One year of GDPR and you are compliant. But when you purchase a new career site, you are left with questions again. How does the website protect the candidate's privacy? This is how we do it.

Not too long ago, most recruiters had a number of old spreadsheets with personal details of former candidates saved somewhere in a folder on the shared recruitment drive. Those who were more organized had a talent pool in the ATS that grew and grew over the years.
Although this was already forbidden under the 'old' regulation, data protection of candidates only became a hot topic for employers last year, when the GDPR threatened them with fines that make most companies sick to the stomach.
Many employers are now (almost) GDPR-proof. Yet when we build new career sites for our customers, we still get many questions about how the new website guarantees the privacy of candidates. In this blog we answer the most frequently asked ones.
- Who is responsible for data protection?
- What is our job, what is yours?
- How do we adjust the job alert?
- How do we make our application forms GDPR-proof?
1. Who is responsible for data protection?
We both are. Employers are always ultimately responsible for the data they collect from candidates. Or in GDPR terms: the employer is the 'controller' of the data.
Because we also process this data (think of analyzing anonymized data and forwarding application data to the customer's ATS) we are a 'processor' under the GDPR. Therefore we also bear responsibility for the protection of candidate data.
We agree jointly on how we do this in a data processing agreement, the contract between controller and processor that the GDPR (Article 28) requires. This covers:
- What information do we store as builder of the website and for what purpose?
- How do we ensure that candidates can view and delete their personal information?
- What measures do we take to protect these data?
- Whether we cooperate in audits on request. (Yes, we do.)
2. What is our job, what is yours?
A logical follow-up question: who does what to protect the candidates' privacy? Below is the division of tasks.
What the customer does:
- Drawing up a privacy statement with its own legal department.
- Preparing a cookie statement (content and text).
What we do:
- We place the cookie statement on the career site.
- We handle the functional and analytical cookies.
- In collaboration with the customer's ATS provider, we provide a consent checkbox at the right place on the website. By ticking the box, a candidate actively agrees to the storage of their data. This is required when, for example, registering for a job alert or applying via an application form (more on this in questions 3 and 4).
- We offer help, practical examples and advice.
If you can't figure out how to prepare a privacy statement or cookie statement, we naturally have plenty of examples from other companies we work with. But although we have good security and privacy experts on board, we are not legal advisers. Ultimately, the customer is responsible for being GDPR-compliant.
- We make sure our sub-suppliers are safe.
Our own partners must of course also comply with the GDPR rules, and they do. As the GDPR considers them processors (sub-processors, in our role), we have concluded data processing agreements with all of them. Moreover, they are ISO 27001 certified for information security, just like us.
This is what we do together:
- We draw up a data processing agreement and tailor it to the recruitment needs of the company.
3. How do we adjust our job alert?
Again a 'who-does-what' question. A job alert on your career site can be set up, and therefore adjusted, in two ways:
- Job alert via the ATS? Then the ATS supplier adjusts it.
- Job alert via the career website? Then we adjust it.
More practically: what adjustments does a job alert need to meet the GDPR?
These three questions are important:
- What information do you store?
Keep the number of fields in the form to a minimum. Only request the information you really need, such as name, e-mail address and the vacancies of interest.
- What will you do with this data?
What is your objective? In this case, to send targeted job offers to candidates. Include this in the privacy statement, and clearly ask the candidate for permission.
- What is the retention period of the collected data?
The general retention periods for application data apply here: the data must be deleted 4 weeks after the application procedure is closed, unless the candidate gives explicit permission to store their data for a longer period, with a maximum of 1 year.
Include these terms in the privacy statement, and ask the candidate again for clear agreement in the registration form.
Example: the job alert form on WerkenbijNS.nl (screenshot; the checkbox label translates as 'I agree with the privacy disclaimer').
4. What information can we request in an application form?
To keep it simple: only the essentials, that is, everything required to apply for the position. So how do you keep your application forms GDPR-proof?
- Write in the privacy statement why you store this information.
And (we keep saying it!) ask for the candidate's permission via a checkbox. Other things to state in your privacy statement: which personal data you store, on which legal basis, and to whom the data is provided. Also important: state what rights an applicant has under the GDPR (the right of access and the right to erasure) and how the company facilitates them.
- Ask the candidate how long you may store their data.
The standard terms apply here: 4 weeks after the application procedure closes, or 1 year. The choice is up to the candidate. Clearly state these two options in the question field of the application form, for example via a drop-down, like the example below from the career website of Dutch Railways, WerkenbijNS.nl.
What type of data you request will of course also depend on your own recruitment process. For example, how is the first contact with the candidate organized and what information does a recruiter need for this? Below are two practical examples.
Example 1: a simple application process
For a traditional selection where the first screening is mainly based on the CV and cover letter, a simple application form will do. Look at the example of Dutch Railways (screenshot): name and contact details are sufficient in the first step of the application. The retention drop-down translates as 'I agree with storing my data for a period of' with the option '4 weeks after closing the application procedure'.
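The retention rule described in questions 3 and 4 (delete 4 weeks after the procedure closes, or keep for at most 1 year with the candidate's explicit consent) is something the career site or ATS has to enforce, not just state. The following is an added example, not code from the career-site vendor, the ATS or WerkenbijNS.nl: it models the consent checkbox and the retention drop-down as two fields on a candidate record and runs a purge pass over a constructed sample. The record layout, the field names, the choice to count the 1-year period from the application date, and the decision to purge any record without a ticked consent box immediately are assumptions made for this example.

```python
"""Retention bookkeeping for candidate records (added example).

Assumptions, not taken from the page: the 1-year period with consent
counts from the application date; a record whose consent box was never
ticked is purged at once because it should not have been stored.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

RETENTION_AFTER_CLOSE = timedelta(weeks=4)   # default: 4 weeks after the procedure closes
RETENTION_WITH_CONSENT = timedelta(days=365) # explicit consent: at most 1 year


@dataclass
class Candidate:
    name: str
    email: str
    consent_given: bool                       # the consent checkbox was ticked
    keep_one_year: bool                       # drop-down: '1 year' chosen instead of '4 weeks'
    applied_on: date
    procedure_closed_on: Optional[date] = None  # None while the vacancy is still open


def deletion_date(c: Candidate) -> Optional[date]:
    """Date on which the record must be deleted, or None if not yet determinable."""
    if c.keep_one_year:
        # Assumption: the 1-year period runs from the application date.
        return c.applied_on + RETENTION_WITH_CONSENT
    if c.procedure_closed_on is None:
        return None  # procedure still running; the 4-week clock has not started
    return c.procedure_closed_on + RETENTION_AFTER_CLOSE


def must_delete(c: Candidate, today: date) -> bool:
    """True when the record may no longer be kept on `today`."""
    if not c.consent_given:
        return True  # no valid consent: assumption is to purge immediately
    due = deletion_date(c)
    return due is not None and today >= due


def purge(candidates: List[Candidate], today: date) -> Tuple[List[Candidate], List[Candidate]]:
    """Split records into (keep, delete) for a scheduled purge job."""
    keep: List[Candidate] = []
    delete: List[Candidate] = []
    for c in candidates:
        (delete if must_delete(c, today) else keep).append(c)
    return keep, delete


# Constructed sample data for this example; none of it is real.
TODAY = date(2019, 6, 1)
SAMPLE_CANDIDATES = [
    Candidate("A", "a@example.com", True, False, date(2019, 3, 1), date(2019, 4, 1)),  # closed >4 weeks ago
    Candidate("B", "b@example.com", True, False, date(2019, 5, 1)),                    # procedure still open
    Candidate("C", "c@example.com", True, True, date(2018, 5, 1)),                     # 1-year consent expired
    Candidate("D", "d@example.com", False, False, date(2019, 5, 20)),                  # consent box not ticked
    Candidate("E", "e@example.com", True, True, date(2019, 1, 15)),                    # 1-year consent still valid
]


def run_purge() -> Tuple[List[str], List[str]]:
    """Return the names kept and deleted for the sample set on TODAY."""
    keep, delete = purge(SAMPLE_CANDIDATES, TODAY)
    return [c.name for c in keep], [c.name for c in delete]


if __name__ == "__main__":
    kept, deleted = run_purge()
    print("keep:", kept)
    print("delete:", deleted)
```

In a real deployment the purge would run on a schedule against the ATS or site database and also cover the job-alert subscriptions from question 3, and the retention choice should be recorded together with the consent timestamp so that the deletion date can be shown to a candidate who exercises their right of access.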
Example 2: first screening via the application form
It is a different case when the first screening of candidates is based on the online application form, for example when many qualifications are required to make a first selection. Look at the example of Tzorg (screenshot). This healthcare organization asks candidates about their availability, experience and own transport, which are requirements for the job. These answers form the first selection.
Want to know more about data protection on your own career website?