IMPACT OF THE GENERAL DATA PROTECTION REGULATION (RGPD) ON THE RECRUITMENT AND SELECTION PROCESSES
The EU Regulation 2016/679 introduces significant changes to the personal data protection rules in force, applicable in Portugal from 25 May.
The EU Regulation 2016/679 introduces significant changes to the personal data protection rules in force, applicable in Portugal from 25 May. Avoiding fines and reputational damage from non-compliance should be a present concern.
Companies should pay attention to their procedures for processing personal data in the workplace, namely, with regard to recruitment and selection processes.
Let’s look at some points that require changes:
- Consent of Candidates for the processing of their personal data: if in the past the tacit consent of candidates for the collection and use of data was assumed when they delivered their CV for a recruitment process, now, with Under the current regulation, companies must seek consent from applicants for this purpose. If they intend to keep the candidates’ data for use in future processes, they must also have their consent.
- Procedures for Spontaneous Applications: a procedure must be created through which the HR department obtains consent for the conservation of resumes, indicating the purpose for which they will be processed and the deadline for their file.
- Procedures with CVs already existing in the company: as for CVs already contained in the databases, a notice should be sent requesting candidates to keep their data, as well as the expiration date for this consent.
- Contacting potential candidates: Contacting candidates will only be legitimate with those who are in the database, making an exception to the LinkedIn platform where possible candidates are a priori they can expect to be contacted, and later consent must also be requested.
- Data conservation period: data can only be kept if they are up to date. The idea that HR must have a procedure for eliminating CVs and additional documentation (as a result of recruitment processes) is implicit. The National Data Protection Commission understands that applicants’ data is out of date after one year of collection.