The General Data Protection Regulation (GDPR) of the EU shall be mandatory and directly applicable in all Member States, including Hungary, from 25 May 2018. In light of this it is crucial for data managers and processors to review the legal framework of their data management practices and adjust it to the new data protection requirements. The review should pay special attention to the management of personal data in connection with employment. However, an employer obtains personal data not only during employment, but even before the employment relationship is established. This article summarises the most important rules on job advertisements and applications as well as data management in relation to the viewing of profiles created on social media, paying particular attention to the practice of the National Authority for Data Protection and Freedom of Information (NAIH) in Hungary.
Management of personal data – no anonymous job advertisements, and requirement to provide appropriate (preliminary) information
According to NAIH procedures, anonymous job advertisements should definitely be avoided, apart from a few exceptional cases justified by the employer’s economic (market) interests. A job advertisement is anonymous if it does not indicate the company’s name. An applicant’s right to informational self-determination includes receiving appropriate information regarding the management of personal data even prior to submitting the job application. This means knowing to whom and to which company they are providing their personal information. It is especially important for the job advertisement to have an email address and a phone number, enabling applicants to exercise their rights in relation to the management of personal data, e.g. they can request the deletion of their personal data.
Viewing a personal profile created on social media
According to NAIH procedures (and the recommendation of Data Protection Work Group No. 29), at least the following data protection requirements have to be complied with during a recruitment process when viewing social media profiles:
- Preliminary information must be provided for applicants (disclosing that during the recruitment process the employer will view the content of the applicant’s social media profiles that is accessible to the public).
- The employer may not view information to which public access is restricted (e.g. obtaining information disclosed in closed groups through another member of that group).
- Only data that qualifies as material and relevant for the purposes of the given job application can be viewed.
- The applicant’s public social media activity can be viewed and conclusions can be drawn based on it, but no further data management of any kind is allowed (i.e. the applicant’s profile cannot be saved and forwarded).
Unsuccessful application – employers must give notification
The notification requirement regarding an unsuccessful application is related to the applicant’s right to informational self-determination. According to NAIH procedures in Hungary, it is not acceptable for the job advertisement to include a stipulation (or similar provision) stating that “if the applicant does not receive any notification within 8 days of the expiry of the application deadline, the application should be considered rejected”.
Keeping applications on record
Once the applicant has been selected and the position has been filled, the data management purpose ceases to exist and so the personal data of the unselected applicants must be deleted, or at the applicants’ request, the application documents have to be sent back to them. It is important to emphasise that any conclusions drawn regarding the applicant based on this data also qualify as personal data. This means that if the employer takes notes on the applicant, these qualify as personal data too, and also have to be deleted when the selection process is closed. Applications can only be managed legitimately in the future with the applicant’s voluntary, specific and explicit consent based on receipt of appropriate information. For example, an employer stating that “if you do not respond to our letter within 8 days we will continue to manage your personal data” (or any similar statement) is no longer acceptable.
So given that the management of personal data already starts in these early phases, due care should be taken when posting job advertisements and managing applications, and the rules on data protection must be complied with.
If you would like to know whether your company’s data management practices meet the GDPR requirements, get in contact with us and we will review your current situation!