6 Tips for International Recruiting Programs in the Era of GDPR and Emerging U.S. Laws

When your organization is searching to fill a new position, you understandably want to find out as much as possible about the candidates who apply. Aside from determining whether the candidate has the specific skill set, education, and experience necessary to do the job, you want to make sure that the person will fit in with the team. Do they have a positive attitude and integrity? Are they flexible and hardworking? Are they a good communicator and team player? Are they dependable and creative at work? If possible, you want to hear from references provided by the candidate to confirm that the candidate was sincere and meets your organization's needs. You might even want to check how they behave on the internet.

It is difficult to figure all of this out through the traditional hiring process, so many companies resort to seeking additional information from the candidate directly and to conducting extensive background checks that might even include reviewing the candidate's social media accounts. The personal information that an organization may collect during the hiring process is, however, quite limited under the EU General Data Protection Regulation (GDPR), the implementing laws of the EU Member States, and emerging U.S. laws. Here are six tips for your international recruiting programs.

1. Do not collect more information than you need

The basic GDPR rule that all organizations must comply with is the data minimisation principle (Article 5(1)(c) GDPR), often described as proportionality: organizations should not collect more information from candidates than is necessary to determine whether the person has the specific skill set, education, and experience necessary to do the job.

This will usually include the information on their CV, such as name and contact details; previous work experience and education; skills; professional and other work-related licenses, permits, and certifications; and information relating to references, as well as other information that candidates might volunteer to the organization (such as employment preferences, willingness to relocate, current and desired salary, awards, and professional memberships). The company can usually rely on its legitimate interest or a legal obligation when processing such information, depending on the relevant jurisdiction. Regulated organizations (such as financial institutions and insurance providers) might be legally required to ask for more information and to conduct certain background checks to determine whether individuals are fit to be placed in certain positions of trust. The kinds of background checks, and the roles for which background checks are allowed by local law, vary per EU Member State, so if your organization is conducting background checks, make sure to determine what is allowed in each specific jurisdiction. In Germany, for example, the lawfulness of background checks (both criminal and credit) will depend on the specific tasks and responsibilities of the job. This is quite different from the United States, where, pursuant to the Fair Credit Reporting Act (FCRA) and numerous state corollaries, some type of background check is generally allowed, subject to a stand-alone disclosure and the applicant's written authorization, a copy of the report (with a summary of rights) being given to the applicant before any adverse action is taken based on it, and notice to the applicant once an adverse action is taken.

2. Provide an appropriate privacy notice at the start of the hiring process

Information collected from applicants is distinct from information that your organization collects from customers or website visitors, and more limited than the information you would collect from employees. Job candidates are not yet your organization's employees; therefore, employee privacy notices are not appropriate. Your organization must have a notice that describes what kind of personal information will be collected about candidates, how and from which sources, and how such information will be used by the organization, and it must cover all other transparency requirements of Articles 13 and 14 GDPR (including information on data retention, international transfers, and individuals' rights). In the United States, the California Consumer Privacy Act (CCPA) requires businesses to give applicants who are California residents notice at or before the time their personal information is collected. The content requirements are more limited than the GDPR requirements: the notice must describe the categories of personal information collected and the purposes for which the information will be used. CCPA notice requirements will expand if the current exemption for human resources data is not extended. Businesses that are subject to the CCPA and that already have a GDPR-compliant applicant notice may want to repurpose that notice, with some modifications, for applicants in California.
Ensure that the notice clearly describes all purposes for which the organization might use the candidate's personal information. The purposes can include, for example, administering the job application process, assessing capabilities and job qualifications, conducting reference and background checks, responding to any inquiries from the candidate, complying with applicable laws, and preserving other legitimate interests of the organization (such as aggregate management reporting and internal training). The privacy notice should be provided to the candidate at the beginning of the hiring process, before or at the time personal information is collected. For example, if you have a dedicated careers website that accepts online applications, place a clearly visible hyperlink on the first page of the online application form, directing the candidate to the privacy notice for more detail about how the organization will handle personal information collected in the context of the hiring process. The candidate must also be able to revisit the privacy notice at any time, so ensure that every page of the careers website contains an easy-to-find hyperlink to the notice (for example, in the footer of the website).

3. Do not ask for consent unless required by local law

The Article 29 Working Party (the predecessor of the European Data Protection Board, EDPB) explained in its Guidelines on consent (WP 259) that it considers processing the personal information of not only current but also future employees on the basis of consent problematic for employers, because such consent is unlikely to be freely given, given the imbalance of power between the parties, and is therefore invalid. If your organization processes only the personal information that is absolutely needed to determine whether the job applicant is qualified for the position, it likely can rely on its legal obligations and legitimate interest. Consent should only be used if so required by EU Member State law. In a regular procedure, where your organization limits itself to the strictly necessary information to select a candidate, consent will likely never be needed or appropriate.

4. Do not ask about an applicant's private life

Asking candidates about their private life for the purpose of the hiring process will be difficult to defend under the GDPR. This information is unlikely to be required, or even relevant, for the hiring decision; collecting it would therefore violate the GDPR's data minimisation (proportionality) principle, it may not be justified under legitimate interest, and it may require another legal basis. Where the information falls within the special categories of Article 9 GDPR (such as health, religious beliefs, or sexual orientation), an additional condition for processing is required on top of the Article 6 legal basis.

This approach differs significantly from the approach to sensitive information collection in the United States. The collection of certain information is prohibited, such as pre-offer medical inquiries (under the Americans with Disabilities Act) and genetic information (under the Genetic Information Nondiscrimination Act), while it is strongly recommended not to request or collect other types of sensitive information. For example, employers must take care when requesting information on race or religion, as it may evidence discriminatory intent.

5. Only screen publicly available social media related to business purposes

Screening social media and other publicly available information, including candidates' websites, blogs, and vlogs, during the hiring process is currently quite widespread. Many organizations check the internet for additional information about the candidate, especially if such sources are publicly available.

This approach is generally fine in the United States, where social media laws passed at the state level focus on prohibiting employers from requiring an applicant to disclose a username and password, change privacy settings, or add other employees as contacts so that the company can gain access to personal social media pages. These restrictions, however, do not limit an employer's ability to view and act on posts to public social media pages, as long as there is no discriminatory basis for its actions (for example, failing to hire an individual whom it learned from social media is pregnant) and the applicant's actions are not otherwise protected as lawful off-duty conduct under state law.

In Europe, however, organizations should not assume that just because a candidate's social media profile or website is publicly available, they are allowed to process the information contained therein for recruiting purposes. A publicly available LinkedIn profile is likely a fair bet, because that medium is set up for business purposes; however, organizations should not screen information from social media and other web pages of candidates that were clearly set up for private purposes and have nothing to do with the job. This means staying away from other publicly available social media profiles, posts, and any other media that the candidate is clearly using for his or her private life and entertainment.

6. Limit retention

The U.S. FCRA Disposal Rule and state data security and breach notification laws have made U.S.-based multinational businesses more cognizant of the dangers of retaining information and the importance of secure disposal. Still, many businesses fail to translate that into data retention practices. A basic tenet of the GDPR is that personal information is retained only for as long as required to accomplish the purpose for which it was collected. What does that mean in a hiring context? Many companies like to maintain a database of candidates, keeping the information of individuals not hired for a particular position in case a more suitable position opens up. First, that practice should be described in any notice to applicants, and, even so, there may be restrictions on how long the information can be retained under local Member State laws. Organizations should keep in mind that an applicant's information, such as resumes and CVs, becomes outdated fairly quickly, and should consider implementing a practice of purging applicant information regularly, subject to any local data retention or disposal requirements. Should an organization wish to retain the data for future opportunities longer than would otherwise be permitted, the candidate's consent might be required in certain jurisdictions.

About Securecheck360

All our clients stand out from their competitors by having qualified and thoroughly vetted candidates, through a combination of our unparalleled background screening processes, solutions tailored to their unique requirements, quick turnaround time, compliance with regulatory laws, paperless workflow automation technology, a dependable background verification partner, round-the-clock customer service availability, and accurate results.
We have saved millions of dollars for our customers by minimizing their risk of poor hiring and have established a rich history of strong employee retention rates. Every client is a priority, and every requirement is a priority. It is easy to get comfortable, fit in, and settle for what you get, but Securecheck360 does not stop there. We go the extra mile and push ourselves towards excellence by offering unparalleled customer service to give you the comfort, trust, accountability, and readiness you need for your business goals.

This document has been provided for informational purposes only and is not intended and should not be construed to constitute legal advice. Please consult your attorneys in connection with any fact-specific situation under the Federal, State, and Local laws that may impose additional obligations on you and your company.

