Candidates’ personal data must be processed in accordance with GDPR when recruiting

GDPR tightens the requirements for processes in connection with recruitment. A job applicant must provide consent for the processing of his/her personal data. The job applicant must also be clearly informed about how the data will be processed and has the right to correct or delete the information, says Nina Sigurdsson, Business Area Manager, HR Services at Accountor.


“In a recruitment process, personal data is processed and the law applies to all companies and organisations that recruit employees,” emphasises Kristin Annerstedt, Accountor’s Senior Recruitment Officer.


There must be a clear description of how personal data is processed

According to the General Data Protection Regulation, job applicants must be informed clearly and in detail of which personal data will be collected and how it is then processed. The applicant must also give his/her consent to the collection, processing and storage of personal data. This consent must be obtained actively, in writing, electronically or verbally.

Companies that recruit are responsible for ensuring that the processing of personal data takes place in a legal manner and that job applicants are informed.

“To be certain that this obligation is being fulfilled, it can be appropriate for the company to include a request for consent in its own confidentiality policy,” says Nina Sigurdsson.


The requirements can be met if you use a recruitment system

Recruitment solutions make it possible for an organisation to easily meet the requirements of the EU’s data protection regulation, in terms of both the processing and security of personal data. It is not considered secure to email personal data. Examples of what is processed in a digital recruitment solution in the cloud include:

The applicant’s consent:

  • The system has an integrated solution that means the job applicant must actively give his/her consent to the processing of his/her personal data.
  • It is not possible to apply for the job without the job applicant’s consent.
  • The applicant can easily withdraw his/her consent and ask for the application to be deleted
  • The employer must be able to show how and where the job applicant gave his/her consent and when information with the applicant’s consent was archived

Information to the job applicant:

  • The processing of personal data is described in detail to all candidates
  • The job applicant is informed clearly and unambiguously of which information is being collected, how it is processed and for what purpose it is being used
  • Management of rights and the opportunities to view, edit and revoke consent and delete personal data are described to all candidates
  • The applicant is informed if there is a third party that may have access to the personal data

Right to correct data:

  • Applicants can view, edit and delete information about themselves
  • Personal data can be transferred from one system to another
  • The job applicant’s request to update, delete or transfer data is processed without delay

Accountor has a recruitment solution that meets the requirements of GDPR. Contact your consultant or Senior Recruitment Officer Kristin Annerstedt to find out more about the service.


What is GDPR?

The EU General Data Protection Regulation, GDPR, came into force in 2016, with the two-year transition period ending May 25, 2018. The Act's central task is to protect European citizens' personal data and rights. The law applies to all organisations that process EU citizens' personal data.