The digitization of industry and the public sector also includes the process of recruiting new employees. Applicant data is increasingly reaching the HR department via e-recruiting platforms. What does this mean for data protection?
Companies are increasingly relying on digital communication. As a result, communication with applicants is also becoming more and more digital. Online platforms, i.e., e-recruiting or online recruiting platforms, are especially popular.
However, the trend towards digital application documents must not result in insufficient protection of applicant data.
Therefore, the following principle applies: Digital application documents must receive at least the same protection as conventional, hard-copy applications. In doing so, it is important to consider the specific features of the different online application platforms.
What is the legal basis for data protection in e-recruiting?
- Section 32 of the Federal Data Protection Act (BDSG; data collection, processing and use for employment purposes) was in force until May 25, 2018.
- As of May 25, 2018, Article 88 of the General Data Protection Regulation (GDPR, Processing in the context of employment) is applicable.
- In addition, the national implementation of this article in Section 26 (data processing for employment-related purposes) of the new BDSG must be taken into account.
According to this article, controllers, i.e., public or non-public bodies or companies, may process personal data of employees for employment-related purposes where necessary for hiring decisions or for establishing the employment contract. According to data protection law, "employees" also include applicants.
E-recruiting: special data protection requirements
This does not mean e-recruiting is not subject to privacy rules, however. In fact, the law requires that an applicant be guaranteed all the rights of a data subject granted under the GDPR.
- Right of access
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to restriction of processing
- Right to object
- Right to data portability
Recommendations by supervisory authorities regarding online recruiting
In recent months and years, the data protection supervisory authorities have repeatedly stressed the importance of data protection in e-recruiting.
These notices specify key requirements for applicant management:
Special categories of personal data
If the e-recruiting solution does not guarantee that special categories of personal data will be properly processed in applications, the job advertisement on the web must contain a clear reference to this fact.
If the controller, i.e., the public or non-public body, does not rectify this deficiency, the supervisory authorities require that applicants be permitted to use the postal service so that they can send their applications in compliance with data protection laws.
Data minimisation / purpose limitation / privacy notice
During a web-based online application process, controllers are required to collect only data that is necessary to determine eligibility, aptitude, and performance for the advertised training programme, post, or job.
The online forms in the recruiting system, usually extensive questionnaires, must explain the purpose for which the company or public body will collect the applicant’s data.
Security of processing
Applicant data must be protected against misuse, loss and unauthorised access with the appropriate level of security.
E-recruiting platforms operated by service providers fall under the category of order processing. If these service providers come from third countries, controllers must also examine the legal basis for international data transfer.
Erasure / storage
If the controller hires the applicant, the application documents usually become part of the personnel records. However, only the data necessary for executing the employment contract may be included in the records, not all the data.
The remaining data for the selection process must be deleted or returned to the applicant.
If a controller decides to use application portals and to allow applicants to be included in a talent pool (for future vacancies), the controller must create specific privacy notices for this purpose. In particular, the supervisory authorities require controllers to explain that consent can be withdrawn at any time.
Links to profiles in social networks
Some e-recruiting platforms offer to "enhance" applicant data with data from social networks. Such data may not be collected from the private online profiles of applicants.
Document e-recruiting as a procedure!
All these points show the importance of data protection in processes such as e-recruiting. Therefore, the procedure must always be reviewed and included in the record of processing activities.
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection.