GDPR Compliance

Starting from 25th May 2018, organisations that collect personal data of EU residents must be compliant with the General Data Protection Regulation (GDPR). GDPR is a new EU law that aims to strengthen people’s right to privacy and protect their personal data.

GDPR places the burden of ensuring compliance on your organisation, especially on functions like recruiting, which rely heavily on collecting applicants’ personal data.

Please note that OneRecruit is not a law firm and cannot provide legal advice. All information provided is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements. Organisations should take independent legal advice regarding their own provisions for data protection.

To comply, you need to create a privacy policy for recruiting

Your company must have a transparent privacy policy in place that explains how it collects, processes and protects data, and that tells data subjects how to ask your company to delete or rectify their data. In addition to this privacy policy, your company may find it useful to have a separate privacy notice for recruitment. This notice should address candidates directly and include all the information required by GDPR Article 13 and Article 14:

  • The name and contact details of your organisation. If you have appointed a Data Protection Officer (DPO), include their contact details as well.
  • A statement that any data requested will be used for recruitment purposes only. You also need to explain your legitimate interest for processing it.
  • The types of information about a candidate that reside in your company’s files. These could be contact details, social and professional profiles, education and work experience.
  • Who you will share the data with. For example, if you are a recruitment consultant, you may share this data with your clients.
  • Where you find candidate data. It’s important to state that you use your sources lawfully.
  • Where the processing takes place and where you store the data. This is especially important if you transfer data outside the EU.
  • How long your organisation intends to store each candidate’s data. If a fixed period isn’t possible, explain the criteria you use to determine it.
  • The applicants’ rights. These include the right to be forgotten, the right to access or rectify their data, the right to restrict processing, the right to withdraw consent, and the right to be kept informed about the processing of their data.
  • Instructions on how applicants can act on the processing of their personal data. Let them know how to access their data or request that you delete, rectify or restrict processing of it.
  • How you protect applicant data. You could summarise or link to your company’s general privacy policy, which should describe all the ways your company protects data (e.g. encryption, privacy by design).

With OneRecruit you can change the default consent text and set up automatic deletion of applicants in Settings > Compliance.