Your CV and the GDPR
In the context of a job search, a lot of information is shared and exchanged between candidates and recruiters. This can be your name, address, date of birth and your contact details. Application data provided by a candidate is regarded as personal data. All personal data exchanged falls under the GDPR, the General Data Protection Regulation. Find out how the legislation protects your data and what you are entitled to expect regarding the processing of your personal information.
What is the GDPR?
The GDPR (General Data Protection Regulation) is a European regulation, which came into effect on 25 May 2018. Its purpose is to protect the rights of individuals with regard to their data as well as to define the responsibility of actors processing the latter.
In essence, the regulation stipulated that organisations handle your personal data with care and not keep this information longer than is strictly necessary and only for a specific purpose.
Which application data is covered by the GDPR?
Any information that you provide as part of the application process counts as personal data. This can include information from your CV, cover letter, application forms, assessment tests, psychometric tests, interviews and even the notes made about you during an interview.
Even if you consent to providing personal information, your data remains protected by the legislation to guarantee its confidentiality.
Here are some examples of the data that may be required during the application process:
- Your name
- Your address
- Your phone number
- Your email address
- Your education history
- Your work history
- Details of your driving licence (if relevant to the position)
- Your availability
Which personal data may not be shared?
Employers, recruitment agencies or recruiters are prohibited from processing special category personal data unless there is a legal exception. Special category personal data is data revealing a person's race, religion, political beliefs or health.
A passport photo
A passport photo on a CV also falls under the heading of special category personal data as you can infer someone's origin or religion from a photo.
If you as a candidate, provide consent for the storage and processing of your passport photo by third parties, an employment agency or recruiter can share it with the client. This consent is only valid if the provision of a photo is voluntary and there are no adverse consequences if it is not provided. An employment agency or recruiter may not ask an applicant to send a photo if it is not necessary for reviewing your application.
Who can access or process your data?
When you apply through a recruitment agency or a job board, the email address to which you send your application documents may be a generic one that anyone can access.
Nevertheless, only certain people are allowed to access and process your data within the framework of the GDPR:
- Hiring managers
- HR departments
- Supervisors with whom you will be working
- Employees directly involved in the hiring process
It is the employer's responsibility to ensure that access to your data is controlled and that it is only accessible to authorized persons. Any such action must be properly recorded so that you know who sees what, how, when and for what purpose.
How can your data be used in accordance with the GDPR?
The use of your personal information is subject to strict rules. Whether it's the information on your CV or the information you may be asked to provide later in the hiring process, here are some of the ways in which your data could be used:
Evaluation of your ability to perform the job
The data you provide on your CV is intended solely to enable recruiters and potential employers to assess your skills for the position in question.
An employer may ask you for emergency contact information, in case you require ‘reasonable adjustments’ (changes to accommodate disabilities) during the application process.
If you need a name badge to access the company's premises, you may be asked to provide a photo; however, for visitors’ passes, this is generally not required.
How long can your CV and other application data be stored?
Employers, recruiters and recruitment agencies may store your data for the time it takes to determine your suitability for an open position.
If your application is unsuccessful, then your data must be destroyed no later than four weeks after the end of the hiring process.
However, the organisation can ask for your permission to keep your data for up to a year in case a suitable position becomes available. After this period expires, you can be approached again to provide your consent for updating and storing your personal data. If you do not provide consent, your data must be destroyed.
You have various rights to keep control over your personal data.
Right of access, rectification and addition, or deletion
As an applicant you have the right to see which data is exactly recorded about you. You also have the right to change your data or to have it removed from the database. Anyone may ask an organisation to have objectively incorrect data, incomplete data or data that is irrelevant removed.
Right to be forgotten
The right to be forgotten means that, in certain cases, an organisation must delete your personal data if you request it. In the privacy statement, you will find how you can submit a request to change or delete your data. Once the organisation has received your request, they must process it within one month.
Right to restrict processing
This means that you can limit the way an organisation uses your data.
Clear privacy statement
Whether you send your application through a recruitment agency or directly to the employer, a clear privacy statement must be visible on the website.
This must describe what kind of data is collected, why they need this data and how the organisation handles the data.
The privacy statement must also include information about the retention period. Companies must inform the applicant in advance which personal data will be stored, for what purpose and for how long.
Which personal data do you need to provide on your CV?
The level of personal data you need to provide depends on a few factors, such as your country of residence and the position you’re applying for. However, as a minimum, you will need to include the following details:
- Telephone number
- Email address
In addition, you can choose to include links to social media, such as your LinkedIn URL as well as include details of your driver’s licence, if this is relevant for the application.
Certain personal details such as your nationality, religion, gender and marital status add little to your CV and should therefore be omitted.
The GDPR and its application
The GDPR applies to companies that process data of EU residents. However, if you’re outside of the EU, but you’re applying to a company in the EU, the GDPR will also apply.