HR is responsible for the application process within organizations and therefore handles the processing and storage of personal data. It is important to pay attention to how application data is collected, processed and stored, and to safeguard the (privacy) rights of applicants. There are many examples where this is not well regulated: a hack of a recruitment platform, for instance, made it painfully clear that many organizations keep application data for far too long. Below we list the key points so that the HR department can ensure a lawful, transparent and ethical application process.

The AVG (1) sets specific requirements for processing personal data, and these apply in full to the application process. The organization must have a purpose and a legal basis. There are several possible bases for processing personal data for recruitment and selection. The processing of the application itself (CV and motivation letter) falls under Article 6(1)(b) AVG: processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract. This only applies, however, if it actually concerns a position (contract) for which the data subject has applied.
For processing activities in the context of online recruitment and headhunting, an organization must invoke legitimate interest as a basis (Article 6(1)(f) AVG). An organization may never collect more data than necessary for the purpose of filling a vacancy. There is also a duty of information towards applicants. Inform applicants of their privacy rights in order to comply with this information obligation. A link to your privacy statement in the vacancy is certainly advisable.
As an organization, you may not process special categories of personal data of applicants during the application process, such as the BSN or information about health, race and religion, unless a statutory exception applies, for example when an applicant must undergo a medical examination. Such an examination is subject to strict conditions and, according to the Autoriteit Persoonsgegevens (AP) (2), is only allowed if the open position has special requirements. It is therefore not standard for a regular vacancy.
Only when the applicant is hired and thus becomes your employee are you required to process special personal data such as the BSN and a copy of the identity document, in order to give effect to the agreement between employer and employee. You may then also include the curriculum vitae, any cover letter and any screening in your new employee's personnel file. Processing data about health, race and religion is not necessary to give effect to this agreement.
Applicants are often also screened during the application process. A number of things must then be taken into account.
Clearly state in the job posting what the application process looks like. Perhaps there are several interviews, or an assessment is part of the procedure. If a screening is part of the application procedure, this must be stated.
Screening can be completed in several ways.
Screening of diplomas; this is possible under the basis of consent. The applicant can request a diploma overview through DUO and share it with you;
Screening for criminal records and/or fraud in the EFTA Registry;
Applying for a VOG; more information can be found in this article (3);
Contacting former employers whom the applicant has given as references; the applicant thereby consents to the disclosure of data about their personality and performance, which in practice is regarded as a light version of an employer's certificate;
Screening of social media accounts such as Facebook; this is possible on the basis of consent. This consent must be given in advance, and it must also be made clear in advance, as part of the application process, that the information found can be discussed at a later stage. This remains a sensitive and tricky issue, as it is only allowed when it is necessary for a specific position and is therefore not standard practice.
The recommended retention period for application data is 4 weeks, as stated by the AP here (4). This 4-week period starts once the application process is completed or the candidate is rejected. It is possible to keep application data for up to a year, which is considered a reasonable period, but for this the organization must obtain the applicant's consent. Often this is a digital consent requested via an e-mail message, and the consent should be requested again annually.
When an applicant is hired, the curriculum vitae and any cover letter may be included in the personnel file, as may the VOG or other application data processed during the application process. Ensure timely and complete disposal of the data, according to the established retention periods.
Note that this processing (assessing job applications and running selection processes) must also be recorded in the organization's register of processing activities, so that the organization meets its accountability obligation under the AVG.
A Data Protection Impact Assessment (DPIA) may also be necessary for this processing, because screening in particular carries a high privacy risk.
If personal data is transferred outside the European Economic Area (EEA), ensure that appropriate safeguards are in place, such as standard contractual clauses or Binding Corporate Rules. For more on this, see this article (5) and this earlier article (6) which we wrote.
It often happens that the recruitment system in question is provided by a supplier. Therefore, it is important that there is an agreement with this external supplier and that security is adequate and appropriate. Additionally, access within the organization should also be restricted according to an information security policy.
Finally, retention periods deserve to be mentioned once more. Make sure a retention policy is in place and that the established retention periods are actually applied in practice to HR files, any recruitment systems, mailboxes, etc.
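As an added example (not code from the original article), the retention rules described above encoded as a small Python check that can be run over records exported from a recruitment system: 4 weeks after the procedure ends without consent, extended to a year from the latest applicant consent (which must be renewed annually), and transfer to the personnel file for hired candidates. The record layout, field names and sample dates are assumptions made for illustration, not the schema of any real recruitment system.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional

# Retention rules as described in the article, encoded here as assumptions:
# without consent, delete 4 weeks after the procedure ends; with consent, keep
# at most one year from the (latest) consent; hired candidates' data moves to
# the personnel file, which follows its own retention schedule.
DEFAULT_RETENTION = timedelta(weeks=4)
CONSENT_RETENTION = timedelta(days=365)


class Outcome(Enum):
    OPEN = "open"          # procedure still running for this applicant
    REJECTED = "rejected"  # rejected, or procedure closed without a hire
    HIRED = "hired"        # applicant became an employee


@dataclass(frozen=True)
class Application:
    """One applicant's record in a hypothetical recruitment system."""
    applicant_id: str
    outcome: Outcome
    closed_on: Optional[date] = None         # day the procedure ended for this applicant
    consent_given_on: Optional[date] = None  # latest consent to keep data beyond 4 weeks


@dataclass(frozen=True)
class Decision:
    applicant_id: str
    action: str                # "keep", "delete" or "transfer_to_personnel_file"
    delete_by: Optional[date]  # last day the record may remain in the recruitment system


def retention_decision(app: Application, today: date) -> Decision:
    """Apply the retention rules to a single record as of `today`."""
    if app.outcome is Outcome.OPEN:
        return Decision(app.applicant_id, "keep", None)
    if app.outcome is Outcome.HIRED:
        # CV, cover letter, VOG etc. go to the personnel file; not deleted here
        return Decision(app.applicant_id, "transfer_to_personnel_file", None)
    if app.closed_on is None:
        raise ValueError(f"{app.applicant_id}: rejected record has no closing date")

    delete_by = app.closed_on + DEFAULT_RETENTION
    if app.consent_given_on is not None:
        # Consent extends retention to a year from when it was (last) given, but
        # never shortens the default 4 weeks if consent was given early.
        delete_by = max(delete_by, app.consent_given_on + CONSENT_RETENTION)

    action = "delete" if today > delete_by else "keep"
    return Decision(app.applicant_id, action, delete_by)


def overdue_records(apps: List[Application], today: date) -> List[str]:
    """IDs of records that should already have been erased from the recruitment system."""
    return [a.applicant_id for a in apps
            if retention_decision(a, today).action == "delete"]


# Constructed sample records (not real applicants), evaluated on 1 June 2024.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Application("A1", Outcome.OPEN),
    Application("A2", Outcome.REJECTED, closed_on=date(2024, 4, 1)),   # 4 weeks have passed
    Application("A3", Outcome.REJECTED, closed_on=date(2024, 5, 20)),  # still within 4 weeks
    Application("A4", Outcome.REJECTED, closed_on=date(2023, 5, 1),
                consent_given_on=date(2023, 5, 15)),                   # consent expired, not renewed
    Application("A5", Outcome.REJECTED, closed_on=date(2023, 5, 1),
                consent_given_on=date(2024, 5, 10)),                   # consent renewed this year
    Application("A6", Outcome.HIRED, closed_on=date(2024, 5, 28)),
]

if __name__ == "__main__":
    for app in SAMPLE:
        d = retention_decision(app, TODAY)
        print(f"{d.applicant_id}: {d.action} (delete by {d.delete_by})")
    print("overdue:", overdue_records(SAMPLE, TODAY))
```

Running the same check periodically against exports from the recruitment system, the HR mailboxes and any shared drives gives the evidence that the retention policy is applied in practice, which is what the register of processing activities and the accountability obligation ultimately require.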
(1) General Data Protection Regulation
(2) https://www.autoriteitpersoonsgegevens.nl/themas/werk-en-uitkering/sollicitaties/gegevens-over-gezondheid-bij-sollicitaties
(3) How reliable is a Certificate of Good Conduct (VOG)?
(4) https://www.autoriteitpersoonsgegevens.nl/themas/werk-en-uitkering/sollicitaties/persoonsgegevens-van-sollicitanten
(5) Privacy Shield invalidated: what can you do?
(6) New adequacy decision for data exchange between Europe and the U.S.