How to comply with GDPR in your recruitment process

April 29, 2019

A recruitment process for an organization will always involve contact with personal data. But have you ever considered whether your recruitment processes live up to what is required by the General Data Protection Regulation (GDPR) in the EU? If not, then keep reading and gain insight into some of the aspects that you need to consider in order to comply with the law and ensure GDPR compliance in your recruitment process.

Obtaining References

You may be thinking; ”I would like to obtain a reference from the applicant’s previous place of employment, but am I even allowed to do this?” This is a good question and the answer is not straightforward.

As a starting point, obtaining information from a previous or current place of employment must only be done with the consent of the applicant. An organization must not pass on the information that the applicant is applying for a position unless the person has given his or her consent to do so. Therefore, an applicant’s consent is crucial if an organization wishes to gather that kind of information during a recruitment process.

However, there is nothing wrong with obtaining information that the applicant has made publicly available himself, for instance on a website. Even so, the organization must always abide by its duty of disclosure if it chooses to do so. This means that the applicant has the right to be informed of which information the organization is obtaining and the purpose of this.

Personality Test

Many organizations use personality tests in their recruitment process in order to make sure that the candidate has the right qualities. In situations like these, there is no need to obtain consent, since the applicant voluntarily chose to take the test. However, the results of the test must be regarded as personal data, which means that the handling of these must comply with the General Data Protection Regulation.

Obtaining criminal records and statements of no previous convictions in respect of children

In connection with a recruitment process, it may be relevant to gain information about an applicant’s criminal offenses. In such cases, it is important for an organization to assess whether it is factual and proportionate to obtain a criminal record. In other words, an organization is only allowed to ask for information regarding an applicant’s criminal offenses if the person is eligible for the position and if it is considered a relevant aspect to take into account. Thus, attaching one’s criminal record cannot be made a requirement when applying for a job.

If the position involves direct contact with children under the age of 15, it will be mandatory for the organization to obtain a statement of no previous convictions in respect of children; however, this must always be done with consent from the applicant.

Information from Social Media

In this era of social media, you can find a large amount of information online and, contrary to the belief of many, it is okay for an organization to look at and process information from social media platforms. However, the duty of disclosure compels the organization to inform the applicant if this kind of information is being obtained. At the same time, the organization must assess whether it is factual and proportionate to do so.

Applicants who are not hired: Storing their personal data afterwards

When you are at the end of your recruitment process, you need to consider what to do with the personal information about the non-recruited applicants. If you want to keep the information for a possible employment in the future, be sure to get consent from the people in question. If you get consent, it is beneficial to set a fixed deletion deadline for the obtained personal data, because the General Data Protection Regulation requires that you do not store personal data longer than necessary.


We point out that our blog posts are neither comprehensive nor an absolute exposition of the compliance processes. RISMA Systems makes no guarantee that the information is accurate, up-to-date or complete, and the blog post must by no means be seen as legal advice. You are responsible for verifying that the information is in accordance with applicable law, if you are considering using it. All information is used at your own risk. RISMA Systems cannot guarantee full compliance with applicable laws and regulations, if you choose to follow the information in this blog post.
