep data for an unlimited period of time. They only erase it if it is not relevant anymore or if consent was revoked. One of the interviewees said that they keep information for three years, but they only erase it after this time if the details are not relevant anymore.
The rights to information and rectification don't seem to be exercised much by candidates. As one of the interviewees mentioned, people asked for their details when GDPR was issued. Now, a year later, they don't seem to be as curious as they used to be. Other recruiters mentioned that they were barely ever asked for information. However, if candidates are curious about the data that are processed by companies, they can write to a special department which deals with this kind of issue. Only in one case did the company have a platform where candidates could see some of their data themselves. I believe it should be mandatory for candidates to ask about their data. They should make sure companies are up to date, that they are not misinformed and that they do not possess information that is illegal or uncomfortable for the candidates' privacy.
It can be considered a right that EU citizens' data should be treated according to GDPR wherever they might want to relocate and by any company they ever apply to. Luckily, all interviewees knew that no matter where they go, their company must be GDPR compliant when interacting with people from the EU.

The conclusion of this practical analysis is that companies have developed detailed privacy policies and they try hard to be GDPR compliant. However, it is not enough to write laws and rules. It is also important to hire and train people who will comply with them. One mistake made by employees can lead to a leak of data and unlawful processing of candidates. As for my interviewees, they are aware of GDPR and they try to be compliant at all times. However, I believe they rely a bit too much on legitimate interest, but unfortunately this happens because of the pressure that is put on them at all times.

Conclusion

The thesis above deals with GDPR and it was meant to show the influence it had from the perspective of recruitment. As could be seen, despite the fact that the regulation affects people and is meant to keep their personal data safe, while punishing those who don't respect the regulation, it also meant a big change for the companies, which had to upgrade their security systems and their way of working.
Therefore, this thesis started from a general topic, which is GDPR, and we saw how it affected all companies who deal with citizens of the EU. We saw that the previous laws were not efficient because they couldn't keep up with technological development and they did not have rules which protected people's data within the virtual environment. This is why GDPR appeared and it set a large pool of principles, rules and rights that had to be followed in order to keep everyone safe, because personal data are sensitive and the leak of any information about anyone could lead to disastrous outcomes.
For recruitment, GDPR means a complete change in the daily activities of recruiters. Now they have to take care of the rights of their candidates and they must only act in a way that is GDPR compliant. This is why we moved forward to the theoretical part of GDPR in recruitment. We linked the principles and rights of the candidates with the principles and rights mentioned in the general presentation of GDPR. It was mandatory to understand the way GDPR works and how it applies in recruitment.
The last part of the thesis was the practical analysis, for which I interviewed people who work in recruitment departments. I asked questions related to GDPR consent, active sourcing and the rights of the candidates. From the practical analysis, I noticed that GDPR truly was a challenge for recruiters, because they had to clean their databases and keep only people who were relevant to their field of activity, they always have to ask for explicit consent from their candidates and they must respect their rights. If there are requests from candidates regarding their own data, recruiters must obey them.
I believe that the biggest challenge for recruiters is GDPR consent. Sometimes they are pressured by the need of finding the perfect future employee for their role and they might postpone the request for GDPR consent. Let's take for example the e-mail and online message approach. Sometimes recruiters talk about their jobs and they mention consent only briefly. This is an issue and a way should be found to get consent before speaking about active vacancies. Unfortunately, the only way here is to emphasize the importance of consent. Candidates might not understand how much it means for the activity of a recruiter. Unfortunately, they think that it might just be enough to give verbal consent, but there must be proof that consent was given. The solution companies found was to send an e-mail that will be replied to by candidates, this way giving explicit consent. I believe recruiters should insist more when candidates postpone giving written consent.
Another key factor is transparency. I believe recruiters should be more transparent and even if they think they might bore their candidates while speaking about rules and rights, they must still do it. It's mandatory for candidates to know that they can see, access and rectify their data. They must know how their data is stored, for how long and what the purpose is.
In the end, I believe that being transparent and sincere is the key to having a good recruiter-candidate relationship, while being GDPR compliant as well.
From the answers I received, I realized that companies are not always GDPR compliant, despite the fact that their privacy policies are meant to be compliant. Employees working in recruitment have a direct impact on that. They must be honest and they must follow the rules first. Even if it's easier to hide under legitimate interest, this should not represent anything more than the basis for starting a recruitment process.

Annexes

INTERVIEWS

INTERVIEW NUMBER 1
1) What is your occupation?
I am a recruiter in an IT company.
2) How long have you been a recruiter?
I started working as a sourcer in 2015, when I graduated from college, and then I was promoted to recruiter. I have been a recruiter for three years, but I have done recruitment for almost 4 years.
3) Follow up comment: that means you experienced life with and without GDPR, right?
That's right. Life was much easier before GDPR.
4) How was the recruitment life before GDPR?
As I said, it was easier. In IT, sourcing is mandatory. You must do it if you want to have candidates, so before GDPR, it was easier to build a pool of candidates found online, on different websites. Using the database was also easier. For example, I could easily contact people who hadn't applied for our jobs. I had their contact details from previous encounters, and I could just call them or e-mail them.
5) Have you encountered people who did not want to be in your database before GDPR?
Yes, there were people who did not want to be contacted by us.
6) What did you do with them?
I did not erase them from the database, but we had a "comments" section in every candidate's card and I used to leave a comment there, saying that they did not want to be contacted by us ever again. This is how me and my colleagues knew that the candidate was not interested in our company. After a few months, let's say, they would get lost in the database and nobody could find them ever again.
7) How come the candidates got lost in the database?
When we search for candidates in the database, we scroll through pages. If a candidate's card is not updated or used for a long time, then it goes further and further and it ends up on the last pages of the database. Then, of course, nobody used the last pages of the database.
8) What changed when GDPR was issued?
I remember that it was crazy at first. The company I worked for got prepared long before May 2018. They prepared the database, they offered us trainings, to know what to expect, but even so, it was a major change for us. For a few weeks, we contacted thousands of people to inform them about GDPR and to ask for their consent. It was like spring cleanup. This is how we started sorting the candidates who wanted to keep in touch with us from the candidates who wanted to be left alone. We also eliminated irrelevant people from the database and kept only those who were relevant for our vacancies.
9) What happened to the people who revoked their consent?
Something similar to what happened before GDPR, when people did not want to be contacted. As far as I know, if someone, for example, doesn't want to have their data processed, they must have their data erased. So, we had to find a way to let everyone know that those people did not give us their consent. We could not go from one person to another and tell them, before we deleted their data, because they could forget or because some people left the company, while new members joined. This kind of action would have been pointless. So, we created a list, within the database, where we added all those people. We deleted most of their data, and kept only the essential ones, such as the name and the e-mail address. This way, we could identify them, if we randomly found them on job boards, for example.
10) What happened to people who were irrelevant?
They were automatically added to the same list, while reducing the data we own, to the
minimum.
11) Do you ask for GDPR consent from your applicants?
Yes, because we must have it written in the database. It's important.

12) How do you source now?
As I used to do before, but I am more careful now. I usually use LinkedIn, because I find it the most useful nowadays and I approach people there. I send friend requests to them, or I send InMails and I tell them there about our vacancies. I also search through the database and contact people who gave us their consent. I use job websites, too, and when I find someone relevant there, I call them or e-mail them and when we talk, I tell them where I found their CVs and I ask for their consent, before telling them about our vacancies.
13) How about the people you contact on linkedin? Do you tell them about GDPR first,
or about your vacancies?
I am usually in a hurry. I work with targets, and I must find candidates. I cannot afford to waste time on telling them about GDPR first. I mention it at the beginning of the e-mail, but I also include job descriptions in the same message. It's more efficient that way.
14) How do you proceed when you mention GDPR to them? Do you tell them all their rights yourself, or do you use a link to a privacy policy page?
I use a link to our website. As you said, there is a privacy policy page there.
I say something like: "Hello X, I am Andra, from the Y company. I found your profile while browsing on LinkedIn, and I am writing to you about our vacancies. I must mention that we use your LinkedIn profile for recruitment purposes only. You can find more details here. Regarding our vacancies, we have the following ones..." and then I tell them about our roles.
15) How do you mention GDPR while cold calling?
Similarly. I tell them who I am, where I found their profile and I tell them that I will use their GDPR profile for recruitment purposes only. Then I ask them if it's okay. If they say yes, then I tell them about our roles.

16) How do you obtain explicit GDPR consent?
We send an e-mail to them, where we tell them all about GDPR. Then, they have to complete a few boxes with their names and tick a box with the agreement or disagreement with GDPR. Then, we have in our database a GDPR section, and if they say yes, then we will be notified; if they say no, then their profile will automatically go on the list I told you about.
17) What kind of personal data do you process?
Their names, e-mail address, phone numbers, links to social networks if they provide any, CVs, nationality and the city where they live. I think that's it.
18) What is the reason why you process personal data?

In my department, we process data for the recruitment process and sometimes for statistics. The marketing department might use it as well, but I think they have other rules and databases.
19) How long do you keep personal data?
We keep personal data for an unlimited period of time.
20) Do you share your candidates' personal data with anyone else?
Yes, we share them with our managers and technical interviewers. Other than that, we share them with our customers, because we are an outsourcing company and we must provide the data to them, if the candidates get into the final steps of the recruitment process or if they are hired there.
21) What do you do after the recruitment process if the answer for the candidate is
negative, in terms of GDPR?
I tell them that we would like to keep their data for future opportunities and I ask them if it's okay. I do this in writing, while sending the negative feedback e-mail. If they say it's okay, then I print-screen the e-mail and add it to the database as proof.
22) Have candidates ever asked to see their personal data?
It hasn't happened to me since GDPR. They only asked what kind of data we store, but they did not ask to see them.
23) If they ask for it, what do you do?
I know we must show them and we must let them correct their data, if necessary. So, I give them the e-mail of the department which deals with GDPR. They will help them from there.
24) Does the company you work for have offices outside of Europe?
Yes, it does have offices all over the world.
25) What happens to the European candidates who want to work in one of your offices outside of Europe?
I don't know, because I have never dealt with this kind of situation, but as far as I remember, recruiters from there must comply with GDPR, if their candidates are European.
26) Do you think your company is GDPR compliant?
Maybe not 100%, because I think this is really difficult to achieve in recruitment, but it is mostly compliant. I think our candidates' data are safe with us.

INTERVIEW NUMBER 2
1) What is your occupation?
I am a recruiter.
2) How long have you been a recruiter?
I started working as a junior recruiter 5 years ago.
3) Follow up comment: that means you experienced life with and without GDPR, right?
Yes, I did.
4) How was the recruitment life before GDPR?
It was not much different. We had more freedom when processing candidates' data, but we still had to respect their decisions and wishes, if, for example, they wanted to have their data deleted or if they did not want us to keep certain information about them, such as their phone numbers, for example.
5) Have you encountered people who did not want to be in your database before GDPR?
Yes. Not many, but some of them wanted to be deleted.
6) What did you do with them?
We have a blacklist and we inserted them there. This way, if another colleague wanted to contact that person, they couldn't do this because they found the candidate on the blacklist.
7) What changed when GDPR was issued?
We deleted a lot of the old information we had in our database. I also remember that there were many e-mails notifying us about people who gave or revoked their consent. After that, we had to mention GDPR in every first call we had with people and we had to obey the GDPR rules.
8) What happened to the people who revoked their consent?
They were automatically sent to the blacklist.
9) What kind of data do you process?
We process all the information we find in people’s CVs, plus results of their previous
interviews if any.
10) Do you always keep the most updated CV, or do you keep them all?
We keep all of them, unless they ask us to delete any information.
11) Have candidates ever asked to see their data or to have them deleted?
Yes, they have, but they can access some of their personal data through a web portal we have. If they have ever been in a recruitment process with us, they can have an account and they can access some of the data, such as their names, contact details and job history. If they want to see any other details, they must contact us and we will provide the information to them. If they want to have their data deleted, they must also contact us.
12) What is the purpose why you process their data?
Recruitment, obviously.
13) How long do you keep personal data?
I know we keep it for three years. And if after that it’s irrelevant or consent is withdrawn, we
delete it.
14) Do you share your candidates' personal data with anyone else?
As a company, we don't share it with anyone else.
15) How do you ask for explicit GDPR consent?
We send a form online, and people complete it and tell us if they agree to have their data processed or not.
16) Do you ask for GDPR consent from your applicants?
The online form is sent automatically to anyone who ends up in our database, so yes.

17) How do you source now?
I only use apps and websites I trust. I use our national job websites, like E-Jobs and Hipo, and LinkedIn. But I always mention GDPR when talking to people.
18) How about the people you contact on LinkedIn? Do you tell them about GDPR first, or about your vacancies?
I think they expect to be contacted by recruiters on LinkedIn, especially when they become connected there, so I just tell them about our vacancies and at the same time, I send the GDPR form to them via e-mail.
19) How do you mention GDPR while cold calling?
I call them, I tell them why I called and I mention the website where I found their profile. I ask them if it's okay to continue the conversation and in the meantime, I send the e-mail with the form, of course. At the end of the call, I tell them again about the e-mail and I kindly ask them to complete it.
20) What do you do after the recruitment process if the answer for the candidate is negative, in terms of GDPR?
After giving the negative feedback, we resend the GDPR form, and start all over again with the consent issue.
21) Do they always complete the form after a negative feedback?
No, sometimes they wonder why they receive it again. Other times, they simply ignore it, because they know they completed it again. When I mention to them the reason why it was resent, they either complete it again, revoke their consent or ignore it.
22) What do you do about people who ignore it?
We keep them in the database for a while. It is mentioned in our privacy policy that we keep the data, if their CVs are relevant to us, to connect them with future opportunities.
23) Does the company you work for have offices outside of Europe?
Yes, it does have offices all over the world.
24) What happens to the European candidates who want to work in one of your offices outside of Europe?
They have their data processed according to GDPR, because they are EU citizens.
25) Do you think your company is GDPR compliant?
I think we are compliant. There might be tiny errors we recruiters make, but our privacy policy is done well.

INTERVIEW NUMBER 3
1) What is your occupation?
I am a recruitment sourcer.
2) How long have you been a recruitment sourcer?
One year and a few months.
3) Follow up question: Have you done sourcing before GDPR?
No, I joined the company soon after GDPR was issued.
4) How was it when you joined the company, in terms of GDPR?
I don't know what it was like before, but when I joined, everyone was going to trainings. We had trainers who taught us about GDPR and its importance.
5) How much sourcing do you do and how much do you encounter GDPR?
I do sourcing almost half of the working day. The other half, I schedule interviews or help my candidates with other issues. There are days when I only do sourcing or days when I only take care of the administrative part, even if I am a sourcer. However, I deal with GDPR all the time.
6) How do you do sourcing?
I use all kinds of tools and websites the company provided me access to. I use the database, job websites, LinkedIn, Amazing Hiring, Github. When I search in the database, I contact people who gave us their consent or people who are present on job websites. I tell those people about our jobs. If they are in the database but they are not on other websites, I mention GDPR first. When I contact them on LinkedIn, or job websites, I tell them about our jobs directly.
7) Do you think it's okay to contact people who are in your database but have not given their consent? After all, it means you process their data without them allowing you to.
I think it’s okay under the legitimate interest law. Also, the first thing I do is ask for their
consent.
8) How do you ask for their explicit consent?
We send an e-mail with our privacy policy and they choose whether they want to have their data processed or not.
9) Do you ask for consent from your applicants?
Yes, we ask for it through the e-mail we send, but when we have our first phone call, we do not ask for it.
10) How do you ask for consent while cold calling?
I call people, I introduce myself and I tell them where I found their profiles and then I tell them a bit about GDPR. I tell them we use their profiles for recruitment and I ask if they are still interested in talking to me. Most of them are, so I go forward and talk to them about jobs.
11) Do you think asking for GDPR consent on the phone is time consuming?
It can be, especially if people are in a hurry. But it's necessary.
12) What kind of data do you process?
What we find in their CVs, sometimes information they send via e-mail. Anyway, we keep their names, contact details, the city where they live, their employment history, information about their certifications, salary expectations.
13) How long do you keep personal data?
We keep them as long as they are relevant to us and to our vacancies. If people give us their consent, then, that's great, but if they just say neither yes nor no, then we keep it under legitimate interest until their profile is irrelevant to us, or until they revoke their consent.
14) What is the purpose why you process their data?
We process data when people are in a recruitment process, and when people are not in a recruitment process but their data is valuable for our future vacancies. In this case, I think we can say we only store it. We also process them when we do statistics that are relevant for recruitment.
15) Can you give me an example of statistics that are relevant for recruitment?
Yes, for example, we want to open a new project in our office in Bucharest, but we don't know if we can find candidates for that role. In order to find out if the project is "doable", we check the profiles we can find online or in our database and make statistics that will tell us whether there are enough specialists in Romania, or not.
16) Do you share personal data with anyone else?
If you mean with people outside of the company, then yes, we share it with our customers.
17) Have candidates ever asked to see their data or to have them deleted?
No, I think they know all the information is from their CVs.
18) If they ask for it, how can they access it?
There is an e -mail address they need to send a request to. But nobody has ever asked me
for it so far.
19) What do you do after the recruitment process if the answer for the candidate is negative, in terms of GDPR?
If I give the negative feedback via phone, I ask them if it's okay to keep in touch. If I tell them via e-mail, then I mention there that we might keep their data for future opportunities and I ask them if it's okay.
20) Don't you have any way of re-registering consent after a negative recruitment process?
Not really. If they give us their consent the first time, then it stays given. However, if they change their mind, they can simply tell us or re-complete the e-mail we sent initially.

21) Does the company you work for have offices outside of Europe?
Yes, it has offices in other countries as well.
22) What happens to the European candidates who want to work in one of your offices
outside of Europe?
I haven't worked with candidates who are not from Romania, or who want to work somewhere else, but they must be processed according to our law.
23) Do you think your company is GDPR compliant?
I think we try to be as compliant as we can... but I don't know for sure if everything is compliant.

INTERVIEW NUMBER 4
1) What is your occupation?
I am a sourcer in an IT company.
2) How long have you been a recruitment sourcer?
It’s been nearly two years. I started working as a sourcer in October 2017.
3) That means you did sourcing before and after GDPR. How was sourcing before
GDPR?
I think it was a bit easier because I did not have to worry so much about contacting people
and adding people into our database. Other than that, I think back then, their personal data
were as safe as they are now.
4) Could you just add anyone into your data base? Without e ven contacting them?
I have never added people into our database without contacting them. The reason why I added them into the database was to match them with our open roles. But, I admit I added people who applied for jobs, but did not fit the roles. I thought they might be relevant at some point.

5) What changed when GDPR was issued?
I remember that our team got ready for GDPR long before it was officially issued. When I joined, I was already advised to be careful when I do sourcing, when I collect personal information and of course, when I process it. However, starting with May 2018, I remember that we really started to take things more seriously. There was also a time when people asked us about GDPR on every occasion.
6) What kind of information did they ask for?
They asked where we got their data from, even if they had been to interviews before and knew we had their data. They also asked about the information we store and some of them even wanted to see themselves what we know about them.
7) What did you tell the people who wanted to see their data?
We have a special department which deals with GDPR. We gave people their e-mail and our colleagues from that department helped them.
8) What kind of personal data do you process?
We store and process their names, e-mail, phone numbers, sometimes their address, their
CVs with their previous jobs, their previous salaries and salary expectations, the results of
their previous employment in our company, if there is any, the results of their interviews
and some personal comments of ours about them.
9) How do you do sourcing?
We have recruiter licenses on LinkedIn and I use it very often. I even use Facebook
sometimes, because I am a member of different job groups and I search for people there,
and I post information about our roles. I use job boards, our internal database and a few
months ago I discovered Amazing Hiring, which is like Google for recruitment. I find people
using these means, I check if they are in our database and I contact them if everything is
okay. I either call them or I send e-mails to them.
10) Do you think the recruitment tools you use are GDPR compliant?
I think they are. On job websites, people post their CVs so they know they will be contacted
by recruitment teams. Amazing Hiring simply shows the profiles of people and public ways
of contacting them, but you cannot send messages through Amazing Hiring. And LinkedIn
can be used without any problems, especially if people activate the tag “open to new
opportunities”.
11) How do you ask for their explicit GDPR consent?
Via e-mail. We send it to candidates and they have two options: to give or to revoke
consent.
12) Do you ask for consent from your applicants?
Yes, we ask for it via the same e-mail I mentioned before.

13) How do you ask for consent while cold calling?
I tell them that I contacted them while sourcing on the website where they have their data
published and I tell them that I would like to know if they are interested in having their
data stored and processed for recruitment purposes. Verbal consent allows me to tell them
about our jobs. After that, I send them the e-mail.
14) Do you think asking for GDPR consent on the phone is time consuming?
Well... it’s easier to simply tell people about job offers without boring them on the phone.
But if we’ve got to do it, we just do it.
15) How long do you keep personal data?
I don’t think there is a time limit. We keep it for as long as they allow us to, or for as long
as we need it.
16) What is the purpose for which you process their data?
For recruitment purposes, either now or in the future.
17) Do you share personal data with anyone else?
Only with our customers.
18) What do you do after the recruitment process if the answer for the candidate is
negative, in terms of GDPR?
I have a feedback template I complete for them and it mentions GDPR at the end of it.

19) Does the company you work for have offices outside of Europe?
Yes, we do.

20) What happens to the European candidates who want to work in one of your offices
outside of Europe?
They are processed under the same law.
21) Do you think your company is GDPR compliant?
I think we are.

INTERVIEW NUMBER 5:
1) What is your occupation?
I work as a recruiter.
2) How long have you been a recruiter?
It’s been 4 years.
3) What was recruitment like before GDPR?
I don’t think it was so much different. It’s true that we did not have to worry so much
about adding people into our database and about finding out things about them, but we
have always respected their privacy. Now I just think there is a strict law that is meant to
make us more careful.

4) What changed when GDPR was issued?
We had to inform everyone about GDPR, we cleaned up our database and erased irrelevant
people, we started keeping the database really up to date and I think there is one interesting
thing we had to take care of. It says in our privacy policy that we store people’s data in our
internal database, so we were asked to erase people’s CVs, for example, from our computers
every day.
5) What kind of personal data do you process?
Everything that is helpful for our recruitment process and can be found in a CV. We process
only the data they offer us.
6) Can you give me an example of information you store?
Yes, we store their CVs with their cover letters, names, contact details, previous jobs, job
interests, address, nationality, specialization and salaries if available.

7) How do you do sourcing?
I don’t do much sourcing, because we don’t do volume recruitment. We only have a few
roles open. We have a few applicants, but when we do sourcing, we do it on LinkedIn and
job websites.
8) How do you ask for their explicit GDPR consent?
When people come to the first interview, we give them a piece of paper where they have
the privacy policy and they sign it.
9) Do you ask for consent from your applicants?
Not on the phone, but we give them the papers I told you about when they come to the
interview.
10) How long do you keep personal data?
Until they become irrelevant. And of course, we delete them when people revoke consent.
11) What is the purpose for which you process their data?
For recruitment purposes.
12) Do you share personal data with anyone else?
No.
13) What do you do after the recruitment process if the answer for the candidate is
negative, in terms of GDPR?
I don’t think we do anything specifically here. But we ask them if it’s ok to keep in touch.
However, if an employee resigns, we give them the GDPR paper to sign again.

14) Does the company you work for have offices outside of Europe?
Yes, but only in a few countries in Europe.
15) Do you think your company is GDPR compliant?
I think we are for the most part. Maybe we do some things wrong, but we are mostly
compliant.
