DSGVO in relation to HR
The General Data Protection Regulation (GDPR) covers all processing of personal data in companies. With the entry into force of the GDPR, recruiters are obliged to keep a record of all processing activities. With an applicant management system, all necessary processes can be automated and data can be stored and managed centrally in one place. In addition, data-protection-compliant handling of all data becomes fully demonstrable.
Nevertheless, you must ensure the permissibility of data processing through technical or organizational measures, design the technology in a data-protection-friendly way, be able to assess data protection consequences and report data protection violations. Use the checklist below to find out whether you have thought of everything. When dealing with applicant data, six principles must be observed:
- Transparency: Data must be processed in a manner that is comprehensible to the data subject.
- Purpose limitation: Data from an application may only be used as part of the application process and must be deleted after its completion.
- Data minimization: Only data necessary for the purpose of the data collection, i.e. for the recruitment process and the candidate selection, may be collected.
- Accuracy: All data provided must be correct and up-to-date at all times.
- Storage limit: Data may only be stored for as long as necessary.
- Confidentiality: The security of personal data must be guaranteed. This includes protection against unauthorized or unlawful processing and against unintentional loss, accidental destruction or accidental damage through appropriate technical and organizational measures.
1. Save data within the EU
Without an IT system of your own, compliance with the new legislation is hardly possible. Anyone who engages a provider should make sure that the provider and any third-party providers it uses store the data in the EU, preferably in Germany. In addition, only the data necessary for the provision of the service should be transmitted. Check which service providers and which software (e.g. an applicant management system or a CRM system) process personal data. The data processing agreements should be adapted to the new provisions of the GDPR. It is best if the service provider supplies a new data processing agreement that you as a customer can simply accept and file.
Even better is a supplier that is ISO 27001 certified. This ensures that the business and legal requirements are met. Be aware of the scope of a certification, and verify that all processes of the vendor that process your data are certified, not just the data center.
2. Have your privacy statement verified
- the reference to technical and organizational measures,
- Deletion periods,
- the purpose of processing and
But what about applications sent by e-mail? In that case, you should write to the prospective applicant in advance and ask them to transfer their data to the applicant management system.
3. Restrict view privilege
Make sure that the view permission for applicant data is always restricted. It may only be accessible to those who are actually involved in the application, such as the HR administrator or the works council.
However, anyone who leaves a shared drive open to others, leaves candidates' documents lying on their desk, or shares with colleagues a calendar that lists job interviews by name discloses the identity of applicants and clearly violates data protection. If you use an applicant management system, you can control access to documents with a role and rights concept. But beware: never share login credentials!
4. Delete data
In future, it must be demonstrable that data is deleted after a certain period. However, there is still no legally binding definition of these periods. For our customers, deletion after four to six months has proven effective. In any case, the data is retained until the two-month period for a discrimination claim has expired, so that, in case of doubt, discrimination allegations can be refuted. An automated deletion period can easily be implemented in the system.
In addition, I recommend that recruiters include the reference to data deletion directly in the rejection letter in order to anticipate queries from applicants.
5. Applicant pools must also be compliant
Candidates who do not fit the advertised position but may be eligible for another post at a later date may be placed in an applicant pool. The aim of applicant management is to support the application and selection process with IT and thereby make the work processes largely automated and efficient.
In detail, an applicant management system makes possible:
- increased transparency for applicants, recruiters and departments
- data entry by the applicant, and thus time savings and error prevention
- the shortening of reaction times through standardized processes and reminders
- the documentation of the recruiting process
- the standardization of recruiting processes
- an improved candidate selection
- the optimization of recruiting channels
- a reduction in recruiting costs
- as well as a modern employer image inside and out.
But: the candidate must be asked in advance whether they explicitly agree to be included in the pool and thus to longer-term storage. In addition, they must be informed about the associated deletion deadlines.
It is advisable to use an automatic mechanism that reminds the HR department in good time to seek renewed consent for continued storage in the pool. At the same time, it can also be queried whether the data is still up to date (principle: accuracy).
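The retention rules described in sections 4 and 5 (deletion four to six months after the process closes, never before the two-month discrimination-claim period has expired, pool storage only with explicit consent that is renewed in good time, and a deletion reference in the rejection letter) can be encoded in a small policy module. The following is an added example, not code from the article or from any particular applicant management system; the concrete settings (six months retention, 30-day reminder lead) are hypothetical values chosen for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy settings (hypothetical): the article names four to six months for deletion and a two-month claim period.
RETENTION_MONTHS = 6       # delete applicant data this long after the process closed
CLAIM_PERIOD_MONTHS = 2    # never delete before the claim period has expired
POOL_REMINDER_DAYS = 30    # remind HR this long before pool consent expires

@dataclass
class Applicant:
    applicant_id: str
    closed_on: Optional[str] = None           # ISO date of the final decision; None = still open
    pool_consent_until: Optional[str] = None  # expiry of explicit pool consent; None = not given

def _d(s: Optional[str]) -> Optional[date]: return date.fromisoformat(s) if s else None

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic without external libraries (day clamped to month length)."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def scheduled_deletion(app: Applicant) -> Optional[str]:
    """Later of the retention deadline and the claim-period deadline, so a short retention setting never deletes early."""
    closed = _d(app.closed_on)
    if closed is None or app.pool_consent_until is not None:
        return None
    return max(add_months(closed, RETENTION_MONTHS), add_months(closed, CLAIM_PERIOD_MONTHS)).isoformat()

def retention_action(app: Applicant, today_iso: str) -> str:
    """What the nightly retention job should do with one record: keep, remind or delete."""
    today = _d(today_iso)
    if app.closed_on is None:
        return "keep"                          # application process still running
    until = _d(app.pool_consent_until)
    if until is not None:
        if today > until:
            return "delete"                    # pool consent expired without renewal
        if today >= until - timedelta(days=POOL_REMINDER_DAYS):
            return "remind"                    # seek renewed consent and confirm data is current
        return "keep"
    return "delete" if today >= _d(scheduled_deletion(app)) else "keep"

def rejection_notice(app: Applicant) -> str:
    """Sentence for the rejection letter stating the deletion date, to anticipate queries."""
    d = scheduled_deletion(app)
    return f"Your application data will be deleted on {d}." if d else ""
```

The deletion date is computed as the later of the two deadlines on purpose: if someone shortens RETENTION_MONTHS below the claim period, records still survive until the claim period has run out.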
6. Privacy also applies to employees
What applies to applicants also applies to employees. Many companies use pictures of their employees in their external presentation. A blanket authorization is not sufficient here. Employees must consent individually to each channel of use (website, social media, posters, e.g. for trainee campaigns, etc.).
Due to an editorial error, the first version of this article contained references to services. Since this article is intended as a neutral technical contribution, these advertising elements have been removed. We apologize.