CNIL Recruitment Guidelines for Employers: Best Practices for Data Protection

The Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority, has published new guidance for recruiters to help them remain compliant with the General Data Protection Regulation (GDPR). In this blog post, we highlight the key points.

Why Is It Important to Think About Data Protection During Recruitment Processes?

Every department within an organisation must comply with the GDPR, and that includes the operations or HR teams that are usually in charge of recruitment. Throughout the recruitment journey, candidates entrust their personal information to the organisation at two critical stages: the initial application and the processing of that application.

For example, a resume/CV contains personal data such as the candidate's name, home address and phone number, and the GDPR exists precisely to protect this kind of information. Companies therefore need clear and transparent privacy notices for candidates, and recruiters are responsible for making sure candidates can actually access them.

When Can You Use Information Gathered for Recruitment?

The GDPR requires that personal data be collected for “specified, explicit and legitimate purposes” only (Article 5(1)(b)). In practice, this means recruiters may collect candidate data as long as the information is directly relevant to the position and there is a genuine intention to contact the applicants within a defined time frame.

Consent is not the only, or even the usual, lawful basis for recruitment processing: most candidate data can be processed because it is necessary to take steps, at the candidate's request, before entering into a contract, or on the basis of the employer's legitimate interests. Special categories of data are different. Information about a disability or other health condition, racial or ethnic origin, or genetic or biometric data may only be processed with the candidate's explicit consent or under another specific exception in Article 9 of the GDPR. Where consent is relied on, recruiters must request it in clear and plain language and tell applicants how to withdraw it, which must be as easy as giving it.

The following examples would be considered unfair ways of gaining information:

  • During a job interview, asking for a candidate's place of residence would be unlawful, except in cases where they need to participate in an on-call or standby program.

  • Filming or recording a job interview without prior notice would be unfair collection of their personal data.

Recruiters also need to tell applicants that their data will be used only for recruitment purposes, and where it is stored. This matters in particular because many large enterprises use Applicant Tracking Systems (ATSs) to streamline recruitment. These ATS solutions are typically supplied by third-party companies acting as processors, while the recruiting organisation remains the controller under the GDPR: if the supplier fails to meet legal requirements, the recruiting company is liable as well, which is why a written processing agreement with, and due diligence on, the supplier are required.

4 Key Points to Consider When Collecting Data for Recruitment

The CNIL’s guide for recruiters contains extensive guidelines on how recruiters may collect and process data, divided into 19 fact sheets explaining the do’s and don’ts for recruiters under the GDPR. We have condensed them into 4 simple points.

1. Collecting Personal Data

Candidates' personal information must only be used to evaluate their suitability for the job being offered and to gauge their professional aptitude during the recruitment process.

For example, CNIL says that recruiters shouldn’t ask for information such as the following:

  • Social security number and banking details (except in the specific case of temporary employment agencies acting as employers)

  • Information about family members

  • Whether they plan to have children

  • Their measurements, weight, hair colour, etc., except for certain specific job types (models, racing drivers, jockeys, etc.); in such cases the job posting should specify the desired characteristics.

The requested information should be used to determine which candidates are most suited to the open positions and to confirm their knowledge, expertise and interpersonal skills, in addition to the credentials needed for the role, such as diplomas and degrees.

Recruiters may use personality-assessment tools, but the information collected must have a clear and direct connection with the assessment of the candidate for the specific job being offered.

2. Exchange or Sharing of Personal Information

To meet specific requirements, the data collected on candidates may at times be shared internally or with external parties outside the organisation.

For example, information from resumes, cover letters and interview notes may be circulated among the key stakeholders: the hiring manager, the human resources manager and the manager(s) who would oversee the prospective hire.

Not every employee in an organisation is automatically authorised to see candidates' resumes and cover letters: access should be limited to the people who need it for the recruitment in question. The only exception is an exceptionally small workforce in which a few employees or agents have roles broad enough to handle the whole process in-house.

Additionally, in certain cases, recruiting firms may share profiles of qualified applicants, selected from their candidate pool, with prospective employers in specific industries like marketing, banking, or information technology, in order to fill positions.

3. Reusing Personal Data

Data gathered during the hiring process may be reused for other purposes only where those purposes are compatible with the original one. A typical example is statistical analysis and process optimisation: an agency may revisit applicants' information to assess what kind of candidates it attracts and how it could become more diverse, ideally working on aggregated or anonymised data so that individuals are no longer identifiable in the results.

Once a candidate is hired, additional personal information may be requested from them, or transmitted to third-party bodies, where this is required to set up things such as mutual health insurance, sickness cover and unemployment insurance.

4. Retaining or Erasing Personal Data

Candidates' personal information may be kept only for a predetermined period, which the organisation must define in advance and communicate to candidates. When that period ends, the data must be deleted or irreversibly anonymised.
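As an added illustration of the retention point (this is hypothetical example code, not part of the CNIL guide or of any ATS product), the following script enforces a fixed retention period on recruitment records: the clock starts at the last exchange with the candidate, hired candidates are excluded because their data moves to the personnel file with its own rules, expired records are wiped in place leaving only an identifier and erasure date for the audit trail, and a look-ahead lists records due to expire soon so they can be reviewed first. The retention period (730 days), the review window, the review date and the candidate records are all assumptions constructed for the example; the page does not specify a period, so your own policy must set it.

```python
"""Hypothetical example: enforcing a predefined retention period on
recruitment records. Not code from the CNIL guide; the period, the
review window and the sample records are assumptions made for the demo."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

RETENTION = timedelta(days=730)      # assumption: period fixed by the organisation's policy
REVIEW_WINDOW = timedelta(days=30)   # assumption: look-ahead for the pre-deletion review
REVIEW_DATE = date(2024, 6, 1)       # constructed "today" for the sample run


@dataclass
class CandidateRecord:
    candidate_id: str
    last_contact: date               # retention clock starts at the last exchange with the candidate
    hired: bool = False
    data: Dict[str, str] = field(default_factory=dict)
    erased_on: Optional[date] = None


def retention_deadline(rec: CandidateRecord, retention: timedelta = RETENTION) -> date:
    """Last day on which the record may still be kept."""
    return rec.last_contact + retention


def is_expired(rec: CandidateRecord, today: date, retention: timedelta = RETENTION) -> bool:
    # Hired candidates leave the recruitment file: their data is governed by
    # the personnel-file retention rules, so it is never purged here.
    if rec.hired or rec.erased_on is not None:
        return False
    return today > retention_deadline(rec, retention)


def erase(rec: CandidateRecord, today: date) -> None:
    """Wipe the personal data in place; keep only the id and erasure date as the audit trail."""
    rec.data.clear()
    rec.erased_on = today


def purge_expired(records: List[CandidateRecord], today: date,
                  retention: timedelta = RETENTION) -> List[str]:
    """Erase every expired record and return the ids that were erased (in input order)."""
    erased: List[str] = []
    for rec in records:
        if is_expired(rec, today, retention):
            erase(rec, today)
            erased.append(rec.candidate_id)
    return erased


def upcoming_expiries(records: List[CandidateRecord], today: date,
                      window: timedelta = REVIEW_WINDOW,
                      retention: timedelta = RETENTION) -> List[str]:
    """Ids whose deadline falls inside the look-ahead window, e.g. candidates to
    ask whether they agree to stay in the talent pool before deletion."""
    return [
        rec.candidate_id for rec in records
        if not rec.hired and rec.erased_on is None
        and today <= retention_deadline(rec, retention) <= today + window
    ]


def sample_records() -> List[CandidateRecord]:
    """Constructed sample data; these are not real candidates."""
    return [
        CandidateRecord("C-001", date(2022, 1, 15), data={"name": "A. Martin", "email": "a.martin@example.test"}),
        CandidateRecord("C-002", date(2023, 9, 1), data={"name": "B. Dupont"}),
        CandidateRecord("C-003", date(2021, 11, 30), hired=True, data={"name": "C. Leroy"}),
        CandidateRecord("C-004", date(2022, 5, 20), data={"name": "D. Bernard"}),
        CandidateRecord("C-005", date(2022, 6, 15), data={"name": "E. Moreau"}),
    ]


if __name__ == "__main__":
    records = sample_records()
    print("due for review:", upcoming_expiries(records, REVIEW_DATE))  # ['C-005']
    print("erased:", purge_expired(records, REVIEW_DATE))              # ['C-001', 'C-004']
    print("second pass erased:", purge_expired(records, REVIEW_DATE))  # []
```

Run it as a scheduled job with the real retention period from your privacy notice substituted for the placeholder; because `erase` only clears the data fields, the same ids can be fed to the ATS supplier's deletion API so that the processor's copy is removed too.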

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations, without the burden of keeping up with ever-changing digital requirements.

We are here to help you; get in contact with us today for more information.
