FAQ GDPR – (General Data Protection Regulation)

  1. Is the GDPR like a ‘baseline’ for the EU? After all, each member state is free to add to it (for example, stricter penalties, etc.)
     One of the main reasons for renewing privacy legislation is to create a level playing field for privacy in Europe. At the moment each country has its own rules: the common rules are laid down in a European directive (Data Protection Directive 95/46/EC), but the parliament of each member state decides how to transpose that directive into national law. The GDPR, by contrast, is a regulation rather than a directive: it applies directly in every member state without national transposition and takes precedence over conflicting national legislation. As a result, the same core privacy rules apply throughout Europe from 25 May 2018. The regulation does leave member states room to add specific provisions in a limited number of areas (for example for processing in the employment context, and for penalties for infringements that are not covered by the GDPR’s administrative fines), so the national implementation act still needs to be checked, but it cannot lower the level of protection the GDPR sets.
  2. Can competencies also be regarded as special categories of personal data?
     The GDPR term is ‘special categories of personal data’ (article 9): data revealing, among other things, racial or ethnic origin, political opinions, religious beliefs, trade union membership, health or sexual orientation. Whether a ‘competence’ falls under this depends on what is actually recorded: membership of a trade union, or of an association that reveals for example political or religious views, is special-category data. Competencies that describe skills or experience are not.
  3. Does the GDPR mention a maximum storage period for data?
     The GDPR itself does not set specific storage periods; it only requires that data is kept no longer than necessary for the purpose for which it was collected. For recruitment, the Dutch supervisory authority has issued guidance that differs for candidates and employees, and the storage period you apply must be stated in your privacy statement. For candidates the guidance is:
     - 4 weeks after the application process has been completed (hired or rejected), or
     - 12 months after the application process has been completed (hired or rejected), provided the candidate has agreed to this.
     After this 12-month period you can approach the candidates concerned and ask whether you may keep their data for longer than 12 months. Different storage periods apply to recruited candidates (employees): their personnel and payroll records are also subject to Dutch tax legislation, which requires this data to be kept for 7 years.
  4. Can you store data from LinkedIn in Carerix without permission/notification?
     Data can be collected directly or indirectly. Direct collection means the candidate supplies the data personally, for example via an application form. Indirect collection means the data comes from an external source, for example when a recruiter collects data about a candidate via LinkedIn. If the data comes directly from the candidate, the privacy statement must be shown at the moment the personal data is supplied; a link to the privacy statement in the application form is sufficient. The privacy statement must at least contain the following information:
     - Identity and contact details of the processing party (in GDPR terms, the controller) and, if one has been appointed, of the data protection officer
     - Purpose and legal basis for the processing
     - The legitimate interests of the processing party (if that is the legal basis)
     - Recipients (or categories of recipients) of the personal data, for example processors
     - Information about any transfer of personal data to a country outside the EU
     - The storage period, or the criteria used to determine it
     - The rights of the person concerned (access, rectification, erasure, restriction, objection and data portability)
     - The right to withdraw consent for processing at any time
     - The right to lodge a complaint with the supervisory authority
     - Whether automated decision-making (including profiling) is used
     The same requirements apply when data is collected indirectly, for example via LinkedIn. In that case you must also state which categories of data you have processed and from which source. The person concerned must be informed about the points above within a reasonable period after you obtain the data, and in any event within one month. If the personal data will be used to communicate with the person concerned, the information must be supplied at the first contact at the latest; if the data will be passed on to another recipient (for example a client), at the latest when it is first passed on.
  5. What about ‘the right to be forgotten’ and other laws (e.g. the Dutch Money Laundering and Terrorist Financing (Prevention) Act, Wwft) that require data to be stored for a longer period?
     The GDPR explicitly allows (and in this case requires) data to be kept where a legal obligation has to be met: compliance with a legal obligation is a legal basis for processing (article 6), and the right to erasure does not apply to the extent that processing is necessary to comply with such an obligation (article 17). Tax legislation and the Public Records Act are good examples. Note that such an obligation only covers the data and the period it actually applies to; it does not justify keeping the rest of a candidate file. The right to be forgotten matters mostly for candidates who no longer wish to appear in a database or account and no longer want to receive notifications. The Wwft imposes requirements on:
     - Sellers of goods
     - Intermediaries in the sale and purchase of goods
     - Real estate brokers and intermediaries
     - Real estate appraisers
     - Operators of pawn shops and domicile (PO box) providers
     - Financial institutions such as banks, currency exchanges, casinos, trust offices, investment institutions and certain insurers
     - Independent professionals such as notaries, lawyers, accountants, tax advisers and administration offices
  6. Does the law require a DPO (data protection officer) to be appointed?
     The GDPR (article 37) states that a Data Protection Officer must be appointed in the following situations:
     - If processing is carried out by a public authority or body, except for courts acting in their judicial capacity
     - If the core activities of the processing party or processor consist of processing which, by its nature, scope and/or purposes, requires regular and systematic monitoring of the persons concerned on a large scale
     - If the core activities of the processing party or processor consist of large-scale processing of the special categories of data referred to in article 9 (e.g. medical details) or of personal data relating to criminal convictions and offences referred to in article 10
     In addition, Union law or member state law can identify other situations in which a Data Protection Officer must be appointed. Even where it is not mandatory, appointing a data protection officer is recommended to improve awareness of privacy within the organisation.
  7. Must a data register be kept if organisations have over 250 employees?
     A register (the GDPR calls it a record of processing activities, article 30) must certainly be kept by organisations with more than 250 employees. The processing party (controller) must record which data is processed, for which purpose and by which means. Organisations with fewer than 250 employees only need to keep a register for processing that is likely to result in a risk to the persons concerned (such as profiling), for processing that is not occasional (structural processing) and for processing of special categories of data or criminal data. Since a staffing or recruitment agency processes candidate data structurally, the exemption will rarely apply in practice. The processing party’s register must contain the following information:
     - The name and contact details of the processing party (or its representative, if the processing party is established outside the EU) and of the data protection officer (if applicable)
     - The purposes of the processing
     - The categories of data (such as name and address details, contact details, payment details, etc.)
     - The categories of persons concerned (for example customers, website visitors, employees, etc.)
     - The categories of recipients (to whom is the data supplied?)
     - Information about transfers of data to countries outside the EU
     - The storage period for the data (where possible)
     - How the data is secured (for example encryption, access control in software, anonymisation, etc.)
     The processor must keep a register for each processing party it works for, containing:
     - The name and contact details of the processor and of the processing party (or their representatives) and, if applicable, of the data protection officer
     - The categories of processing carried out for that processing party (which match the purposes in the processing party’s register)
     - Information about transfers of data to countries outside the EU
     - How the data is secured
     The supervisory authority (in the Netherlands the Autoriteit Persoonsgegevens) can request the register, and the organisation must then provide access to it.
  8. Is a PIA (Privacy Impact Assessment) mandatory? If so, when?
     A Privacy Impact Assessment (the GDPR calls it a Data Protection Impact Assessment, DPIA, article 35) is a preliminary investigation into the privacy effects of a project, such as a new ICT system for customer information or a new way of analysing or profiling people. The aim is to identify privacy risks as early as possible and to devise measures to minimise them. A PIA is mandatory if the project is likely to result in a high risk to the privacy of the persons concerned, for example when decisions about people are automated (such as rejecting candidates or detecting fraud), when sensitive data such as health or ethnic origin is used, or when public spaces are monitored, e.g. with cameras. A PIA is also needed when files are combined on a large scale (as in big data analyses). If the assessment shows that a high risk remains despite the measures taken, the supervisory authority must be consulted before the processing starts (article 36).
  9. What exactly does Carerix expect from us with regards to the GDPR?
     Organisations bear final responsibility for their privacy and security policy and for their processes for collecting and processing personal data. It is therefore important for organisations to examine their processes and policy and to take measures against the risks they encounter when collecting and processing data. Carerix, as the processor, can offer support and assistance on this front if required.
  10. We often look on LinkedIn, Monsterboard, etc. for good candidates and add them to Carerix. Is this still allowed?
     Yes, this is still allowed; it is referred to as indirect data collection, and the requirements listed under question 4 apply. The person concerned must be informed about those points within a reasonable period after you obtain the data, and in any event within one month. If the personal data will be used to communicate with the person concerned, the information must be supplied at the first contact at the latest.
  11. We also offer Project Staffing; is there a difference between storing data (type and duration) for employees and candidates? After all, each employee is first a candidate. How do you make a distinction?
     The difference lies in the structure of the application landscape. Candidates are registered in an ATS (applicant tracking system) and employees in an HR back-office system. If a candidate becomes an employee, you can change the record type from ‘candidate’ to ‘employee’ and add the accompanying contract period, so that the longer storage period for employees (see question 3) applies to that record from then on.
  12. Does Carerix establish a standard processing agreement with all customers/recruitment agencies?
     Yes. Carerix concludes a standard processing agreement with every customer; under the GDPR (article 28) such an agreement between the controller and the processor is mandatory.
  13. Could you please clarify the roles again. Who bears final responsibility, and who is the processor if recruitment and selection (W&S) organisations use the software of a third party (e.g. Carerix)?
     Staffing and recruitment organisations always bear final responsibility for collecting and processing personal data: they are the controller, because they decide why and how candidate data is processed. Third-party software suppliers such as Carerix, which process the data only on the organisation’s instructions, are processors.
  14. (Same question as 11; see the answer there.)
  15. What checks are carried out to see if you store data for longer than 12 months?
     Checks can be based on the creation date of the record in your system or on reports from a candidate. Candidates whose records are approaching the 12-month limit and who have not yet given permission for longer storage are approached to ask for it.
  16. What if, after a period of 12 months, we send the candidate an automatic e-mail saying we would like to store his or her data for another 12 months, and failure to respond would equate to providing consent; is that allowed?
     No. Under the GDPR consent must be a freely given, specific, informed and unambiguous indication of the person’s wishes, given by a statement or a clear affirmative action; silence, pre-ticked boxes or inactivity do not constitute consent (recital 32). You must also be able to demonstrate that consent was given (article 7). If the candidate does not respond to your e-mail, the data must be deleted (or anonymised) within a reasonable period. That is why it is best to also approach important candidates by phone, which offers another contact moment as well.
  17. What can you do if candidates provide consent over the phone? Will this be insufficient under new legislation?
     Consent given orally is not invalid, but the controller must be able to demonstrate that the person consented (article 7), and a phone call leaves no record of that. Telephone consent therefore has to be confirmed: once the conversation has ended, send the privacy statement to the person concerned and have them confirm their consent in a form you can retain (for example by replying to the e-mail or ticking a box in a form), and register the date and scope of the consent in the candidate’s record.
  18. What does Carerix offer for the anonymisation of data?
     Carerix allows candidates to be anonymised with a single click. Anonymisation means the candidate record is ‘wiped’: the record continues to exist, but all data that makes it possible to identify the natural person is deleted. Attachments, activities, name, contact details and any notes are erased. Historical quantitative data is not lost because the record continues to exist, so you can always check how many candidates you once matched to a certain vacancy without seeing identities. Anonymisation is possible once Privacy Restrictions in the general settings have been activated; your Carerix administrator can switch this on. Candidates can be anonymised individually (in the dossier) or collectively (in the overview). Copies of candidate data held outside Carerix (exported lists, e-mail attachments, local downloads) are not affected by this function and need to be covered by your own retention process.
  19. Will there be an automatic e-mail that allows candidates to extend for another 12-month period?
     Yes, Carerix will offer a standard e-mail template for this purpose. Bear in mind that the candidate must actively confirm; a message that is not answered does not count as consent (see question 16).
  20. So will we, for example, only get Monsterboard and NVB databases that feature candidates no older than 12 months; or is that not the case?
     That is not the case. Monsterboard and NVB are themselves subject to the GDPR and must comply with it, but candidates on these sites manage their own accounts, and an account is only deleted when the candidate wants to be forgotten. The 12-month period applies from the moment a candidate is placed in your organisation’s own database.
  21. Does Carerix enable automatic anonymisation?
     To prevent accidental loss of data, Carerix does not anonymise or delete records automatically. It is possible, however, to label candidate records automatically (for example with groups or statuses), which makes selecting them easier. This requires some adjustment of your process in Carerix and can be done in various ways. You can then regularly check for candidates labelled ‘to be anonymised’ and anonymise them manually.
  22. If I make everyone anonymous, then content becomes useless to me because I no longer know people’s identities?
     Anonymisation removes the personal details only; the candidates remain in the database without personal data and can still be used for other purposes such as reporting (for example counting matches per vacancy).
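The retention check and anonymisation described in questions 15, 18 and 21 (selecting records by creation or completion date, extending only on an explicit consent, and wiping identifying fields while keeping the record for counts), worked through as an added example. This is not Carerix code and does not use the Carerix API: the record fields, function names and the retention values (4 weeks or 12 months for candidates, 7 years for employees, as in question 3) are assumptions taken from this FAQ, and the sample records are constructed.

```python
"""Retention check and anonymisation of candidate records.

Added example, not Carerix code: the record fields, the function names and
the retention values (4 weeks or 12 months for candidates, 7 years for
employees) are assumptions taken from the FAQ. Adapt them to your own
system and to the periods stated in your privacy statement.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Iterable, Optional

CANDIDATE_RETENTION_WEEKS = 4   # without a reason to keep the data longer (assumed policy)
CANDIDATE_CONSENT_MONTHS = 12   # with the candidate's consent (assumed policy)
EMPLOYEE_RETENTION_YEARS = 7    # Dutch fiscal retention period for personnel records
AS_OF = date(2018, 6, 1)        # 'today' used in the sample run below


@dataclass(frozen=True)
class Record:
    record_id: int
    record_type: str                 # "candidate" or "employee"
    completed_on: date               # hired/rejected, or employment ended
    # Date on which the candidate explicitly agreed to a longer storage period.
    # Only an affirmative answer sets this; an unanswered e-mail never does.
    consent_given_on: Optional[date] = None
    name: str = ""
    email: str = ""
    phone: str = ""
    notes: str = ""
    attachments: tuple = ()
    activities: tuple = ()
    vacancy_ids: tuple = ()          # kept after anonymisation, for reporting
    anonymised: bool = False


def _add_months(d: date, months: int) -> date:
    """Calendar-month addition that clamps the day (29 Feb + 12 months = 28 Feb)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_deadline(rec: Record, keep_candidates_for_a_year: bool = True) -> date:
    """Date on which the record must be anonymised unless a new consent is recorded."""
    if rec.record_type == "employee":
        return _add_months(rec.completed_on, 12 * EMPLOYEE_RETENTION_YEARS)
    if rec.consent_given_on is not None:   # an explicit consent restarts the clock
        return _add_months(rec.consent_given_on, CANDIDATE_CONSENT_MONTHS)
    if keep_candidates_for_a_year:
        return _add_months(rec.completed_on, CANDIDATE_CONSENT_MONTHS)
    return rec.completed_on + timedelta(weeks=CANDIDATE_RETENTION_WEEKS)


def due_for_anonymisation(records: Iterable[Record], today: date,
                          keep_candidates_for_a_year: bool = True) -> list[int]:
    """Ids of records whose deadline has passed: the 'to be anonymised' list."""
    return [r.record_id for r in records
            if not r.anonymised
            and retention_deadline(r, keep_candidates_for_a_year) <= today]


def due_for_reminder(records: Iterable[Record], today: date, notice_days: int = 30,
                     keep_candidates_for_a_year: bool = True) -> list[int]:
    """Candidates whose deadline falls within notice_days: time to ask for consent."""
    horizon = today + timedelta(days=notice_days)
    return [r.record_id for r in records
            if r.record_type == "candidate" and not r.anonymised
            and today < retention_deadline(r, keep_candidates_for_a_year) <= horizon]


def anonymise(rec: Record) -> Record:
    """Wipe every identifying field; keep the id, the type and the vacancy matches."""
    return replace(rec, name="", email="", phone="", notes="",
                   attachments=(), activities=(), anonymised=True)


def apply_retention(records: Iterable[Record], today: date,
                    keep_candidates_for_a_year: bool = True) -> tuple[Record, ...]:
    """Return the record set with every overdue record anonymised."""
    records = tuple(records)
    due = set(due_for_anonymisation(records, today, keep_candidates_for_a_year))
    return tuple(anonymise(r) if r.record_id in due else r for r in records)


def matched_count(records: Iterable[Record], vacancy_id: int) -> int:
    """Reporting still works after anonymisation: count the matches for a vacancy."""
    return sum(1 for r in records if vacancy_id in r.vacancy_ids)


# Constructed sample data (fictitious names and dates).
SAMPLE = (
    Record(1, "candidate", date(2017, 1, 15), name="A. Jansen",
           email="a.jansen@example.org", notes="Strong Java profile", vacancy_ids=(101,)),
    Record(2, "candidate", date(2017, 9, 1), consent_given_on=date(2018, 5, 1),
           name="B. de Vries", vacancy_ids=(101, 102)),
    Record(3, "employee", date(2011, 4, 30), name="C. Bakker"),
    Record(4, "candidate", date(2017, 7, 1), name="D. Smit", vacancy_ids=(102,)),
)

if __name__ == "__main__":
    print("send consent reminders to:", due_for_reminder(SAMPLE, AS_OF))
    print("anonymise now:", due_for_anonymisation(SAMPLE, AS_OF))
    after = apply_retention(SAMPLE, AS_OF)
    print("matches for vacancy 101 after anonymisation:", matched_count(after, 101))
```

Two design points follow directly from the answers above: the deadline is only ever moved by a recorded `consent_given_on` date, never by the absence of a reply to a reminder (question 16), and `due_for_anonymisation` produces a list to be reviewed rather than deleting anything itself, which mirrors the label-then-anonymise-manually process of question 21. Run it as a periodic job and feed the reminder list to the consent e-mail template and the anonymisation list to whoever performs the manual step.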
  23. Is there a standard text for the privacy statement, which agencies will soon be able to use? Has this already been written by a legal specialist?
     A standard privacy statement is not available. A privacy statement must be:
     - Concise
     - Transparent
     - Understandable
     - Easily accessible
     These requirements are meant to make sure candidates know where they stand when it comes to their privacy. Depending on how the candidate’s data is collected, there are a few specific requirements for the privacy statement. Data can be collected directly or indirectly. Direct collection means the candidate supplies the data personally, for example via an application form. Indirect collection means the data comes from an external source, for example when a recruiter collects data about a candidate via LinkedIn. The privacy statement must at least contain the following information:
     - Identity and contact details of the processing party (in GDPR terms, the controller) and, if one has been appointed, of the data protection officer
     - Purpose and legal basis for the processing
     - The legitimate interests of the processing party (if that is the legal basis)
     - Recipients (or categories of recipients) of the personal data, for example processors
     - Information about any transfer of personal data to a country outside the EU
     - The storage period, or the criteria used to determine it
     - The rights of the person concerned (access, rectification, erasure, restriction, objection and data portability)
     - The right to withdraw consent for processing at any time
     - The right to lodge a complaint with the supervisory authority
     - Whether automated decision-making (including profiling) is used
     For indirectly collected data, the statement must also name the categories of data processed and the source they came from.
  24. How do you arrange responsibility if you are in a franchise formula, where Carerix is the central system?
     Carerix remains the processor; final responsibility for the processing lies with the franchise holders, each of which is the controller for the candidate data it collects and processes.