Anyone applying for a job discloses quite a bit of their privacy. For example, your curriculum vitae (resume) includes your first and last name, place of residence, address and contact information. Information about your employment history, avocations and education are also often listed on resumes. Job applicants sometimes also include confidential information in their resume or cover letter, such as nationality, religion, driver's licenses they hold or marital status.
In addition to resumes and cover letters, employers often gather information about job applicants in other ways. If recruiters have several potential candidates in mind, they may search the Internet for additional background information. Sometimes they screen candidates. At an introductory or follow-up interview, they often ask the job seekers all they want to know. Finally, examinations can be part of the application procedure. These might include a medical examination or psychological test.
All in all, human resource workers get to see and hear a lot of personal and privacy-sensitive information from job applicants. For good reason, there are all kinds of laws and rules to protect the privacy of job applicants when they apply to a company or organization. In this article, we consider these ground rules. We cover four topics:
Processing and retention of personal data.
Screening applicants.
What recruiters should not ask during a job interview.
Rights and obligations in an appointment inspection.
A resume can be thought of as an applicant's business card. It says something about who he is and where he comes from, but also what education, courses and workshops he has attended, for which companies and organizations he has worked and where his knowledge and expertise lie. Sometimes applicants also mention their achievements, publications, side activities or testimonials. In short, a resume is an anthology of someone's (employment) past.
There are five special rules or situations to watch out for:
A resume is chock-full of personal information. Such information should not be kept longer than necessary for the purpose for which it was collected and processed, or so it sounds in legal jargon. How long this retention period is varies by situation. If a job applicant receives a rejection, according to the Autoriteit Persoonsgegevens , it is common for all data to be destroyed within four weeks of the application process ending. This also applies to any written or digital notes a recruiter takes.
The data breach at Homerun makes painfully clear why the retention period is so short. Due to a vulnerability in Apache Web server software, hackers managed to get their hands on Amazon Web Services (AWS) access tokens. This allowed them to access the customer data of some 1,500 customers. Follow-up research by VPNGids.nl revealed that companies such as Amac, Blendle and Tony's Chocolonely stored personal data of job applicants for years, which is obviously not the intention.
If an employer sees leads, he can ask the applicant if he can keep his data longer. In that case, a retention period of one year is maintained. If an applicant joins the company, his personal data may be kept for up to two years after the termination of his employment. This also applies to things like appraisals, sick leave data and employment contracts.
During the application process, an employer may not ask applicants for a copy of a passport or other proof of identity. The reason is simple: these documents contain information that is not relevant to the job application. For example, what does an employer need a citizen service number or ID number for?
Identity cards also include a passport photo. Such a photo gives away more information than you might think at first glance. The way someone dresses can say something about their religious beliefs. The same goes for skin color or health. Skin color may give away someone's ethnicity or ancestry. A visible disability, such as blindness in one eye, says something about a candidate's physical condition. Therefore, potential employers should not ask for a copy of an ID.
That changes the moment an applicant enters the workforce. Then an employer is bound by the identification requirement. This consists of three parts:
Duty of verification: the employer must verify and establish the authenticity and validity of the ID.
Retention obligation: the employer has a duty to make a copy of the ID and keep it in the personnel records. Should the validity expire during employment, the employer does not have to ask for a copy again.
Duty of care: this means that an employer must enable its employees to comply with their duty of identification while at work. An employer must remind his employees that they must carry a valid ID even while at work.
The retention period for a copy of an ID is five years after the employee leaves employment.
Ethnicity, health, religion: this type of data is what the General Data Protection Regulation (GDPR) calls special personal data. Membership in political or civil society organizations, sexual orientation, genetic and biometric data are also examples of special personal data. European privacy laws prohibit employers from collecting and processing such data. There are some exceptions, such as if the processing is necessary because of a "substantial public interest.
What about when an employer asks applicants to apply via webcam? The basic principle is that an employer may not require a candidate to apply via webcam. The same principle applies here as with a copy of an identity document, namely that special personal data can be collected via a webcam. The company or agency may, however, present the applicant with the choice of applying via Zoom or Skype. If the applicant agrees to this, he or she is consenting to the processing of special personal data.
Job applicants have a variety of rights during and after their job applications. First, they may ask what personal data an employer has processed about them. We call this the right of inspection. The basis for this is found in Article 15 of European privacy legislation. Should job seekers notice that some information is incorrect, they may have it changed. This is also called the right to rectification (Article 16 AVG).
Relatedly, job applicants may ask employers to delete their data. After all, after a rejection, an employer no longer needs this data. This right is called the right to oblivion and is regulated in Article 17 of the AVG. Job seekers can also exercise the right to restrict processing (Article 18 AVG). They then ask the company where they applied to process less data. The latter no longer needs the data for the purpose for which the company initially kept the personal data.
Furthermore, job applicants have the right to transfer their personal data. The right to data portability is also known as data portability (Article 20 AVG). The idea behind this is that job seekers can request their personal data from the company they applied to, and then transfer it to another party that has a vacancy open. Job seekers can also request that the company transfer this data directly to another organization.
If job applicants are signed up for a newsletter or other form of direct marketing after they have applied, they can object. The company may then no longer process personal data to send advertising. Article 21 of European privacy regulations governs the right to object.
Finally, job seekers may demand that they not be subject to automated decision-making (Article 22 AVG). This means that someone personally looked at the application and weighed their resume and cover letter against those of other applicants. Companies that allow a computer program or algorithm to automatically make a decision often use profiling. If an applicant is not invited to an introductory interview for this reason, he can claim that the system may have given an incorrect outcome. He can then force the company to look at his application again and for the potential employer to make a new consideration.
If employers value anything, it is that their employees are trustworthy. This is for good reason. Suppose a day care center is looking for a teaching assistant. Then you want someone of impeccable conduct. As a parent, you probably don't trust the care of your son or daughter to someone who has a sex offender history. And you don't want cops or special investigating officers (boas) to bend the rules because they are bribed, do you?
For this reason, for some positions it is required by law to pre-screen candidates. In addition to teaching assistants and police officers, teachers in education and professional drivers, for example, are also pre-screened.
Screening means that an employer investigates the integrity of an applicant. In practice, a recruiter tries to gather more information about potential employees, such as by studying their resume, approaching references, running their name through a search engine, or requesting a Certificate of Good Conduct (VOG).
We discuss 5 aspects of screening below:
Screening can be quite invasive to the privacy of job applicants. Therefore, strict conditions apply. First, an employer must have a legitimate interest in screening candidates.
Article 6 of the AVG lists six bases on which the processing of personal data is lawful: if the data subject gives consent, if it is necessary for the performance of a contract, to comply with a legal obligation, to protect the vital interests of the data subject, to carry out a task of public interest or public authority (such as guarding public health), or to protect legitimate interests (think of fraud with taxpayers' money). The company the applicant is applying to determines which basis applies.
Salient detail: screening of new staff members cannot be based on the consent of those concerned. In fact, European law requires that applicants must freely give this consent. If coercion is involved in any way, the person's consent is not legally valid. Since job applicants are in a dependent position, they may feel pressured to consent.
The second condition is that screening is necessary. Whether it is depends on the position. It goes without saying that an employer will pay more care and attention to the selection process if employees work with small children or vulnerable young people, have access to large sums of money or regularly come into contact with confidential or secret information. This is when an employer wants to be sure that the person they hire can be trusted.
And third, an employer must inform an applicant in advance if screening is part of the application process. He must explain why he considers screening necessary, what data he is examining and why this information is relevant to the position for which the candidate is applying. Afterwards, the employer must share the results of the screening with the applicant.
Note that during the screening process, employers may only look at necessary data. Issues such as an applicant's health may not, in principle, play a role unless a medical examination is required by law or a general condition. This is the case with professional football players, professional drivers, firefighters and police officers. We discuss this in more detail in the section "Rights and Obligations in Appointment Examinations.
For some positions, employers require a Certificate of Good Conduct, or VOG. In fact, a VOG is nothing more than a statement certifying that a candidate does not have any serious criminal offenses on their criminal record that might interfere with performing a specific job. Some offenses or crimes can pose a problem for a job: consider a cab driver whose driver's license has been confiscated multiple times in the past, or someone who wants to work at a financial institution but has been convicted of help desk fraud in the past.
An employer can require job applicants and employees to present a VOG. In fact, since March 1, 2018, it is a legal requirement for teachers, professional drivers and anyone working with children to show a valid VOG. Even for professions or side jobs where this legal obligation does not apply, an employer may ask for a VOG.
A background check, or pre-employment screening, has several similarities to a VOG, yet is substantially different. The main difference is that a VOG focuses on the accuracy of personal and contact information and a candidate's criminal history. A background check, on the other hand, is much broader in scope. In addition to name and contact information and criminal history, it also looks at the authenticity of identification documents and diplomas, financial data (BKR registration), resume, references and online activities. A background check takes a thorough look at a person's past, as well as their current activities.
A VOG is issued by the municipality or Justis, the screening authority of the Ministry of Justice and Security. An employer can initiate a background check itself or have it conducted by a commercial party. Because these parties perform detective work, they have a license requirement under the Private Security Organizations and Detective Agencies Act (Wpbr). In this way, the government wants to protect the privacy of citizens.
The same rules apply to a background check as to a screening. There must be a legitimate interest, the investigation must be necessary for the position, applicants must be informed about the investigation in advance, and health data may not be part of a background check.
For employees working through a secondment or temporary employment agency, they do not have to be screened again for each new employer. Organizations can request a screening; secondment and employment agencies in that case only have to show the results of the previous screening. There is one exception: if a new client imposes additional requirements or can demonstrate that a new screening is necessary for some other reason, employees may be re-screened.
The Autoriteit Persoonsgegevens has listed a number of tips for employers who want to screen candidates. First, the regulator advises employers to conduct a screening only if they have a legitimate reason to do so. Should an employer come to the conclusion that screening is necessary, it is important to determine what questions they want answers to and what data are relevant.
The privacy watchdog points out that applicants should be informed in advance if screening is part of the job application. The AP recommends stating this in the job posting. The regulator emphasizes that health falls outside the screening process, unless an appointment examination is required by law. Finally, employers should realize that not all the information they find on the Internet about a person has to be true. If they want to use their findings in the application process, they must give the candidate an opportunity to respond to the information found. Thus, employers should be careful about things they find on the Internet.
For job applicants, the Autoriteit Persoonsgegevens has one additional tip: screen profiles on social media from strangers through privacy settings. This will prevent a future employer from poking around in the messages they once posted.
Job applicants who are invited to an introductory interview are one step closer to a (new) job. Chances are they are overjoyed because they get to come in and present themselves. Perhaps they are about to answer all the questions of their future boss.
While it is nice that candidates are willing to do so, several rights apply at this stage of the application process. These are devised to safeguard applicants' privacy and eliminate discrimination. Below we discuss some aspects that should not be covered in a job application.
It is worth remembering that recruiters may not actively inquire about the topics listed below. However, applicants are free to bring this up during an interview, for example because they feel it is important to be open and honest about their limitations. In doing so, however, there is a chance that they could be breaking their own windows. Be aware of this.
We discuss below six issues regarding what, if any, should or should not be discussed:
For starters, a potential employer should not ask applicants questions about private matters. What candidates do outside working hours is none of his or her business. Questions such as whether someone practices an (extreme) sport, whether they use drugs or drink alcohol at the weekend and what they do in their free time are not allowed. These things are not relevant to a person's performance.
An employer also may not ask questions about a person's religion or ethnicity. Questions such as "Do you want to return to your country of origin?", "How often do you pray daily?" or "Do you object to your supervisor being a woman?" may be considered discriminatory by job applicants. Therefore, these types of questions are not allowed.
Asking about a person's political affiliation is also prohibited. Applicants applying to a municipality or other government agency are not required to say anything about any membership in a political party. An argument such as "you are going to work for a PvdA alderman and we need to know if you are loyal to him as a VVD member" should not play a role in recruiting an employee.
Questions about a desire for children are also taboo. Employers are not allowed to ask new employees if they would like to have one or more children. Such questions were often asked of women in the past. Due to social developments such as secularization, women's emancipation and equal treatment in the workplace, this is now outdated.
What about pregnancy? May an employer ask if an applicant is pregnant? The answer to that is no. He may only ask questions about aspects relevant to the job. An applicant is under no obligation to bring up pregnancy or to give an honest answer if an employer inquires about it. Being pregnant or having a desire to have children belongs to the private domain, an employer may not select candidates on that basis.
There is another good reason why a woman should not be asked about her desire to have a child or become pregnant during a job application process: an employer runs the risk of discriminating on the basis of gender. If he does ask about this and therefore rejects a woman, he violates article 1 of the Constitution. That article prohibits discrimination on the basis of religion, belief, political affiliation, race or sex.
Another hot topic in a job application process, is health. An employer naturally wants to hire someone who is in good health and where the chances of sick leave are minimal. He is looking for someone who is productive and at the same time does not cause undesirable costs or other problems because he is frequently sick. He wants a candidate he can depend on and who will not call in sick at the first sign of a cold.
This is all very understandable. But asking directly about a person's physical or mental health is not allowed for privacy reasons. Nor is an employer allowed to ask about past sick leave. So candidates do not have to report if, for example, they have been home for a while due to back pain, burnout or other ailments. Inquiries about medication use or hospitalization in the past are of course also not permitted. Should these questions nevertheless be asked, candidates are not required to answer them.
There is a flip side to this coin. A job applicant has a duty to inform an employer if he knows that medical complaints may cause problems while working. This is for good reason: after all, an employer is responsible for the safety of its employees. If a new employee's condition puts workplace safety at risk, that is something he needs to know. Not so much to reject the candidate, but to judge whether additional (safety) measures should be taken.
If an employee becomes disabled due to his illness or disability and has concealed this during the application process, this can have serious consequences. His employer may then decide not to continue paying his wages during illness. Concealing a medical condition relevant to the job may even be grounds for immediate dismissal.
There are two exceptions where an employer may explicitly ask about an applicant's health. First, this is allowed if an appointment examination is part of the application procedure. In practice, we only see such a medical examination in occupations where additional health and safety requirements apply, such as professional athletes or police officers.
A job applicant who is offered a job may still face health issues after some time. An employee who has been employed for two months or more may be asked if he is eligible for the no-risk policy under the Sickness Benefits Act. This is a scheme that employers can claim if they hire an employee with an illness or disability. They then receive a Sickness Act benefit if an employee falls ill.
Also, an employer can apply for premium discounts and subsidies. He therefore has the right to know if his employees qualify for the no-risk policy. Employees must answer this question honestly; however, they need not provide details about the illness or limitations they have.
If an applicant does not start talking about his health on his own accord and a personnel recruiter is not allowed to actively inquire about it, how does an employer determine whether someone is physically or mentally fit for a position? The answer is simple: during the introductory interview, he can mention or describe specific tasks and ask if the candidate can perform them.
Take the owner of a moving company looking for a new employee. He tells a candidate that he has to lug heavy furniture for hours at a time and asks if he can do it. From the answer, he gets the impression of whether the person opposite him has the right qualities.
"Are you able to stare at a computer screen for much of the day?" could be a relevant question for a call center employee. And "Can you get behind the wheel for four hours without stopping in between?" should be a truck driver's resounding yes. In short, by asking questions about the job, employers can learn a thing or two about applicants' health without directly inquiring about it.
The coronavirus has occupied minds for some time. The virus is highly contagious and the breeding ground for serious health problems. For people with weakened immune systems, COVID-19 can even be life-threatening and deadly. Because employers must ensure safe working conditions in the workplace and for clients under the Occupational Health and Safety Act, they may need to know whether or not someone has been vaccinated against the coronavirus. Are they allowed to ask job applicants this?
Yes, they may, the government says. However, job seekers are not required to answer this question. Vaccination status may not be recorded or shared in any way. The AVG considers health data to be special personal data. In principle, such data may not be recorded unless there is a legal exception. Legal experts argue that this is not easy for employers to find.
Nor may an employer require job applicants to be vaccinated or immunized against coronavirus. Vaccination is voluntary and should not be enforced by potential employers. They must devise ways to reduce the risk of infection for employees, co-workers and customers. Examples include a modified work schedule, setting up the workplace in such a way that one and a half meters distance can be guaranteed, placing disinfectant soap or offering personal protective equipment, and working from home. The fact that a candidate is not vaccinated may be grounds for rejecting him for a position.
A medical examination or appointment examination may be part of a job application process. This applies to professions where specific requirements are imposed on the medical suitability of candidates. Normal occupational health and safety measures are often not enough to avoid health and safety risks. Professions where applicants must participate in an appointment examination include firefighter, police officer, professional football player, professional soldier, pilot or train driver.
This is for good reason. A firefighter, police officer or soldier must be able to do heavy physical work for long periods of time. A professional football player should have good fitness and stamina. A footballer who sits on the reserve bench all season because of a medical ailment is of no use to a club. A pilot is responsible for the safety of hundreds of passengers in the air. If he has a history of epileptic seizures or some other medical condition that could compromise the safety of passengers, it is unwise to let him fly a plane. And a train driver must not be color-blind, or take medication that could affect his driving ability and ability to concentrate.
It is not the case that a disability or physical complaint automatically means that an applicant is rejected. In the past, back problems might have been grounds for rejecting an applicant to a healthcare facility. After all, this could make lifting patients difficult or lead to sick leave. Nowadays, healthcare institutions may no longer reject a candidate on that basis: there are plenty of aids available to move clients. If a healthcare facility does not want to invest in them, that is no reason to reject someone for the position.
We discuss the following below:
There are all kinds of rules employers must comply with for an appointment examination. These assessment criteria are laid down in the Medical Examinations Act (W mk) and the Appointment Examinations Decree. For example, an employer may not surprise an applicant during an introductory interview with the announcement that he must undergo a medical examination in order to be considered for the position. The vacancy must clearly state that a medical examination is a mandatory part of the application procedure. An employer may not order an examination to estimate the likelihood of sick leave or possible disability in the future.
A second condition is that a candidate may not be medically examined until he has gone through the application process and the employer is about to hire him. Earlier is not allowed. An employer must inform an applicant in writing about the purpose of the examination prior to the appointment examination. In the letter he must also tell what questions the candidate can expect, what examinations are part of the test (stamina, psychological test) and whether laboratory tests will be performed (blood and urine tests).
The examination must further be performed by a registered (company) physician. He may only ask questions about an applicant's health if they are relevant to the position. Questions about pregnancy or the desire to have children are therefore not permitted. Finally, the doctor may not investigate incurable diseases, hereditary conditions or HIV. Exactly what a doctor may and may not do during an appointment examination is laid down in the Guide to Appointment Examinations of the Dutch Association for Occupational Health and Safety (NVAB) and the Protocol on Appointment Examinations of the Social and Economic Council (SER).
Upon completion of the appointment examination, the doctor must first inform the applicant of the results of the examination. The applicant then decides whether the doctor may pass on the results to his future employer. In this case, the doctor advises, based on his findings, whether the candidate is medically suitable or unsuitable for the position for which he has applied. The doctor may not disclose medical information to the employer unless the candidate gives explicit consent.
Applicants have the right to an independent re-examination, for example if they disagree with the results. The cost of this is borne by the employer, but he may charge the candidate a contribution of his own. A request for a re-examination must be submitted within one week of receiving the results.
The health data the doctor collects during a pre-employment examination may only be used to determine whether a candidate is medically fit for a position. Once the examination is completed , the doctor may keep the results for a maximum of six months. He has a legal obligation to delete examination files of job applicants within six months. Without the candidate's express consent, the doctor may not share medical examination records with others.
Job applicants who have complaints about the use of their personal data during the application process would do well to express their dissatisfaction to the employer. By mutual agreement, they may be able to resolve the issue.
Do the candidate and employer not come to a joint agreement? Then the applicant can file a complaint with the Dutch Association for Personnel Management & Organization Development (NVP). A condition is that the employer subscribes to the Job Application Code of Conduct. This code of conduct describes the basic rules of a fair and transparent application process.
It is worth remembering that the NVP statement is not legally binding. Instead, it is a code of conduct created in cooperation with employer and employee organizations. Should an applicant decide to go to court, he will take the NVP's advice into account in his decision.
Job applicants who have complaints about a preemployment medical examination can contact the Committee for Complaint Handling Pre-Employment Medical Examinations (CKA). This committee assesses whether the rules that apply to a pre-examination have been complied with. The committee's decision, like the ruling of the NVP, is not binding or legally binding. Should a case go to court, the CKA's opinion will be heavily considered in its ruling.
Another option is for them to file a privacy complaint with the Autoriteit Persoonsgegevens. The regulator then looks into whether the employer in question is violating European privacy rules. Keep in mind that handling a complaint now takes more than six months.
Finally, job applicants can file a petition or subpoena with the court. Applicants who ask a potential employer to rectify or delete their data, or do not receive a response to that request at all, can file a petition. They then ask the court to order an organization to delete their personal data. Job applicants can start a subpoena procedure if they believe they have been harmed by a company or organization's unlawful use of their personal data.
Anyone looking for a (new) job has many rights. This applies not only before, but also during and after the application process. For example, an employer may not force a candidate to hand over a copy of his identity document, or force him to apply via webcam. An employer must also make it clear in advance if a screening or appointment examination is part of the application procedure. And asking questions about private matters, a desire to have children, pregnancy, coronavaccination or other health issues is something employers can write off.
All these rules were devised to ensure the privacy of job seekers. It is good to know that they do not have to pick and swallow everything from a prospective employer during their job hunt.
However, job applicants also have some duties. They are required to provide a VOG if an employer requests it. Employers may also require applicants to agree to a screening or appointment examination. And if an illness may interfere with the performance of a job, an applicant must tell a prospective employer.
Despite applicants having a wide range of rights, it is sometimes a challenge to strike the right balance between what they are and are not willing to reveal. Candidates may experience some pressure to reveal certain information that they would really rather have kept to themselves. With a (new) job on the horizon, they may succumb to the pressure and disclose privacy-sensitive details.
Job seekers who have a complaint after a job interview about how their personal data was used during the application process can go to various agencies to seek redress.
