When gathering information about an applicant, data is collected that may directly or indirectly lead to the identification of the applicant. The digital collection, recording, storage, retrieval, use, and even mere consultation of this data constitutes processing of that data. In short: the GDPR applies.
As is well known, the automated processing of personal data in connection with a job application, where the purpose is to gather information about that applicant, must also have a legal basis for that processing. After all, the legal basis makes the processing lawful. The legal bases are described in Article 6 of the GDPR. Recitals 40 to 47 of the GDPR provide further explanation of the legal text. At least one of the legal bases must be present. In the case of the University of Leiden's job application procedure, the legal basis of "consent" is used.
During the proceedings, the university indicated that it would use the application code of the Dutch Association for Personnel Management & Organizational Development (NVP) as a starting point. The text of the NVP code, insofar as relevant here, reads (and still reads):
“5.1
If the organization wishes to obtain information about the applicant from third parties, via the internet such as social media and/or other sources, it will request the applicant's consent in advance, unless this is not required by law or generally binding regulations. The information to be obtained must be directly related to the vacancy to be filled and must not disproportionately infringe on the applicant's privacy. Information obtained from third parties and other sources, including websites (including social media), will, if relevant, a) be communicated to the applicant, with explicit mention of the source, b) be discussed with the applicant.
A member of the appointment advisory committee in the application procedure for a professor of English language learns information about one of the applicants during a university reception. This information gives him pause for thought and, outside the committee, he decides to obtain further information from four academics, not being the references previously provided by the applicant, who work or have worked with the applicant. Two academics respond by telephone, one academic responds in writing (r.o. 2.12: "In this case, I am afraid it is rather difficult to be positive") and one does not respond at all.
The committee member does not initially use the information until it becomes apparent that the advisory committee cannot unanimously agree on a suitable candidate. He then uses the information he has obtained to convince those who do like the applicant in question that he is not the right candidate after all. Nevertheless, this does not lead to a different assessment of the suitability of the candidates. A salient and juicy detail: the applicant's wife is a PhD student. She is conducting PhD research with one of the committee members, namely the committee member who does approve of the applicant, i.e. her husband.
Now that the committee is unable to reach a unanimous decision and the executive board has been informed of what has happened, a new appointment advisory committee will be appointed with the aim of repeating the procedure. The applicant in question has not responded to the request to indicate whether he wishes to participate in the procedure again. However, he has engaged a lawyer and filed a claim for damages.
Based on the claim for damages submitted, the court considers that it is clear that information about the applicant was obtained without his knowledge or consent. That information was ultimately used in the proceedings without being shared with or discussed with the applicant. This constitutes a violation of the NVP application code. This makes the university's actions (after all, the advisory committee acted under the responsibility of the university) unlawful.
The university defended itself by arguing that the NVP application code is only a code and not legislation. Furthermore, consent would not be required because the basis for obtaining further information could be based on another ground, namely legitimate interest (it should be noted that the case was still pending under the Personal Data Protection Act, but the grounds of consent and legitimate interest from Article 8 of the Personal Data Protection Act have been incorporated into Article 6 of the GDPR). The court dismissed the university's arguments. By committing itself to the NVP application code, the university has regulated itself. In other words, it has obliged itself to comply with the code. The appeal to legitimate interest, which according to the text of the law means that the interest in obtaining information must outweigh the applicant's right to privacy, was rejected. The argument for this is that if the university wants to obtain other information in addition to the information obtained with consent, this would have to be based on an exceptionally compelling interest. This is not the case here. In addition, the university can always reject the applicant in case of doubt. The latter always seems to be the case to me, which means that there could never be a compelling interest. It is also remarkable that no consideration is given to the fact that consent is not the correct basis.
On June 8, 2017, still under the Wbp but already focused on the GDPR, the Article 29 Working Party, now called the European Data Protection Board (EDPB), adopted guidelines on data processing at work. Section 5.1 mentions processing during the application procedure. The working party explicitly recommends using the legal basis of legitimate interest (Opinion 2/2017 17/NL/WP249). On April 10, 2018, a specific guideline on consent was revised. It states thefollowingabout the legal basis of consent in the employment relationship:
“Given the dependency that results from the relationship between employer and employee, it is unlikely that the data subject would be able to withhold his or her consent to data processing without fear or real threat of adverse consequences as a result of a refusal. It is unlikely that the employee would be able to respond freely to a request for consent from his or her employer (...) Given the imbalance between an employer and its staff, employees can only freely give consent in exceptional circumstances, namely when there are no negative consequences whether they give consent or not (...) Consent is not free in cases where there is any element of coercion, pressure, or inability to exercise free will" ( WP259 Guidelines on Consent under Regulation).
Consent must be given of one's own free will (Article 4(11) GDPR). You must be informed in clear, understandable, and simple language, for example about the purpose of the processing. In situations of dependency or subordination in legal relationships, there is no such thing as informed consent. The Article 29 Working Party has explicitly stated that consent is not the correct legal basis for such situations. The Article 29 Working Party explicitly recommends the legal basis of legitimate interest (see also recitals 42 and 42 of the GDPR). The relationship between a potential employer and a job applicant is even more unequal than the relationship between an employer and an employee. In the latter case, you still have a job with an income at that moment (in any case, there are still two obligations, namely the payment of wages in exchange for the performance of work). As a job applicant, on the other hand, you have nothing yet and are completely dependent on a "yes" or "no" from the potential employer for your income and social status. If consent is not the correct basis for the employment relationship, then this should certainly apply to the application procedure.
The court also devotes a passage to this. If the applicant refuses to give permission to obtain further information, the appointment advisory committee may draw its own conclusions. Recital 42 of the GDPR specifically states that refusal to give consent should not have any adverse consequences. The court indicates that such adverse consequences may well arise in this case if consent is refused. All the more reason to rule that consent should not be used as a basis.
Based on the above, legitimate interest seems to me to be the only correct basis for requesting information about an applicant. However, there are certain requirements attached to this basis. First, the employer must have an interest in obtaining the information. That interest must then outweigh the applicant's fundamental rights and freedoms. The employer will also have to consider whether gathering this information will achieve their goal, whether that goal could be achieved in another, less intrusive way, and whether the means are proportionate to the goal to be achieved. These requirements essentially mean that the employer cannot trawl through all Facebook pages when considering a random job application. LinkedIn profiles, which are more business-oriented, are more obvious. It is also more obvious to collect further information for positions where a risk analysis or the integrity of the person is important.
It seems as if the applicant would be better off with the basis of consent. At least then he would know where he stands and be involved in the process himself. However, this is an illusion. After all, there is no freedom to refuse. Because then the employer can "draw the conclusion that seems appropriate to him," according to the court. But that is precisely what is not allowed. In the case of a legitimate interest, the employer must inform the applicant during the application procedure that he can obtain further information and that he has an explicit, specifically mentioned compelling interest in doing so. After all, the applicant must be well informed.
In short, consent is not the correct basis for obtaining information during application procedures. Legitimate interest is the only correct basis. It would seem advisable to amend the NVP application code accordingly. Unfortunately for Leiden University, the court saw things differently. This has unpleasant consequences, as the court has yet to rule on the amount of damages the university will have to pay the candidate. Admittedly, the proceedings will not take into account the fact that the applicant might still have obtained the job if no additional information about him had been known. After all, he refused to participate in the further application procedure. He cannot therefore claim damages for not getting the job, "but that does not mean that he has not suffered any damage at all," according to the court. The amount of compensation will be determined in damages proceedings, to which the court has referred the case. To be continued, then.
This article can also be found in the Privacy in the Workplace file
