Unless a company is popular enough to receive thousands of job applications, it must not fully rely on automated recruitment systems. It must keep a human in the loop. The recruitment is deemed to produce significant effects on a person.
USEFUL SOURCES
» Article 29 Working Party, ‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’ (22 August 2018) https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053
2. Personal data protection basics
2.6. The obligation to appoint a Data Protection Officer (DPO)
2.6.1. Background
With the adoption of the GDPR, both controllers and processors may be required to appoint a Data Protection Officer (DPO). The concept of a DPO is not a new one, and the WP29 previously argued that the DPO is a cornerstone of accountability.
2.6.2. Is the appointment of a DPO mandatory for SMEs?
In practice, the requirement to appoint a DPO will not typically apply to SMEs. At the same time, it should be noted that, contrary to popular belief, it is not the size of a company that determines whether it has a legal obligation to appoint a DPO, but rather the core data processing activities the organization conducts. These are the personal data processing activities essential to achieving the company’s goals. The appointment of a DPO therefore concerns SMEs acting as either controllers