Here's how employers ensure applicant privacy

A successful job application process is, of course, primarily about creating a match between an employer and an employee. But it also involves the careful processing of personal data. After all, you want candidates and employees to trust your organization and you want to comply with laws and regulations.

The transparency principle of the AVG: what's the deal?

The principle of transparency is a core component of the AVG. In the context of a job application process, transparency is about the employer's obligation to the person about whom the organization processes personal data. According to Articles 13 and 14 of the AVG, the person must be actively informed about the data processing. The AVG also specifies what information must be provided in the process. For example, the data subject must know the reason the data is being processed and who is responsible for it.

The AVG lists some exceptions to the transparency obligation in Article 14:

The data subject is already aware of the processing of personal data.

It is impossible to inform the data subject.

It takes disproportionate effort to comply with the information requirement.

The organization has a compelling interest in withholding information about data processing.

These situations are expressly exceptions. In most cases, your organization faces the task of notifying the individuals involved in a job application process of the personal data being collected and stored for that purpose.

Transparency for applicants and other stakeholders

The transparency obligation of the AVG means that every organization must report to the data subject the processing of personal data that takes place around the job application process. The disclosure obligation applies to job applicants as well as to the people the applicants refer to as a reference or contract person.

It is possible that referees and contact persons do not themselves provide data for an application process: sometimes an applicant shares this data with the (future) employer. In that case, the organization is also obliged to inform these persons within thirty days of the start of the data processing.

Points of interest for practice

In practice, we quite often see organizations processing the personal data of third parties, such as referees and contacts, without informing them. In doing so, most organizations wrongly invoke one of the exceptions of Article 14 of the AVG.

Informing all of an applicant's contacts may be difficult in some cases. But the AVG is designed to protect fundamental rights and freedoms of citizens. Therefore, the duty to inform is not an optional step. The law expects you as an organization to be serious about the rights of data subjects, including the right to information.

Practical Tips

European privacy regulators have guidelines prepared for the interpretation of the transparency obligation of the AVG. Among other things, it explains the way in which - under Article 12 of the AVG - as an organization you provide information to a data subject. The guidelines also provide practical tips on the protection of personal data in a job application procedure.

Be clear. Clarify to applicants (and any references and contacts) in clear and simple language the collection and storage of data, and the why and how.

Inform in a timely manner. Make sure you inform a data subject within the prescribed thirty-day period. This can be done, for example, via a standard e-mail message explaining what happens to the personal data.

Consider using tooling. Is your organization dealing with large numbers of job applications? Then systems that automatically send notifications to contacts can be a godsend.

Avoid misunderstandings. Make sure contacts know their specific role in the application process. For example, specify that a contact will only be called in an emergency situation. This prevents unintended delays and unpleasant situations.

Privacy beyond legal obligations

Forward-thinking employers have long known it: a job application process is not simply an administrative process, where compliance with AVG requirements is a legal obligation. There are also opportunities to communicate your organization's values. By properly informing applicants (and other stakeholders, such as contact persons) about the processing of personal data, you show that you respect privacy and are a trustworthy organization.

Privacy is much more than a legal obligation. A careful handling of personal data gives the employer the opportunity to build a relationship of trust with (potential) employees - and to present the organization as distinctive. Given the tight labor market, these are opportunities you don't want to miss, right?