Your CV and the GDPR

What is GDPR?

GDPR (General Data Protection Regulation) is a European regulation that came into force on May 25, 2018. Its purpose is to protect people’s rights in relation to their personal data and to define the responsibilities of those who process that data.

Basically, the regulation requires organizations to process your personal data with care, only for a specific purpose, and to store it no longer than strictly necessary.

What application data is covered by the GDPR?

Any information that you provide during the application process is considered personal data. This could be information from your resume, a cover letter, application forms, assessment tests, psychometric tests, interviews, and even interview notes about you.

Even if you consent to the provision of personal information, your data remains protected by laws that guarantee its confidentiality.

Here are some examples of data that might be required during the application process:

Your name
Your address
Your phone number
Your email address
Your educational history
Work history

What personal data cannot be transferred?

Employers, recruiting agencies or recruiters are prohibited from processing special categories of personal data, unless there is a legal exception. Personal data of a special category is data that reveals a person’s race, religion, political opinion or health status.

Passport photo

A passport photo on a resume also falls under a special category of personal data, as someone’s origin or religion can be inferred from a photo.

If you, as a candidate, consent to the storage and processing of your passport photo by third parties, the employment agency or recruiter may share it with the client. This consent is valid only if providing the photo is voluntary and not providing it has no adverse consequences. An employment agency or recruiter may not ask you to submit a photograph unless it is necessary to process your application.

Who can access or process your data?

When you apply through a recruiting agency or job board, the email address you submit documents to may be a shared one that is accessible to everyone.

However, only certain people are allowed to access and process your data under the GDPR:

Recruiters
Hiring managers
HR services
Executives you will work with
Employees directly involved in the recruitment process

The employer is responsible for ensuring that access to your data is controlled and limited to authorized persons. Any such access must be properly recorded so that you know who sees what, how, when and for what purpose.

How can your data be used in accordance with the GDPR?

The use of your personal information is subject to strict guidelines. Whether it’s information on your resume or information you may be asked to provide later in the recruiting process, here are some of the ways your data may be used:

Assessing your ability to get the job done

The data that you provide on your resume is intended solely for recruiters and potential employers to assess your skills for the job.

Personnel Management

An employer may ask you for emergency contact information if you need “reasonable adjustments” (disability adjustments) in the application process.

Access to the building

If you need a name badge to enter the company premises, you may be asked to provide a photograph; however, this is generally not required for visitor passes.

How long can your resume and other application data be kept?

Employers, recruiters and recruiting agencies may retain your data for as long as necessary to determine your suitability for an open position.

If your application is rejected, your data must be destroyed no later than four weeks after the end of the hiring process.

However, an organization may ask you for permission to store your data for up to a year if a suitable position becomes available. After this period, you may be contacted again to consent to the updating and storage of your personal data. If you do not consent, your data must be destroyed.

Your rights

You have various rights to control your personal data.

Right of access, correction and addition or deletion

As an applicant, you have the right to see what information is recorded about you. You also have the right to change your data or delete it from the database. Anyone can ask the organization to delete objectively incorrect data, incomplete data or data that are irrelevant.

The right to be forgotten

The right to be forgotten means that, in certain cases, an organization must delete your personal data if you request it. In the privacy statement, you will learn how to submit a request to change or delete your data. Once the organization receives your request, they must process it within one month.

Right to restriction of processing

This means you can restrict how an organization uses your data.

Clear privacy statement

Whether you are submitting your application through a recruiting agency or directly to an employer, a clear privacy statement must be posted on the website.

This should describe what data is collected, why it is needed and how the organization processes the data.

The privacy statement should also include information on the retention period. Companies must inform the applicant in advance what personal data will be stored, for what purpose and for how long.

What personal details do you need to include on your resume?

The level of personal information you need to provide depends on several factors, such as your country of residence and the position you are applying for. However, at a minimum, you will need to provide the following information:

Name, address, phone number, email address

In addition, you can include links to social media such as your LinkedIn URL, as well as provide your driver’s license information if relevant to the application.

Some personal details such as nationality, religion, gender and marital status add little to your resume and should therefore be omitted.