GDPR Alert: Are your recruitment practices compliant?

Wiggli Team
December 25, 2023

In the context of recruitment, candidates' personal data is collected and used. To protect the privacy of this information, European companies are required to comply with the General Data Protection Regulation: the GDPR.

To help you meet your obligations in this area, here are the best practices to follow, step by step.

What is personal data processing in the context of recruitment?

In the context of a recruitment process, personal data processing refers to all operations (automated or not) that lead recruiters to access, use, store, and then destroy personal information obtained in particular during the search for qualified profiles or the analysis of CVs.

This personal information concerns the candidate's identity, professional experience, the assessment of their skills and abilities as listed on their CV, cover letter, and personality test results.

Beforehand, the company must define the purposes for which it processes data in recruitment.

The data a recruiter collects on candidates must serve to measure their professional skills and their ability to occupy the job for which they are applying. Nothing else. As the CNIL specifies in its Recruitment Guide, in practice, the processing implemented by the company can meet more specific purposes such as:

  • Searching and identifying relevant profiles to collect applications: creation of a CV library, creation of a platform allowing applications to be submitted on the company's employment website, creation of an online directory, consultation of a website offering job offers on the Internet to candidates, making contacts at a "job" forum;
  • Pre-selection of candidates: sorting, recording and ranking of CVs and cover letters in paper form or in a database, use of scoring tools offered by websites listing job offers on the Internet, etc.;
  • Assessment of the candidate's ability to occupy a job and measurement of their professional skills: processing of information collected during telephone, face-to-face, video interviews, etc.

Is the employer required to obtain the consent of candidates for the collection of data?

In the context of recruitment, it is not necessary to obtain the consent of a candidate to process their personal data. The reason? If the candidate refuses, their chances of being recruited could be compromised. Instead, the CNIL recommends that companies rely on the legal basis of contractualization, one of the 6 legal bases provided for by the GDPR.

Please note: if you plan to use personal data to activate your talent pool, the prior consent of the candidates is required, as this action is separate from the simple application process.

Finally, if you use cookies on your career site, in social sharing tools or in your candidates' browsers (for example, Google Analytics), explicit consent is required. Refusing cookies must also be easy, so that the user is not steered toward giving consent.

The 6 legal bases: what are we talking about?

To be lawful, any data processing must be based on one of the six "legal bases" provided for by the GDPR. The choice of the legal basis has several consequences, particularly in terms of the rights open to the candidates concerned. Therefore, the determination of the appropriate legal basis must be carried out before the processing and brought to the attention of the persons concerned. You can find the details in this guide.

Who can access the personal data collected on candidates?

It is up to the recruiter to determine which persons are authorized to access candidates' personal data, based on their duties and the nature of the tasks or functions they perform.

During the recruitment process, the following persons may be required to receive and process personal information relating to candidates:

  • Recruitment officer
  • HR manager
  • Manager who will supervise the future recruit
  • The director of the structure, the CEO.

In other words, anyone who obtains the CVs and other personal documents of candidates without being involved in the recruitment process is not a priori authorized to access them. On the other hand, at the end of the recruitment process, different people will be able to access the candidate's personal information deemed useful to the performance of their duties, in order to:

  • Prepare their hiring (e.g.: service in charge of disability management to adapt the position before hiring)
  • Subsequently manage the candidate in terms of human resources (e.g.: payroll officer, training officer, logistics department for the creation of a badge, IT department...).

How long to keep candidates' personal data?

The GDPR does not define a specific period for which information must be kept for processing used for recruitment purposes. It is therefore up to each data controller to determine this, on the understanding that it must be coherent and justified according to the objective pursued by the processing implemented.

In practice, in a recruitment process, the life cycle of personal data can be divided into two successive phases:

1. Current use or "active database"

This stage concerns the use of information relating to candidates by the recruiter in the context of an ongoing recruitment process. The information kept in the "active database" is accessible to the recruiter in his or her immediate working environment. For example, the CV is stored on the recruiter's computer or on a company server.

2. Intermediate archiving or "intermediate database"

When the recruitment process is completed, whether or not the candidate has been selected, the information relating to him or her that has been collected by the recruiter will no longer be used to assess his or her skills and the objective of collecting this information is therefore considered to have been achieved. Consequently, the recruiter no longer needs to keep this information in his or her immediate working environment, i.e. in the "active database".

However, this information may still be of interest, particularly for the management of any litigation such as a discrimination case, or must be kept to comply with a possible legal obligation (such as public sector archiving rules). The information can then be kept in an intermediate database, where it can be consulted, on an ad hoc and justified basis, by specifically authorized persons.

Once the retention period in the intermediate database has expired, the information must be deleted or anonymized.

© 2024 Wiggli. All rights reserved.