In a couple of months every company (not only recruitment companies) within the EU has to comply with GDPR, the General Data Protection Regulation. It’s great that such legislation is in place.

Below you’ll find our analysis. I hope it can be useful for your company:

GDPR has 6 main Players:

  1. Data subject: candidates, clients’ employees, colleagues, our ex-colleagues, suppliers’ employees, employees of our clients for whom we do the payroll administration…in short: all people we store in our database (or whom we want to store in our database).
  2. Processor: our colleague or free-lancer under our contract who is processing data of data subjects
  3. Controller: responsible person for data processing employed by us or under free-lance contract
  4. Data Protection Officer: independent person responsible for the compliance with GDPR, can be our employee or a third party person
  5. Our company: defining the purpose of data processing and finally responsible for compliance with GDPR
  6. The Supervisory Authority: the official controlling authority; when operating in more than one country, the applicable SA is the one of the country where the company has its main seat

Don’ts:

  1. Process and store data of people under 18 years of age (increased risk, as they are even more protected than adult data subjects)
  2. Automated transfer of data of Data Subjects to (not approved) non-EU countries
  3. Process and store data of Data Subjects without their explicit consent
  4. Transfer data of Data Subjects to third parties within the EU without their explicit consent
  5. Process data without the possibility of human intervention from our side when the Data Subject requires it

Do’s:

  1. For each type of personal data processing we need a data protection impact assessment
  2. All Data Subjects can ask for all the data and the processing history we store about them. We should make this easy: they get all their data with one click and a PDF is sent to them (for example)
  3. All Data Subjects can delete all the data we store about them (exception: all information which we have to keep because of legal requirements: payroll data and possibly other data such as statistical data which must be sent to governmental bodies) – we can offer the Data Subject many options.
  4. Once the Data Subject asks for deletion we do not necessarily have to delete all information. Pseudonymisation is enough: erase the information with which the person can be identified (name, address, e-mail address, telephone numbers, Facebook name etc.), any code which leads to the Data Subject, and any correspondence with the person which could lead to his or her address. This means we can keep everything except the Data Subject’s contact details (so we can keep all information for our statistics)
  5. If the Data Subject gives his or her consent for whatever we write down about what we may do with his or her information, we are in compliance with GDPR
  6. When a Data Subject requests the update, rectification or correction of his or her data we have to do this within 72 hours (best is that the Data Subject can correct his or her data at any time)
  7. When we ask for permission to process a Data Subject’s data we should inform the Data Subject of the sources of our information, if they are not yet in our database and we don’t have their consent. We immediately ask for their consent and give them the links to delete their file and to request what we store about them
  8. When the Data Subject asks to send his or her file to another company (for example another staffing agency) the PDF of the complete file should be sent to the Data Subject, so actually it is the same as Point 1 with one extra detail: we should send it directly to the address the Data Subject gives us. So they fill in the e-mail address of the third party, we send a copy to the third party and to the Data Subject, and we must store this
  9. When a Data Subject asks (in any form) to delete his or her information we must send a notification to all third parties to whom we have sent his or her data, asking them to delete it. We do so with a copy of each e-mail to the Data Subject.
  10. The Supervisory Authority should be given access to our applications when they require it
  11. We should provide them with a clear structure, rules of conduct and safety measures in order to make controls easy and the entire system very transparent
  12. For all our Data Subjects we should provide our Rules of Conduct etc., including a copy of the GDPR, links for data deletion and for requesting the stored data, and an overview of to whom his/her information has been sent
  13. Our employees (processors, controllers and data protection officers – actually everybody from us who has access to the stored data) must sign an appendix to their labour contract stating that they will work in compliance with GDPR and assume responsibility when they breach this legislation. Examples of unauthorized processing: copying CVs and storing them on a private laptop, sharing CVs with friends without the authorization of the candidate, giving personal data to third parties (talking about a specific person to a friend who is not our employee, etc.). For this we need a Do’s and Don’ts for our staff plus a full copy of the GDPR
  14. When there is a breach of GDPR (f.e. our system is hacked, a colleague has taken CVs home, etc.) the Data Subject must be informed without delay and an assessment must be made of the possible damage. The Supervisory Board must be informed as well without delay
  15. If we want to process data but we are not sure whether it is in compliance with GDPR we can request an opinion from the S.A. and they have to respond within a certain amount of time
  16. Automated rejection of candidates is 100% safe when, before it is sent to the candidate or to a group of candidates, a human intervention executes it.
  17. Data Subjects must always have the possibility to request human intervention. The easiest way is to always mention in every communication the name of the processor, e-mail address, telephone number, our general telephone number, our address and website.
  18. Data Subjects and the SA need easy access to the Processor, the Controller and the Data Protection Officer (names, job title, telephone, e-mail address)
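To make the handling steps in the Do’s concrete, here is an added example (not code from the original post, nor from STAA or TalentBase) of a minimal candidate record with the three operations the list describes: a subject-access export of everything we store including the processing history and recipients (point 2), sending the file to a third party only with consent and recording the recipient (points 8 and 9), and pseudonymisation on a deletion request that erases the direct identifiers and the internal code but keeps the statistical fields (point 4). The `Candidate` class, its field names and the sample record are assumptions of this example; the sample values are constructed.

```python
import json
import secrets
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Fields the post lists as direct identifiers; these are erased on a deletion
# request. The field names are assumptions of this example.
DIRECT_IDENTIFIERS = ("name", "address", "email", "phone", "facebook_name")


@dataclass
class Candidate:
    """One candidate record (assumed layout for this example)."""
    candidate_id: str          # internal code that leads to the person
    name: str
    address: str
    email: str
    phone: str
    facebook_name: str
    source: str                # where the data came from; told to the subject
    consent_given: bool
    skills: list
    years_experience: int
    sent_to: list = field(default_factory=list)         # third parties that got the file
    processing_log: list = field(default_factory=list)  # history shown on export
    pseudonymised: bool = False


def _log(c: Candidate, event: str) -> None:
    c.processing_log.append({"at": datetime.now(timezone.utc).isoformat(), "event": event})


def _snapshot(c: Candidate) -> str:
    # The "PDF" of the post is a JSON document here; the content is what matters.
    return json.dumps(asdict(c), indent=2, sort_keys=True)


def export_for_subject(c: Candidate) -> str:
    """Point 2: everything we store, including processing history and recipients."""
    _log(c, "export_requested")
    return _snapshot(c)


def send_to_third_party(c: Candidate, recipient: str) -> str:
    """Point 8: only with explicit consent; record the recipient so point 9 can notify them."""
    if not c.consent_given:
        raise PermissionError("no explicit consent on file")
    c.sent_to.append(recipient)
    _log(c, "file_sent_to_third_party")
    return _snapshot(c)   # the copy that goes to the recipient and to the subject


def pseudonymise(c: Candidate) -> list:
    """Point 4 on a deletion request: erase what identifies the person and the
    internal code, keep the rest for statistics, and return the recipients that
    must be notified of the deletion (point 9)."""
    for name in DIRECT_IDENTIFIERS:
        setattr(c, name, None)
    # Fresh random token; not derived from the old id, so nothing leads back.
    c.candidate_id = secrets.token_hex(16)
    c.pseudonymised = True
    _log(c, "pseudonymised_on_request")
    return list(c.sent_to)


def residual_identifiers(c: Candidate) -> list:
    """Check after pseudonymisation: which direct identifier fields still hold data."""
    return [name for name in DIRECT_IDENTIFIERS if getattr(c, name)]


def sample_candidate() -> Candidate:
    """Constructed sample record for the demonstration."""
    return Candidate(
        candidate_id="C-1001", name="Jane Example", address="1 Example Street",
        email="jane@example.org", phone="+00 000 0000", facebook_name="jane.example",
        source="job board (constructed)", consent_given=True,
        skills=["Python", "SQL"], years_experience=7,
    )


if __name__ == "__main__":
    c = sample_candidate()
    send_to_third_party(c, "hr@agency.example")
    notify = pseudonymise(c)
    print("notify of deletion:", notify)
    print("identifiers left:", residual_identifiers(c))
    print(export_for_subject(c))
```

The free-text fields are the weak spot in practice: a CV text or correspondence kept for statistics can still contain the name or address, so a real implementation has to scrub or drop those too, and if a mapping from the new token back to the person is kept anywhere, GDPR only treats the record as pseudonymised when that mapping is stored separately and protected.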

In short:

  1. We process people from 18 years old (not younger)
  2. We build a Chinese wall around the EU and NON-EU BUT APPROVED countries for automated data transfer
  3. We only process data with explicit consent from the Data Subject
  4. We give real-time access to their stored data (sending a PDF)
  5. We send their data to any third party of their request (sending PDF)
  6. They can anytime delete (with all options we would like to offer) their data
  7. We then have to pseudonymise their data – deletion is not necessary
  8. We need Rules of Conduct and a Structure/Process Flow etc.
  9. We inform all Data Subjects of to whom we send their data
  10. We correct their data on their request and immediately, and the new data are sent to them for their approval
  11. When we delete a Data Subject’s data we inform this person

I wish you good luck and a lot of common sense with implementing GDPR. If you need extra advice: please do contact me.

If you need recruitment software which is fully compliant with GDPR: we have this for you, in two highly advanced recruitment applications:

STAA and The New TalentBase….

Good luck

Gerard Koolen
