The retention period of candidate data is controlled in France by the CNIL. It must comply with the GDPR (General Data Protection Regulation).
This European regulation has reinforced the protection of personal data since May 2018.
How long is candidate data kept?
First, regarding data retention in general: the GDPR states that personal data can only be kept “for no longer than is necessary for the purposes for which it is collected and processed”.
Second, regarding job applicants' data specifically: the CNIL has given its opinion on what it means by “necessary duration”. It recommends that the retention period for information (on computer and paper) should not exceed 2 years after the “last contact” with the data subject.
What does “last contact” mean?
The CNIL specified that the last contact could be a request or a click on a hypertext link contained in an e-mail.
Opening an e-mail, on the other hand, is not considered a contact. Although this guidance was given in the context of commercial prospecting, equating “last contact” with an active step taken by the person can be transposed to recruitment situations. For example:
- The candidate contacts the recruiter by phone: this is a contact.
- An email is sent to the candidate, but the candidate neither responds nor clicks on a link in the email: there is no contact.
- The candidate responds to a message or clicks on the link in the email: this is a contact.
- A job interview is obviously equivalent to a contact.
How do you comply with the GDPR for your candidates’ data?
Jobaffinity, our recruitment software, lets you configure all the settings needed to comply with the GDPR very easily. We also help our customers apply best-practice communication on this subject. In addition, we have specific functions for GDPR compliance.
Examples of GDPR functions in Jobaffinity
First, you can set up a reminder email. This email allows the applicant to renew a GDPR deadline by clicking on a link.
Second, you can define different GDPR deadlines according to the type of candidate. When you approach someone directly on social networks, you do not yet have the candidate’s agreement. In this case, you can set a short deadline within which to obtain their consent. As good practice, this period should not exceed 30 days.