RGPD & recruitment: everything you need to know about your obligations and compliance (and how to automate it)


Since May 25, 2018, the European Regulation on the Protection of Personal Data (RGPD) has provided a framework for data collection. The data requested from applicants on the recruitment form is governed by this regulation.

How do we recruit?

When recruiting or adding to your CV library, the key is to keep candidates well informed. Whenever you collect personal data with your recruitment software, the information must appear on the medium used: forms, associated questionnaires, etc.

What information is required?

  • The name of the company processing the data [Name, RCS address].
  • The email address of the contact person who can be reached to check the data.
  • The recipients and purpose of the data collection, such as the HR department for recruitment purposes.
  • How long the data will be kept after agreement.

Who has access to personal information within the company?

According to regulations, only those involved in the recruitment process can consult the applicant’s personal data (usually the employees in charge of human resources management). Once hired, this data can also be accessed by the usual administrative services (retirement, France-Travail, Social Security, etc.).

Employees’ superiors may also have access if necessary, but this data should be kept to a minimum as long as the candidate is not part of the company. In the context of an interview, it is not necessary to provide any personal data other than the candidate’s surname, first name and home town. Apart from these limited cases, employers may only disclose the personal data of applicants or employees if required to do so by law or a court order.

It is the company’s responsibility to ensure the security of candidates’ information and that only authorized persons have access to it. All actions performed on candidate data by authorized persons must also be recorded to comply with RGPD standards. That’s the beauty of recruiting software like Jobaffinity: only those involved in the recruitment process have access to the candidate’s personal data.

What rights do candidates have to their personal data?

In France, the RGPD gives candidates more control over their personal data, which is a new trend to consider in your recruitment strategy. According to the regulations, personal data can no longer be exchanged without the consent or knowledge of applicants.

The RGPD lists six rights available to every data subject, namely:

  1. Right of access. The right to ask whether the controller(s) hold(s) personal data about him/her, to obtain a copy of such data and information about the processing carried out (and its purposes) and the sources of the data.
  2. Right of rectification. The right to request correction or updating of personal data.
  3. Right to object. The right to object to the processing of personal data indefinitely.
  4. Right to erasure. The right to request the deletion of personal data from the database.
  5. Right to limit. This is a complementary right to the others (opposition or rectification), which prohibits the use of data while the other rights are being applied.
  6. Right to portability. The right to request the recovery and/or transfer of his/her data to an organization of his/her choice.

You have all the details in this very good CNIL document (fiche n°7), of which here is an extract of the summary table:

To respect the rights of applicants, as a data controller, you must thoroughly review your recruitment toolbox and update your entire recruitment process. That’s what our Jobaffinity recruitment software is for.

It is your responsibility to ensure that candidates’ personal data is processed in a transparent and lawful manner, while enabling candidates to exercise their personal data protection rights.

Can I use the data of an unsuccessful candidate for a new offer at a later date?

If, and only if, he gave his consent during your first interaction.

This is why it’s a good idea to prepare your job ad forms well in advance. It’s worth mentioning that, by applying for a job, the candidate gives the company the right to contact him or her again for future job offers.

It’s a standard feature of Jobaffinity job ads, and you’ll find a sample text just below.

If you do not have this prior consent, you cannot legally use the personal data of the candidate(s) in the future. It would be a shame for your CV library!

Example of candidate consent text for RGPD

To communicate a first level of information, you can add a link to the privacy policy on your website.

We propose an example of text to display on the application form of your recruitment software to comply with the RGPD information principle.

The text we are proposing is aimed at companies whose data does not “leave” the European Union, for example if you use our recruitment software. If your data is potentially stored outside the EU (on a Google Drive, a Microsoft OneDrive-type service or on third-party hosting servers), you need to find out where the servers are located and whether there are any redundancies, and consult a legal specialist if necessary.

If your data is indeed stored in the EU, you can use this text by replacing the words in square brackets with your information:

“The data you have just provided will be processed automatically in order to process and manage your application. It is carried out by [Company name, RCS address], in its capacity as data controller. This data processing is necessary to process your application.

The person in charge of data protection can be contacted at the following email address [email]

Data will be kept for two years after the last contact with the candidate. The data may be kept by the employer for the duration of the employment contract in the event of recruitment. [HR department, recruitment department…] are the recipients of this data.

The data controller undertakes not to transfer your personal data outside the European Union as part of its processing operations.

You have a right of access and rectification. In the event of legitimate reasons, you also have the right to delete, limit or object to the processing of your data. You also have the right to port your data. And you have the option of giving instructions concerning your data in the event of your death. You can send an email to [email] to exercise your rights. If you are not satisfied, you can refer the matter to the CNIL.”

Please note that this text is not intended to replace legal advice, but rather to provide information.

Jobaffinity makes it easy to manage RGPD in recruitment

Our software makes it possible to comply with the RGPD and inform candidates at several levels. You’ll find text templates and all the information you need to properly manage your RGPD compliance. What’s more, our secure servers are located in France to avoid any problems.

Jobaffinity’s little extras:

  1. You can set your data retention period.
  2. You can also set up a reminder email. This email allows the candidate to restart their RGPD deadline if they wish to remain in your database.
  3. You can set a short deadline for candidates approached via social networks to obtain their agreement.

We address the subject of data retention periods at the end of this article.

Keep data for the right period, according to its source

What does the CNIL say?

In the event of a negative outcome to an application, the file is kept by the company unless the candidate advises otherwise. Data is automatically destroyed at the end of a retention period generally set at two years after the last interaction with the applicant. This time may vary from company to company. Only with the formal agreement of the applicant can the data be retained beyond this period.

What’s actually happening in the field?

Some companies choose to delete this data after one year, but other organizations that recruit rarer profiles apply to the CNIL for exemptions to extend this retention period. This is the case for shortage professions such as architects, for example.

Nuances to be taken into account depending on the source of the application

If you have retrieved applications from LinkedIn yourself, for example, as our recruitment software allows, you have a 30-day retention period. If you wish to pass on CVs to a third party and/or keep profiles beyond this period, you must ask permission from the persons concerned.

What are the advantages of an ATS like Jobaffinity?

You can program the deletion of profiles in your ATS tool; it will be done automatically at the end of the chosen period. Jobaffinity can detect when your last interaction with the candidate took place. If you wish to keep this application, you can ask the candidate for their agreement to keep their profile in your CV library. This is a software function.

Jobaffinity also knows how to distinguish between different sources of applications. Our tool detects applications which you have entered manually and which have therefore not been subject to prior consent. Our solution automatically deletes them after 30 days. If you wish to keep them, you can contact them to ask for their approval (or even program an automatic e-mail). You can easily filter these profiles in Jobaffinity, identify them and contact them!

Informing your candidates about the processing of their data

What does the CNIL say?

“The RGPD requires concise, transparent, comprehensible and easily accessible information for data subjects. Transparency enables data subjects to find out why the various data concerning them is collected, to understand how their data will be processed, and to take control of their data, making it easier for them to exercise their rights.” (source: CNIL)

What do you need to do?

In your legal disclaimer, you must specify the conditions under which data is stored and used. This text must also appear in the application form so that people wishing to apply to your company can accept them with full knowledge of the facts. When you receive profiles by e-mail, you can include this legal text in the acknowledgement of receipt of applications.

What does Jobaffinity offer?

For your information, we offer an example of text to display on the application form in your recruitment software to comply with the RGPD information principle (see above). This text is aimed at companies whose data does not “leave” the European Union. Our software provides information to candidates on several levels. For applications from social networks, you can identify them using Jobaffinity and send them your privacy and data processing policy by e-mail.

Retention periods for personal data in recruitment

Now, if you’re wondering how long you should keep your data: the law does not specify a precise deadline. The RGPD specifies that personal data may be kept for no longer than is necessary for the purposes for which it is collected and processed, and this applies in particular to data on job applicants.

The CNIL has ruled on what it means by “necessary duration”. Thus, the CNIL recommends that the information retention period (on computer and paper media) not exceed 2 years. Please note that this period is calculated from the “last contact” with the person concerned.

We remind you that the recruitment process is subject to:

Let’s not forget to mention the recommendations of the Commission informatique et libertés (CNIL): CNIL, practical guide for employers.

Use an ATS to simplify RGPD compliance in recruitment

Would you like to take the hassle out of the various actions required to comply with the RGPD for recruitment? Put your trust in recruitment software (ATS) designed for that purpose: Jobaffinity. Ask for a demo today.
