When you are looking for qualified personnel, you will often receive a few dozen applications. Digital mail traffic accounts for more and more of them, which means that the new data protection rules also apply in this area. So if a convincing cover letter arrives with a proper CV, and the applicant is not suitable for the advertised job from the start but would fit another position, may that application be stored for the future? – These and other questions are clarified in this article!
The new data protection legislation (DSGVO)
Privacy laws are not exactly among the most entertaining reading. Dealing with them and understanding them can take a lot of time and nerves. This is probably why so many companies do not know and follow them, or do so only partially. But with the EU's DSGVO together with the new Federal Data Protection Act (BDSG-new), the current legislation deserves a closer look, because these two laws replace the previous data protection laws.
These 6 points must be adhered to on the basis of the new regulation!
# 1: Wherever possible, each company should give its applicants the opportunity to send their application documents in encrypted form. Otherwise this highly personal data can easily be read by third parties. Every company should provide an encrypted channel through which documents can be submitted!
# 2: As soon as an application reaches the company, whether digital or physical, the applicant must be informed about the nature of the data collection. The purpose of the processing, the retention period and the department that has access to the data must be clearly communicated. This can be done quickly and easily, for example, with an automatic confirmation of receipt. This requirement is set out in Art. 13 of the GDPR.
# 3: As before! – Personal data may only be stored in conjunction with a valid purpose, as is the case with an application procedure. This was already laid down in the old Data Protection Act and remains an integral part of the BDSG-new and the DSGVO. Specifically, this means that once the application process is completed and the position has been filled by a specialist, all data is either returned (physical application) or deleted (digital application). Although there is no uniform rule for this, the deletion or return should nevertheless have taken place no later than 6 weeks after the position has been filled. If the data is still to be stored for a longer term,
# 4: Just like a company's clients, applicants now have the right to comprehensive information about the data stored about them. For every record stored, care should therefore be taken to document the purpose in each case. A short note such as “Applicant Pool Approval” helps keep track of things.
# 6: With the new General Data Protection Regulation as well as the BDSG-new, the fines have risen drastically alongside the rules! A lack of documentation and of an in-depth security review can be penalized with up to four percent of the company's global sales. At most, such a violation can cost up to 20 million euros!
What do these data protection laws mean specifically for the future?
In the digital world, privacy is now becoming more important. With the entry into force of the two new laws, the rules have once again been significantly tightened. A violation means a severe blow to the company's liquidity. Furthermore, future recruiting processes become much more difficult, since a violation can also damage the company's reputation.
Every company's applicant data management must therefore be fully reviewed. Where the standards are not met, new processes should be introduced as necessary to keep these sanctions at bay. This does not necessarily mean that ten new employees have to be hired; the measures must be adapted to the size of the company, and a realistic budget framework should be made available for this. The following steps show how the changes of the DSGVO as well as the BDSG-neu can be fully complied with:
First, the technical conditions must be checked. If possible, the managing director, the works council and the human resources department as well as an IT consultant should take part in this inventory. An external data protection officer can additionally help ensure that all regulations are observed and that data protection risks are recognized at an early stage.
It must be ensured that only authorized persons can access candidate e-mails and documents; nobody else should be granted these access rights or shares at random. If an automatic acknowledgment of receipt is in place, it must also be set up accordingly. In addition to storage, the deletion of personal data must also be guaranteed once the retention period has expired. The exact requirements can be found in Art. 13 of the GDPR.
Each individual process must be documented and recorded so that the current status can always be communicated and substantiated on request. To ensure that this understanding is fully accepted and followed in the human resources department, it is worthwhile to offer regular training courses. Awareness of privacy plays a significant role in this!
At first glance, these rules and regulations may seem a bit daunting. But with good organization and planning, the result is a manageable process that adheres to all data protection regulations with flying colors. The risk of a financial sanction of this magnitude is a hard blow for any company! Appropriate preparation can rule out a possible legal dispute from the outset!