Update Data Protection No. 49
Data protection in the application process
Under its Article 88(1), the GDPR allows Member States to draw up their own rules for the area of employee data protection. Germany has taken advantage of this option with Section 26 of the Federal Data Protection Act (BDSG). The first sentence of Section 26(1) already applies while the decision to establish an employment relationship is made and hence it needs to be taken into account early in the application process. In the following text, we have concentrated on three aspects of the application process which are of particular relevance in terms of data protection.
To whom may the applicant’s data in the company be forwarded?
Where a works council exists within an enterprise with more than 20 employees, the company must, pursuant to the first sentence of Section 99(1) Works Constitution Act, submit the application documents and other papers compiled in the course of the application process to the works council. This applies not only to the most promising applicants but also to those applicants the company does not wish to consider. The potential employer must obtain the works council’s agreement to the recruitment of the most promising applicant. The passing on of this data to the works council is a permitted data processing activity under the first sentence of Section 26(1) of the BDSG as it is required for fulfillment of the works council’s rights arising under Section 99 BetrVG [Works Constitution Act]. The works council needs the documents in order to decide whether to give its consent. However, once it has made its decision on the requested consent, but at the latest after one week, the works council must return the documents. The works council is not permitted either to retain or to copy the documents received; it must comply with the principles of data avoidance and data economy under Article 5 GDPR.
The application documents may also be passed on to potential future line managers if the latter are allowed to be involved in the internal decision-making on recruitment and the filling of vacancies. The application documents may be consulted in order to ascertain whether the applicant is appropriate for the given team in the light of his/her skills. Once the decision has been made and a response given, however, the potential line manager must erase or return the data without delay. In addition, he/she must ensure that the documents cannot be viewed by third parties, e.g. the documents should not be left open on the desk.
When must the applicant’s data be erased?
Personal data are to be erased should they no longer be necessary for the purposes for which they were collected or processed. Where the application process is complete, there are two options:
Where the application process has been completed successfully, meaning the applicant has been given the job position, the personal data can be transferred to the personnel files. They are required partly to administer the employment relationship and partly because a legitimate interest exists in their transfer pursuant to Article 6(1)(f) GDPR. Within the existing employment relationship, reference is frequently made to application documents to check training opportunities, implementation options, the allocation of new assignments etc.
However, once applicants have been rejected by the employer, their data must be erased. There is no legal time limit within which they have to be deleted. Immediate erasure should be discouraged, however. Unsuccessful applicants still have the option of asserting claims under the General Equal Treatment Act (AGG). The time limit for asserting such claims under Section 15(4) AGG is two months. Rejected applicants then have a further three months following the assertion of the claim to take legal action under the Labor Court Act. Given that a certain amount of time is still needed for processing and posting, it is recommended, in practice, to keep applicant data for a maximum of six months so as to be able to defend any AGG claims. The data should then be erased no later than at that point.
Storage of data in an applicant pool
Enterprises often give rejected applicants the option of remaining in an “applicant pool”. This means the applicants can still be considered for future or other vacancies that remain open. For this to happen, applicants must, however, give their express consent to the storage of their data. There is no time limit on the validity of such a consent. However, for best practice purposes, it is recommended that such a consent should be “renewed” after a certain period of time. This means that the enterprise will write to applicants and ask whether they still consent to the processing of their data within this applicant pool. Should this not be the case, the data is then to be erased.
The application process itself presents a number of data protection law aspects which the employer needs to consider. In doing so, the employer must always undertake a balancing act between obligations (e.g. to the works council), own interests (protection against AGG claims) and data protection obligations.