GDPR-compliant recruitment, or what to include in your resume?
GDPR changed a lot in data processing regulations, but these changes were absolutely necessary. Since May 25, 2018 – the moment the new regulations came into effect – HR departments have had to slightly change their recruitment policies. Check which of the changes directly affect you.
What personal data can be collected during recruitment under GDPR?
The GDPR requires personal data processing activities in accordance with the principle of adequacy. This means that during recruitment, you can collect those candidate data that are absolutely necessary for the recruitment process. The scope of such personal data is regulated by Article 22 of the Labor Code – these are:
- first and last name,
- parents’ names,
- date of birth,
- residence,
- education,
- previous employment history.
And nothing more. Only in justified cases the employer may request a certificate of no criminal record, if such mandate is provided by law. For example, in the case of recruitment of employees for the civil service.
Sometimes psychological tests are conducted in the further stages of recruitment. Their purpose is to determine a person’s predispositions, as well as the qualities that are crucial to the employer for a particular position. The employer is obliged to ask the person to make a statement, fill out a questionnaire or an aptitude test only if this does not violate their personal rights, and the information thus obtained is relevant to the establishment of cooperation. It must also inform the candidate of the purpose of the test and the nature of the questions. The candidate must also be informed of the name of the person who will analyze the test or questionnaire in question. After analyzing the test measuring the personality as a whole, the results should be made available to the person concerned. This person has the right to ultimately decide whether the given results can be provided to the person(s) who conduct the entire recruitment procedure. In the case of a test measuring only the employee’s abilities, such consent does not have to be obtained.
What clause should you include to confirm your consent to the processing of personal data in the recruitment process?
Any applicant sending their resume to a potential employer should include consent for the employer to process their data in the recruitment process. Such a clause may read as follows:
„I consent to the processing of my personal data by company X for the purpose of recruitment in accordance with Article 6(1)(a) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)”.
If you want to make your resume available to a particular company also for future recruitments, for reuse, you must also include an additional clause in the document that reads:
„I consent to the use of my resume in future recruitment processes organized by Company X.”
GDPR vs. photo included in resume
The catalog of data that is listed in the Labor Code does not include the candidate’s image. To legally obtain the candidate’s image, you need to obtain voluntary consent from the candidate, which will meet the general requirements of the GDPR in this regard.
Employers often set the inclusion of a photo in a resume as one of the key conditions to be met. It also happens that the system used in the recruitment process does not let a resume through without a photo attached. Since the new regulations came into force, this practice is against the law. The inability to submit a resume without a photo can be considered a sign of unfavorable treatment and discrimination.
How will employers store recruitment documents?
Recruitment documents (resumes, cover letters and letters of reference) may be reviewed and filtered by the employer in order to select candidates. However, the employer is obliged to maintain organizational, technical and physical measures to protect the personal data contained in such documents. Candidates’ personal data should be accessed only by persons authorized to do so. The documents must be duly protected, for example, by placing them in metal locked cabinets. If the candidate has not included an additional clause in the resume allowing the document to be reused in future recruitment processes, then such printed resumes should be effectively destroyed. And in the case of electronic circulation of documents, the employer is obliged to ensure their secure circulation, so that they reach only authorized personnel. Emails that contain personal information should be encrypted, while the password to decrypt the documents should be sent through another communication channel.