from Hacker News

A GDPR Compliance Guide for HR Team

by victorkab on 5/27/18, 3:53 PM with 1 comments

  • by weinzierl on 5/27/18, 5:06 PM

    The article is a bit shallow but this is an interesting topic.

    The GDPR is in a sense modeled after the German Data Protection Act (Bundesdatenschutzgesetz, BDSG) and in many respects very similar. So it might be interesting how candidate data has been and is handled in Germany. The following are my personal takeaways from when I did hiring for a small business. I'm by no means an expert so take them with a grain of salt:

    1. If you can outsource the hiring process, do it. It will save you a lot of headaches.

    2. Keep correspondence with applicants separate from your other business correspondence. The reason is that data retention rules are very different for both types of correspondence. As a rule of thumb: Ordinary business mail has to be archived for at least 10 years in Germany.

    3. You cannot keep applicant data at will. You need a reason. Valid reasons are:

    - the data is needed for the application process

    - the applicant has given you consent to keep the data

    At any point in time that you have the applicant data, you need one of those reasons; you don't need both. At first you are covered because you need the data to conduct the hiring process.

    Consensus is that you can keep application data for a maximum of six months after the application process has ended. The end of the application process is determined in most cases by the date of the rejection letter.

    The six months isn't arbitrary but determined by the maximum of various periods for filing suit. If I remember correctly, the anti-discrimination law (Allgemeines Gleichbehandlungsgesetz, AGG) is the determining factor.

    You can ask your candidate in the rejection letter for consent to keep their data for a specified amount of time, and I've heard that some companies do this. We decided against this because keeping track of the additional deadlines for deletion would have been too complicated for little benefit.

    Deletion of application data means erasure of all personally identifiable information. This includes backups.

    One last thing. The original post states the following question:

    > Can you quickly and efficiently respond to an employee’s data subject rights request?

    I think this is misguided. Yes, sure, you should be able to respond to this request, but in practice it will never happen. As long as the candidate is in the application process (plus 6 months) they will never ask for their data and even if they did it would be easy to answer. After that you have no personally identifiable information of the candidate and the answer is also easy.