Is your data protection policy already as it should be? Since the GDPR (General Data Protection Regulation) came into force, the rules are stricter and there will be fines of up to several million euros for companies that do not adapt to them properly. For organisations, it is important to communicate why and in which way personal data is being processed. The GDPR imposes requirements on transparency about the processing and on the communication with the person concerned (in our case, the candidate). This can be communicated in a privacy statement. But what exactly is a privacy statement and what should it look like?
Which requirements need to be met by a privacy statement?
A privacy statement must have the following characteristics:
- easy to understand
- easy to access
These requirements should ensure that the candidate knows exactly where (s)he stands with regard to the protection of his or her data. Additional and more specific requirements may apply, depending on the way data is collected. Data can be collected in a direct or an indirect way. In direct data collection, the candidate enters his or her data personally, for example via an application form. When data is obtained via an external source, one speaks of indirect data collection, for example when a recruiter takes data from a candidate’s LinkedIn profile.
Direct processing of personal data
When data is collected directly from the candidate, the privacy statement needs to be provided before or at the moment the data is transferred. You can manage this by inserting a link to the privacy statement in the application form. The privacy statement should at least contain the following information:
- the data processor’s identity and contact information
- the goal and legal foundation for the processing
- the data processor’s legitimate interest
- the possible recipients (or categories of recipients) of the personal data
- information regarding the forwarding of personal data to a third country (outside the EU), if that’s the case
- the storage period or the criteria that are being used to determine the storage period
- the person concerned needs to be informed about his/her rights
- the person concerned needs to be informed about his/her right to withdraw his/her approval for the processing of data
- the person concerned needs to be informed that he/she has the right to file a complaint
- it needs to be declared if automated decisions will be made
Indirect processing of personal data
If data are collected indirectly, for example via LinkedIn, the same requirements as illustrated above apply. Additionally, it needs to be indicated which categories of data were processed and which source was used.
Within an appropriate timeframe (in any case, within one month after processing), the person concerned needs to be informed about the information shown above. If the personal data are processed with the goal of communicating with the person concerned, this information needs to be provided at the moment of the first contact.
Also, if the personal data is forwarded to third parties, the person concerned needs to be informed about this, at the latest when the data is shared with those third parties.
Identity and contact information
Both the identity and the contact information of the person who is in charge of the data processing need to be stated in the privacy statement. If the organisation also employs a data protection officer, the contact information of that person needs to be added to the privacy statement as well.
Legal basis of the processing
In order to process personal data, there needs to be a legal basis for the processing. The processing must rest on one of the following grounds:
- the person concerned has given their approval for the data processing
- the processing is necessary for the execution of a contract and happens upon the person’s express request
- the processing is necessary for the data processor’s compliance with legal obligations
- the processing is needed for the protection of the parties’ vital interests
- the processing is necessary for the execution of a task of general utility
- the processing is necessary for the pursuit of the legitimate interests of the person in charge of the processing
Personal data may not be stored longer than necessary for the purpose for which they were collected. If an exact storage period can’t be determined, criteria need to be set that define the storage period. For example, the rejection of a candidate could be a criterion for the deletion of the person’s data. Using an anonymisation script, you can set up automated processes that control the storage and the timely deletion of data according to your own internal guidelines.
In the regularly published guidelines of the Article 29 Data Protection Working Party (which includes one representative from the data protection authority of each EU member state), there are rules regarding the storage period of data collected during the recruitment process. In general, the data need to be deleted as soon as it becomes clear that the candidate won’t be hired (see also http://ec.europa.eu/newsroom/document.cfm?doc_id=45631, Article 5.1).
If you want to store the candidate’s data for future offers, you need to inform them beforehand. You also need to give the candidate the opportunity to revoke their approval, after which the data are deleted.
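As an added example (not code from the article or from any particular product), the retention rules of the last three paragraphs expressed as a small anonymisation script: rejection is the deletion criterion unless the candidate agreed to be kept for future offers, a withdrawn approval triggers deletion at once, and an assumed internal retention period bounds the talent pool. The candidate records, the run date and the 365-day period are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Assumed internal guideline (not a value from the article): how long a rejected
# candidate who agreed to be kept for future offers stays in the talent pool.
TALENT_POOL_RETENTION = timedelta(days=365)


@dataclass(frozen=True)
class Candidate:
    candidate_id: str
    name: Optional[str]
    email: Optional[str]
    status: str                          # "in_process", "rejected" or "hired"
    rejected_on: Optional[date] = None
    consent_future_offers: bool = False  # candidate agreed to be kept for future offers
    consent_withdrawn: bool = False      # candidate later revoked that approval


def retention_action(c: Candidate, today: date) -> str:
    """Return 'keep' or 'anonymise' for one record."""
    if c.status != "rejected":
        return "keep"        # still in process or hired: purpose not yet exhausted
    if not c.consent_future_offers or c.consent_withdrawn:
        return "anonymise"   # rejection is the deletion criterion when no consent remains
    if c.rejected_on is None or today - c.rejected_on > TALENT_POOL_RETENTION:
        return "anonymise"   # consent given, but the internal retention period has passed
    return "keep"


def anonymise(c: Candidate) -> Candidate:
    """Strip identifying fields; keep id and outcome for aggregate statistics only."""
    return replace(c, name=None, email=None)


def run_retention(candidates, today):
    """Apply the rules to every record; return the records to keep and the anonymised ones."""
    kept = [c for c in candidates if retention_action(c, today) == "keep"]
    anonymised = [anonymise(c) for c in candidates if retention_action(c, today) == "anonymise"]
    return kept, anonymised


# Constructed sample records and run date (not real candidates).
TODAY = date(2019, 6, 1)
SAMPLE = [
    Candidate("c1", "Ann", "ann@example.org", "in_process"),
    Candidate("c2", "Ben", "ben@example.org", "rejected", date(2019, 5, 20)),
    Candidate("c3", "Cy", "cy@example.org", "rejected", date(2019, 5, 20), True),
    Candidate("c4", "Di", "di@example.org", "rejected", date(2019, 5, 20), True, True),
    Candidate("c5", "Ed", "ed@example.org", "rejected", date(2018, 1, 1), True),
]
```

Running `run_retention(SAMPLE, TODAY)` keeps c1 and c3 and anonymises c2, c4 and c5; a real deployment would log each action so the deletion itself is demonstrable to the candidate and the supervisory authority.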
Layered Privacy Statement
If you want to include more information than usual in the privacy statement, you can make use of a so-called ‘layered privacy statement’ to keep it clear. In the first layer, you place the main points and add links to the more detailed information in a second layer. In doing so, you can create a succinct privacy statement and still provide all the necessary information to the visitor.
Examples of privacy statements