Co-optation is a recruitment method that involves asking a company’s employees to recommend potential candidates for a vacant position. Although this method offers many advantages (reduced recruitment costs, more trustworthy candidates, faster integration, etc.), it also raises concerns about the protection of personal data. As you probably know, our recruitment software is built to help you comply with the GDPR. But when you go by word of mouth, you may be tempted to do without Jobaffinity.
So how do you combine co-option with the General Data Protection Regulation (GDPR)?
The GDPR: A brief reminder
The GDPR is a European regulation that aims to strengthen and unify the protection of personal data of European Union citizens. It imposes strict obligations on companies with regard to the collection, processing and storage of personal data. Failure to comply with these obligations can result in severe financial penalties.
Origin and purpose of the GDPR
The GDPR was adopted by the European Parliament in April 2016 and came into force on 25 May 2018. It replaces the 1995 Data Protection Directive. The main aim of the GDPR is to give European Union (EU) citizens more control over their personal data and to ensure that companies process this data transparently, securely and responsibly.
Scope of the GDPR
The GDPR applies to all businesses, organisations and associations, whether or not they are based in the EU, whenever personal data of EU residents is processed. This means that even companies based outside the EU may be subject to this regulation if they offer goods or services to EU citizens or monitor their behaviour.
Obligations of companies with regard to the GDPR
Companies are required to respect a number of fundamental principles when processing data, such as compliance with the law, transparency, purpose limitation, accuracy, retention limitation and confidentiality. They must also obtain explicit consent for the collection and processing of data, inform individuals of their data protection rights and put in place appropriate security measures to protect this data.
If you’re not yet GDPR compliant or are setting up your new business, this GDPR guide can help you.
Co-optation and data collection
Co-optation, also known as sponsorship or recommendation, is a recruitment method where current employees recommend candidates for vacancies within their company. This co-option is often accompanied by rewards, such as monetary bonuses. Although this method is advantageous for companies because it can reduce recruitment costs and increase the likelihood of finding a suitable candidate, it presents particular challenges in terms of data protection because of the very way in which the information is transmitted: often by an employee who does not have GDPR compliance in mind.
Nature of the data collected
During the co-optation process, the data transmitted can vary, ranging from basic contact details (name, telephone number, e-mail address, postal address) to more personal information such as skills, professional experience, hobbies or even subjective assessments of the candidate.
The challenge of consent
The GDPR stipulates that consent must be “free, specific, informed and unambiguous” for personal data to be processed legally. In the context of co-optation, this means that even if an employee recommends a friend or former colleague, the company cannot simply use this information without first obtaining the explicit consent of the recommended candidate.
Example: Let’s imagine that Marie, an employee at TechCorp, recommends her former colleague Ahmed for an engineering position. She provides his CV and e-mail address to her HR manager. Before TechCorp’s HR department contacts Ahmed or uses his information to assess his application, they must ensure that Ahmed is informed of this recommendation and that he gives his consent for his data to be processed.
Putting it into practice
To comply with the GDPR, companies can implement specific procedures for co-option. For example, when an employee submits a recommendation, the HR department could send an e-mail to the recommended candidate, informing them of the recommendation and asking for their consent to process their data. This email should also provide detailed information on how the data will be used, how long it will be kept, and the applicant’s data protection rights.
Our Jobaffinity recruitment software provides you with email templates, and we recommend that you enter the profiles of co-opted candidates in the tool to make your life easier when it comes to compliance.
The rights of co-opted candidates
The General Data Protection Regulation (GDPR) has been designed to strengthen the rights of individuals with regard to their personal data. For co-opted candidates, this means that they have specific rights regarding the information that the company holds about them. Here is a detailed exploration of these rights, accompanied by concrete examples.
Right of access
This right enables anyone to find out whether their personal data is being processed by a company and, if so, to obtain a copy of the data and information on how it is processed.
Example: John, a co-opted candidate, can contact the company’s HR department and request an overview of all the data they hold about him, including interview notes or assessments.
And yes, mind you: employees can access all appraisal or interview data if it forms part of their file (see the insert on page 5 of this CNIL guide).
Right of rectification
If an individual believes that personal data held by a company is inaccurate or incomplete, they have the right to request that it be corrected.
Example: If the company has registered the wrong phone number or email address for John, he can ask for this information to be corrected.
Right to erasure (or “right to be forgotten”)
In certain circumstances, an individual can ask a company to delete their personal data. This may be the case, for example, if the data is no longer required for the original purpose or if the individual withdraws his or her consent.
Example: After being turned down for a job, John can ask the company to delete all the data it holds about him, including his CV and covering letters.
Right to portability
The aim here is to enable individuals to receive their personal data in a structured, commonly used and readable format. They can also request that this data be transferred directly to another company, if this is technically possible.
Example: If John wants to apply to another company using the same information he provided previously, he can ask the original company to provide his data in a format such as a CSV (Excel) file, which he can then send to the new company.
These rights give co-opted candidates greater control over their personal data and ensure that companies handle this data in a transparent and ethical manner. GDPR compliance is all too often neglected by companies. Although inspections (and convictions) are still relatively rare, they do occur.
Companies using co-option as a recruitment method must ensure that they comply with the following obligations:
- Informing candidates: Before collecting data, the company must inform candidates of how their data will be used, how long it will be kept and their rights under the GDPR.
- Minimising data collection: Only the data required for the recruitment process should be collected.
- Protecting data: Companies must implement appropriate security measures to protect data from unauthorised access, loss or leakage.
Don’t set aside your GDPR obligations when co-opting
Co-option is an effective recruitment method, but it must be implemented in compliance with the principles and obligations of the GDPR. Companies must be proactive in managing the data of co-opted candidates and ensure that their rights are respected.