The human side of GDPR...
- Elisabeth Guissart
- Nov 27, 2018
Updated: Dec 5, 2021
Written by Raymond Faber and Elisabeth Guissart - Avocats à la Cour
Published on 27.11.2018 - Paperjam

Any entity managing human resources processes personal data at different levels, and the impact of GDPR on these processes is far from neutral.
What many people forget is that these data processing operations are not limited to employees, but usually also concern job applicants (who are not selected), trainees/students, etc., and that the processing of these data poses real challenges beyond the simple duration of the employee's employment contract.
Vigilance is therefore the key word for any HR department, as the principle of data minimization and proportionality takes on its full meaning here.
During the recruitment process, the first thing to do is to keep the data collected to a minimum: do I really need the applicant's personnel number or bank details during the initial interviews? In all likelihood, no. So why ask for them?
It is important to keep in mind that the least dangerous data is the data you don't have.
It is only at a later stage that the file of the selected candidate will have to be completed with the data necessary for the conclusion of the employment contract. In practice, however, human resources are often confronted with the problem that they spontaneously receive, at a pre-employment stage, personal data that they have not requested, that they do not need and that they should theoretically refuse, at the risk of violating the principle of data minimization.
In the same context, it is a matter of adapting one's note-taking during job interviews and deleting within a reasonable period of time those applications that did not lead to an employment contract afterwards. Even though GDPR does not prohibit companies from retaining certain applications in case a new position is about to open, it is important to inform the applicants in advance, to choose a reasonable retention period, to respect it and to be able to justify it. A retention period covering the trial period of the selected candidate could thus, without doubt, be considered reasonable. This data can obviously only be used in a recruitment context and cannot be integrated into a marketing distribution list, for example.
Social networks, an Ali Baba's cave for human resources
It's so tempting, it's so easy and it comes directly from the candidate, so why not take advantage of it? The good news is that it is not forbidden to consult the "information" that can be found on social networks if the position requires it or if such an approach is "relevant" to the position in question, provided that the candidate has been informed in advance.
What about reference checks?
It is not forbidden to carry out a reference check on the candidate, but this processing must be proportionate and comply (like any other processing) with the GDPR rules. This means, among other things, that the candidate must be informed in advance. In practice, one should not go too far in monitoring and collecting data. It is advisable, for example, to limit the checks to the content of the candidate's CV (e.g. checks on diplomas and dates).
Beware of the criminal record!
It should also be noted that the collection of criminal records can only be carried out under very strict conditions [1]. It can only be requested for certain positions and kept for a very limited time. It must be deleted immediately if the candidate is not selected and within a month if he or she is hired. Needless to say, this also applies to copies of records or manually transcribed information on another medium. The obvious reason for this very short retention period is that a criminal record can, by its very nature, change very quickly, for example over a weekend...
Protection of HR data
During the life of an employment contract, one of the important issues for companies in relation to their HR data is the implementation of organizational or technical measures to protect this data. For example, is it acceptable for a training manager to have access to the entire file of each employee? Definitely not. Careful management of access to personnel files (electronic or paper) is certainly the priority in terms of security.
At the end of the employment relationship, the main issue for the HR department is undoubtedly to sort out the data held. While the ideology of GDPR, and in particular the principle of privacy by design, would like any organization to be able to separate, within the same employee file, the data that can be kept from the data that must be destroyed, it appears that in practice companies (or their IT systems) are not yet adapted to this obligation.
[1] Luxembourg law of 23 July 2016 amending the Act of 29 March 2013 on the organization of the criminal record.