Most recruitment agencies and consultants will be well aware of their obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. In the vast majority of situations, recruiters are data controllers and, as such, have obligations to provide candidates (data subjects) with information about the collection and use of their personal data.
This information, usually in the form of a privacy or fair processing notice, is easily delivered when a candidate creates an online profile or uploads their CV to a recruitment site. But what about the situation where candidates are headhunted? Inevitably, in these situations, a large amount of personal data about a candidate will have been processed by the recruiter long before the candidate becomes aware that they are being considered for a position. How does this then sit with the recruiter’s duty to provide the candidate with information about the processing of their personal data?
As with many things GDPR, this is something of a grey area. In this context it is likely that recruiters will be able to process data on the basis of the recruiter’s legitimate interest to do so, provided the processing is necessary and the agent’s rights to carry out that processing are not overridden by the interests or fundamental rights and freedoms of the data subject.
While it may be relatively easy to establish a lawful basis for processing personal data, the recruiter must still provide the candidate with information about the processing of their data.
Where personal data is collected directly from the data subject, GDPR requires the data controller to provide the data subject with fair processing information at the time the personal data is obtained. This can be achieved by providing the data subject with a fair processing notice in hard copy or online when the candidate actively volunteers their CV or registers for vacancy notifications.
However, where personal data is not collected directly from the data subject (for example, where it is obtained from a prospective employer or a LinkedIn profile) the data controller must provide the data subject with the fair processing information:-
a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data is processed;
b) if the personal data is to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
c) if a disclosure to another recipient is envisaged, at the latest when the personal data is first disclosed.
The fair processing information must be provided to the data subject unless the following provisions apply:-
a) the data subject already has the information;
b) the provision of this information proves impossible or would involve a disproportionate effort;
c) obtaining or disclosure of the data is expressly laid down in law with appropriate measures to protect the data subject's legitimate interests; or
d) the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
Most recruiters will only be able to avoid providing a fair processing notice to candidates where it would be impossible or involve a disproportionate effort.
“Disproportionate effort” is not defined by the GDPR, although processing for archiving, scientific, historical or statistical purposes is specifically listed among the situations where the effort required in providing a fair processing notice may be disproportionate. Other factors which should be taken into account when assessing disproportionality are the number of data subjects to be provided with the information, the age of the data processed and any appropriate safeguards which have been adopted in the processing of that data. For most recruiters, it is unlikely that they will be able to demonstrate that providing fair processing information is impossible or involves a disproportionate effort.
This poses a difficulty for recruiters who do not want to “tip off” candidates that they are being considered for a position. In some cases, it will be possible to deliver fair processing information to a candidate within a month of processing or on first communication with the data subject, but often the data collected will be transferred by the recruiter, in the first instance, to the prospective employer. On receipt of that personal data, the employer may elect not to follow up with a potential candidate. However, in terms of GDPR, the recruiter should provide the data subject with a fair processing notice at the time of transfer of the data to the employer.
Many recruiters and employers would no doubt prefer to avoid having to tell a data subject that their data is being processed only to have to tell them shortly afterwards that they are no longer being considered for a position. Many recruiters will also find this at odds with the discretion which is usually exercised when conducting research of this nature.
For many businesses, how they address this issue will likely involve a risk-based approach and balancing the challenges of altering business models and the scope for complaints from employers and candidates. However, recruiters should certainly consider ensuring that their privacy notice can be easily accessed online and carrying out a data protection impact assessment to record the decision-making process in any situations where fair processing notices are not issued to data subjects.
Lynn is an Associate at BTO Solicitors LLP. She works in Commercial Dispute Resolution, Technology and Intellectual Property and Data Protection Defence.