"Impact of the new GDPR on the recruitment and selection process"

When your association recruits and selects candidates or employees, it receives, collects and processes their personal data for the purpose of assessing their candidacy to the job or position being offered and / or creating a recruitment reserve.

By now - unless if you lived in the North Pole for the last 18 months - you know that the GDPR imposes far more stringent obligations to the processing of one’s personal data such as the extended rights of the data subject including the right to be forgotten, the right to the portability, the obligation to keep the data accurate, the principle of privacy by design, the impact assessment, etc

Obviously the GDPR therefore has a dramatic impact on the recruitment and selection process.

One usually kept dozens of cv’s, notes or e-mails containing personal data of the candidates stored in multiple locations (laptop of all the managers and HR people involved, smart phones, cloud, etc) for very long period of times and without caring too much.

These blessed days are over and unless if you want to get a taste of the very expensive new sanctions imposed by the GDPR, you should better take some actions such as :

(i)                 analyzing your needs, the flow of data and number of persons involved both inside or outside the association;

(ii)               inform the candidates of their (extended) rights and provide the required information re the processing;

(iii)              inform the persons involved in the process of the legal insigts and in particular on what kind of data / questions should not be requested / asked;

(iv)              if possible centralize the processing of the personal data;

(v)               keep them in a separate data base;

(vi)              ensure that you keep them accurate and delete them after 12 – 24 months unless if you also got the consent to the processing for building up a recruitment reserve that arguably allows to keep the data for a longer period;

(vii)            setup the required procedures for complying with the data breach reporting obligation, requests of the data subject for portability or deletion and automatic deletion;

(viii)          involve IT;

(ix)              discuss with your partners (head-hunters, interim companies, etc) and agree on the terms of the processing or sub processing of the data; and

(x)                document your decisions on the processing of the persona data and how to ensure compliance with the legislation.

And this while ensuring at the same time compliance with the collective labour agreement n°38 concluded at national level which sets forth the rights and obligations of the employer and candidate such as the right to confidentiality, to be informed of the nature and specifics of the function, to a smooth treatment of the candidacy, to be informed of the reasons justifying the decision to reject the candidacy; etc