GDPR and data protection-compliant recruiting: 2 X 6 legal tips


The EU General Data Protection Regulation (GDPR) has been in effect since June 25, 2018. Anyone who violates it faces severe penalties. What do recruiters have to consider?

Written for you by:

Tobias Tiedgen is Managing Director of the Hamburg recruiting company d.vinci.


The GDPR in relation to HR

The General Data Protection Regulation covers all processing of personal data in companies. With the entry into force of the GDPR, recruiters are obliged to record all processing activities. With an applicant management system, all necessary processes can be automated and data can be stored and managed centrally in one place. In addition, data protection-compliant handling of all data becomes fully demonstrable.

Nevertheless, you must ensure the lawfulness of data processing through technical and organizational measures, design the technology in a data protection-friendly way, be able to assess the data protection consequences and report data protection violations. Use the checklist to find out whether you have thought of everything. When handling applicant data, six principles must be observed:

  1. Transparency: Data must be processed in a manner that is comprehensible to the data subject.
  2. Purpose limitation: Data from an application may only be used as part of the application process and must be deleted after its completion.
  3. Data minimization: Only data necessary for the purpose of the data collection, i.e. for the recruitment process and the candidate selection, may be collected.
  4. Accuracy: All data held must be correct and up to date at all times.
  5. Storage limitation: Data may only be stored for as long as necessary.
  6. Confidentiality: The security of personal data must be guaranteed. This includes protection against unauthorized or unlawful processing and against accidental loss, destruction or damage through appropriate technical and organizational measures.

1. Store data within the EU

Without a suitable IT system, compliance with the new legislation is hardly possible. Anyone who engages a provider should make sure that the provider and its subcontractors store the data in the EU, preferably in Germany. In addition, only the data necessary for providing the service should be transmitted. Check which service providers and which software (e.g. an applicant management system or a CRM system) process personal data. The data processing agreements should be adapted to the new provisions of the GDPR. It is best if the service provider supplies a new data processing agreement that you as a customer can simply accept and file.


Even better is if your supplier is ISO 27001 certified. This gives assurance that the business and legal requirements are met. Be aware of the scope of a certification, and verify that all processes of the vendor that processes your data are covered by it, not just the data center.

2. Have your privacy statement verified

From 25 May, applicants must be asked to accept the privacy policy. In an IT system this can be implemented by requiring candidates to actively consent to the privacy policy via a checkbox before submitting their application. The privacy policy must contain:

  • the reference to technical and organizational protection measures,
  • deletion periods,
  • the purpose of processing and
  • the reference to the use of cookies.

For the greatest possible transparency, I recommend resending the link to the privacy policy together with the confirmation of receipt. The easiest way to do this is via a correspondence template in the system.

But what about applications sent by e-mail? In that case, you should e-mail the prospective candidate in advance and ask them to transfer their data to the applicant management system.

Incidentally, consent to the privacy policy also applies to employee referrals: if these are not handled via a separate tool, an employee who submits a friend's application directly to the HR department must be able to prove that friend's consent. Otherwise, the HR department may not accept the documents.


3. Restrict viewing rights

Make sure that viewing rights for applicant data are always restricted. Applicant data may only be accessible to those who are involved in the application process, such as the HR administrator or the works council.

Anyone who leaves a shared drive open to others, leaves candidates' documents lying on their desk, or shares a calendar that lists job interviews by name with other colleagues discloses the identity of applicants and clearly violates data protection. If you use an applicant management system, you can control access to documents with a role and rights concept. But beware: never pass on login data!

4. Delete data

In future it must be demonstrable that data is deleted after a certain time. However, there is still no legally binding definition of these periods. For our customers, deletion after four to six months has proven itself. In any case, the data must be retained until the two-month period for a discrimination claim has expired, so that discrimination allegations can be refuted in case of doubt. An automated deletion period can easily be implemented in the system.

In addition, I recommend that recruiters include the reference to data deletion directly in the rejection letter in order to pre-empt queries from applicants.

5. Applicant pools must also be compliant

Candidates who do not fit the advertised position but may be eligible for another post at a later date may be placed in an applicant pool. The aim of applicant management is to support the application and selection process with IT and thereby make the work processes largely automated and efficient.


In detail, an applicant management system provides:

  • increased transparency for applicants, recruiters and departments
  • data entry by the applicant, and thus time savings and error prevention
  • shorter reaction times through standardized processes and reminders
  • documentation of the recruiting process
  • standardization of recruiting processes
  • improved candidate selection
  • optimization of recruiting channels
  • a reduction in recruiting costs
  • as well as a modern employer image inside and out.

But: the candidate must be asked in advance whether they explicitly agree to be included in the pool and thus to longer-term storage. In addition, they must be informed about the associated deletion deadlines.

It is advisable to use an automatic mechanism that reminds the HR department in good time to seek renewed consent for further storage in the pool. At the same time, it is also possible to ask whether the data is still up to date (principle: accuracy).
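As an added illustration of tips 4 and 5, not code from the article or from d.vinci, here is a small retention scheduler in Python: it decides which closed applications are due for deletion (never before the claim window has passed, and not while valid pool consent exists) and which pooled candidates must be asked for renewed consent. The day counts for retention, the claim window and the reminder lead time are assumed values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values: the article names four to six months as a proven deletion
# period and a two-month claim window; exact day counts and lead time are constructed.
RETENTION_DAYS = 180      # delete about six months after the process closed
CLAIM_WINDOW_DAYS = 60    # never delete before the claim window has passed
REMINDER_LEAD_DAYS = 30   # ask pooled candidates for renewed consent this early


@dataclass
class Applicant:
    applicant_id: str
    closed_on: Optional[date]                  # None while the process is still running
    pool_consent_until: Optional[date] = None  # explicit consent to longer pool storage


def deletion_due(a: Applicant, today: date, retention_days: int = RETENTION_DAYS) -> bool:
    """True if the record must be deleted under the retention policy."""
    if a.closed_on is None:
        return False  # process still open: the data is still needed for its purpose
    if a.pool_consent_until is not None and today <= a.pool_consent_until:
        return False  # valid pool consent extends storage
    # Keep the record until retention and the claim window have both passed;
    # a lapsed pool consent moves the retention end to the day after expiry.
    retention_end = a.closed_on + timedelta(days=retention_days)
    if a.pool_consent_until is not None:
        retention_end = max(retention_end, a.pool_consent_until + timedelta(days=1))
    claim_floor = a.closed_on + timedelta(days=CLAIM_WINDOW_DAYS)
    return today >= max(retention_end, claim_floor)


def renewal_reminder_due(a: Applicant, today: date) -> bool:
    """True if HR should now ask a pooled candidate for renewed consent and current data."""
    if a.pool_consent_until is None:
        return False
    return a.pool_consent_until - timedelta(days=REMINDER_LEAD_DAYS) <= today <= a.pool_consent_until


def run_retention(records: list, today: date) -> dict:
    """One scheduled pass: ids that must be deleted and ids that need a consent reminder."""
    return {
        "delete": [a.applicant_id for a in records if deletion_due(a, today)],
        "remind": [a.applicant_id for a in records if renewal_reminder_due(a, today)],
    }


if __name__ == "__main__":  # constructed sample records
    sample = [Applicant("A1", date(2018, 6, 1)),                     # closed, no pool consent
              Applicant("A2", None),                                 # still in process
              Applicant("A3", date(2018, 6, 1), date(2019, 1, 20))]  # pooled, consent ending soon
    print(run_retention(sample, date(2019, 1, 1)))  # {'delete': ['A1'], 'remind': ['A3']}
```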

6. Data protection also applies to employees

What applies to applicants also applies to employees. Many companies use pictures of their employees in their external communications. A blanket consent is not sufficient here. Employees must consent individually for each channel of use (website, social media, posters for e.g. trainee campaigns, etc.).


Due to an editorial error, references to services were incorrectly contained in the first version of this article. Since the article is, however, a neutral technical contribution, these advertising elements have been removed. We apologize.
