In every HR/personnel department, vast amounts of personal data are processed. Not only employees of the company are affected, but also applicants in the application process.
Where are the limits of data protection here?
Consent to the processing of personal data during application
The first big question about data protection in the application process is: Do applicants have to consent to the processing of their data or may their data also be processed on the basis of another legal basis?
As is so often the case, the lawyer here responds with, "It depends!"
The processing of personal data in the application process may be lawful under Section 26 I 1 BDSG if the data is required for the decision on the establishment of an employment relationship. In this case, no separate consent is required.
For all other data, a corresponding consent must be obtained in accordance with the GDPR. It should be noted that this consent can be revoked by the applicant at any time.
Deletion of personal data after application
Once the data is available, another important data protection issue is when to delete it.
If an applicant is rejected, the corresponding personal data must be deleted immediately, Art. 17 I lit. a GDPR. An exception exists only if the data is required for the defense of legal claims (e.g., if it is foreseeable that the applicant intends to assert that his or her rejection is not compatible with the AGG). As a rule, the data controller can no longer rely on this exception once six months have passed since the rejection.
Information on the processing of personal data during the application process
According to Art. 12 ff. GDPR, the controller must inform the applicant about the processing of personal data. In principle, this information must be provided at the time of collection. Appropriate data protection notices must be provided depending on the application channel.
What happens in the event of unlawful processing?
If there is a breach of the GDPR in the processing of personal data in the application process, the supervisory authorities may initiate appropriate measures and impose fines. In addition, affected applicants can assert a claim for damages under Art. 82 GDPR. The company may also suffer major damage to its image.
To avoid such damage, it is particularly important to train the personnel in the HR/personnel department accordingly.
Do you need advice or assistance on the subject of data protection in your company? Our team of experts will be happy to help you! We also offer appropriate employee training tailored to your company. Contact us!