
Disclosure & Image Rights: Artwork created as part of a free collaboration with Shutterstock. 

About the author:

Tobias Tiedgen is the managing director of the Hamburg recruiting company d.vinci. All texts by Tobias Tiedgen.

GDPR & data protection compliant recruiting: 2 X 6 legal tips

The EU General Data Protection Regulation (GDPR) has been in effect since June 25, 2018. Anyone who violates it faces severe penalties. What do recruiters have to consider?


GDPR in relation to HR

The General Data Protection Regulation affects all processing of personal data in companies. With the entry into force of the GDPR, recruiters are obliged to keep a record of all processing activities. With an applicant management system, all the necessary processes can be automated, and data can be stored and managed centrally in one place. In addition, the data protection-compliant handling of all data can be proven without gaps.

Nevertheless, you must ensure that data processing is lawful through technical and organizational measures, design the technology in a privacy-friendly way, be able to carry out data protection impact assessments, and report data protection breaches. Use the checklist to find out whether you have thought of everything. When dealing with applicant data, six principles have to be observed:

  1. Transparency: Data must be processed in a manner that is comprehensible to the data subject.
  2. Purpose limitation: Data from an application may only be used as part of the application process and must be deleted after it is completed.
  3. Data minimization: Only data necessary for the purpose of the data collection, i.e. for the recruitment process and the candidate selection, may be collected.
  4. Accuracy: All data held must be correct and up to date at all times.
  5. Storage limitation: Data may only be stored for as long as necessary.
  6. Confidentiality: The security of personal data must be guaranteed. This includes protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through appropriate technical and organizational measures.

1. Save data within the EU

Without a dedicated IT system, compliance with the new legislation is hardly possible. Anyone who engages a provider should make sure that the provider and any third parties it uses store the data in the EU, preferably in Germany. In addition, only the data necessary for providing the service should be transmitted. Check which service providers and which software (e.g. an applicant management system or a CRM system) process personal data. The data processing agreements should be adapted to the new provisions of the GDPR. It is best if the service provider supplies a new data processing agreement that you as the customer can simply accept and file.

Even better is if your supplier is ISO 27001 certified. This provides assurance that the business and legal requirements are met. Be aware of the scope of a certification, and verify that all processes of the vendor that processes your data are certified, not just the data center.

2. Have the data protection declaration accepted in a verifiable manner

From 25 May, applicants must be asked to accept the privacy policy. In an IT system this can be solved by requiring candidates to actively consent to the privacy policy via a checkbox before sending their application. The privacy policy must contain:


  • the reference to technical and organizational protection measures,
  • deletion periods,
  • the purpose of processing and
  • the reference to the use of cookies.

For the greatest possible transparency, I recommend resending the link to the privacy policy together with the confirmation of receipt. The easiest way to do this is via a correspondence template in the system.

But what about applications sent by e-mail? In that case, you should e-mail the applicant in advance and ask for their consent to transfer the data into the applicant management system.

Incidentally, consent to the privacy policy also applies to employee referrals: if these are not handled via a dedicated tool, an employee who passes a friend's application directly to the HR department must be able to prove that friend's consent. Otherwise the HR department may not accept the documents.

3. Restrict view privilege

Make sure that the view permission for applicant data is always restricted. The data may only be accessible to those who are actually involved in the application, such as the HR administrator or the works council.

A shared drive that is open to others, applicant documents left on the desk, or a calendar shared with other colleagues in which job interviews are entered by name all disclose the identity of applicants and are clear violations of data protection. If you use an applicant management system, access to documents can be controlled with a role and rights concept. But be careful: never pass on login data!
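As an added illustration of such a role and rights concept (this is example code, not d.vinci's product or the article's own material), the snippet below denies access by default, lets HR administrators and the works council see every application, scopes hiring managers to the requisitions they are assigned to, and writes every access decision to a log so that inspections of applicant data can be proven later. All role names, record fields and sample values are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Roles that may view applicant documents at all (assumed for this example).
# Everyone else, e.g. sales or IT staff, is denied by default.
ROLES_WITH_ACCESS = {"hr_admin", "works_council", "hiring_manager"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    requisitions: frozenset = frozenset()  # job openings this user is involved in


@dataclass(frozen=True)
class Application:
    applicant_id: str
    requisition: str  # the job opening this application belongs to


# Append-only access log. GDPR accountability means you must be able to show
# who looked at applicant data, not merely that access was restricted.
ACCESS_LOG: list = []


def can_view(user, application):
    """Deny by default; allow only roles involved in this specific application."""
    if user.role not in ROLES_WITH_ACCESS:
        return False
    # HR administrators and the works council are involved in every application.
    if user.role in {"hr_admin", "works_council"}:
        return True
    # Hiring managers only see applications for requisitions assigned to them.
    return application.requisition in user.requisitions


def view_documents(user, application, documents):
    """Return the applicant's documents if allowed; log the decision either way."""
    allowed = can_view(user, application)
    ACCESS_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.name,
        "role": user.role,
        "applicant": application.applicant_id,
        "allowed": allowed,
    })
    if not allowed:
        raise PermissionError(
            f"{user.name} ({user.role}) may not view applicant {application.applicant_id}"
        )
    return documents[application.applicant_id]


def denied_accesses():
    """Log entries for refused attempts: the first thing to review in an audit."""
    return [entry for entry in ACCESS_LOG if not entry["allowed"]]


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    docs = {"A-1": ["cv.pdf", "cover_letter.pdf"]}
    hr = User("Anna", "hr_admin")
    manager = User("Ben", "hiring_manager", frozenset({"REQ-1"}))
    outsider = User("Chris", "sales")
    app = Application("A-1", "REQ-1")
    print(view_documents(hr, app, docs))
    print(view_documents(manager, app, docs))
    try:
        view_documents(outsider, app, docs)
    except PermissionError as exc:
        print("refused:", exc)
    print("denied attempts:", len(denied_accesses()))
```

The point of keeping a log of refused attempts is that a colleague who keeps trying to open applicant files for a requisition they are not assigned to is exactly the pattern the rights concept is meant to surface.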

4. Delete data

In the future it must be possible to prove that data is deleted after a certain time. However, there is still no legally binding definition of the periods. For our customers, deletion after four to six months has proven effective. In any case, the data must be kept until the two-month period for a discrimination claim has expired, so that discrimination allegations can be refuted in case of doubt. An automated deletion period can be easily implemented in the system.

In addition, I recommend that recruiters include the reference to data deletion directly in the rejection letter in order to anticipate queries from applicants.

5. Applicant pools must also be compliant

Candidates who do not match the advertised position but could be considered for another position at a later point in time can be saved in an applicant pool. The objective of applicant management is to support the application and selection process with IT and to make the work processes largely automated and efficient.

In detail, the applicant management system enables:

  • increased transparency for applicants, recruiters and departments
  • data entry by the applicant, and thus time savings and error prevention
  • shorter reaction times through standardized processes and reminders
  • documentation of the recruiting process
  • standardization of recruiting processes
  • improved candidate selection
  • optimization of recruiting channels
  • a reduction in recruiting costs
  • as well as a modern employer image inside and out.

But: the candidate must be asked in advance whether they also explicitly agree to being included in the pool, and thus to longer-term storage. In addition, they must be informed about the associated deletion deadlines.

It is advisable to use an automatic mechanism that reminds the HR department in good time to seek renewed approval for further storage in the pool. At the same time, it is also possible to query whether the data is still up-to-date (principle: correctness).
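Tips 4 and 5 together describe a retention schedule: delete after the normal period, but never before the two-month discrimination-claim window has run out, extend storage only on explicit pool consent, and remind HR before that consent expires. The following is an added example of how such a schedule can be computed and how deletions can be logged as proof; it is not the article's or d.vinci's code. The concrete periods (six months retention, twelve months pool consent, a 30-day reminder window) and the record fields are assumptions for the example, since the article itself stresses that no legally binding periods exist.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed retention parameters (constructed for this example; adjust to your
# own legal assessment). The article names "four to six months" and the
# two-month claim window; the pool consent validity and reminder lead time
# are assumptions.
RETENTION_MONTHS = 6
CLAIM_WINDOW_MONTHS = 2
POOL_CONSENT_MONTHS = 12
POOL_REMINDER_DAYS = 30


def add_months(d, months):
    """Calendar-month arithmetic without third-party libraries.

    Clamps to the last day of the target month (31 Jan + 1 month = 28/29 Feb).
    """
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass
class ApplicantRecord:
    applicant_id: str
    received: date                          # date the application arrived
    concluded: Optional[date] = None        # date the process ended (rejection/withdrawal)
    pool_consent_given: Optional[date] = None  # explicit, separate consent for the pool
    deleted: Optional[date] = None


def deletion_due(rec):
    """Earliest date on which the record may and must be deleted, or None.

    Storage runs to the end of the normal retention period or, if later, to
    the end of the claim window after the process concluded. Explicit pool
    consent extends storage until that consent itself expires.
    """
    if rec.concluded is None:
        return None  # process still running: storage limit not yet reached
    due = max(add_months(rec.received, RETENTION_MONTHS),
              add_months(rec.concluded, CLAIM_WINDOW_MONTHS))
    if rec.pool_consent_given is not None:
        due = max(due, add_months(rec.pool_consent_given, POOL_CONSENT_MONTHS))
    return due


def pool_renewal_needed(rec, today):
    """True when HR should ask for renewed pool consent (and check the data is current)."""
    if rec.pool_consent_given is None or rec.deleted is not None:
        return False
    expiry = add_months(rec.pool_consent_given, POOL_CONSENT_MONTHS)
    return today >= expiry - timedelta(days=POOL_REMINDER_DAYS)


def run_deletion_job(records, today, log):
    """Delete every record whose due date has passed; append a proof line to log."""
    deleted_ids = []
    for rec in records:
        due = deletion_due(rec)
        if rec.deleted is None and due is not None and today >= due:
            rec.deleted = today
            # The log line is the evidence that deletion happened when it should.
            log.append(f"{today.isoformat()} deleted applicant {rec.applicant_id} "
                       f"(due {due.isoformat()})")
            deleted_ids.append(rec.applicant_id)
    return deleted_ids


if __name__ == "__main__":
    # Constructed sample records for a stand-alone run.
    records = [
        ApplicantRecord("A-1", date(2018, 6, 1), concluded=date(2018, 10, 15)),
        ApplicantRecord("A-2", date(2018, 6, 1), concluded=date(2018, 6, 20)),
        ApplicantRecord("A-3", date(2018, 6, 1), concluded=date(2018, 6, 20),
                        pool_consent_given=date(2018, 7, 1)),
    ]
    for rec in records:
        print(rec.applicant_id, "due", deletion_due(rec))
    proof = []
    print("deleted on 2018-12-10:", run_deletion_job(records, date(2018, 12, 10), proof))
    print("\n".join(proof))
    print("A-3 renewal needed on 2019-06-01:",
          pool_renewal_needed(records[2], date(2019, 6, 1)))
```

Note that the job only deletes records whose process has actually concluded; an open application has not reached its storage limit, and the claim window is measured from the conclusion date, not from receipt, which is why a late rejection pushes the deletion date past the plain retention period.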

6. Data protection also applies to employees

What applies to applicants also applies to employees. Many companies use pictures of their employees in their external communications. A blanket consent is not sufficient here. Employees must consent individually to each channel of use (website, social media, posters for trainee campaigns, etc.).


Due to an editorial error, references to services were incorrectly contained in the first version of this article. Since this article is, however, a neutral technical contribution, these advertising elements have been removed. We apologize.
