All Collections
GDPR FAQ
May candidates request data? How?
May candidates request data? How?
Aref Abedi avatar
Written by Aref Abedi
Updated over a week ago

Short answer: Yes, by telling the controller (recruiting company).

Candidates have a right to request information about which personal data is being processed. At the minimum, the first copy of such information must be free, but if the candidate requests an unreasonable number of excerpts you as a controller may charge a “reasonable fee” for the following excerpts. If the request is made digitally, the excerpt should be provided in a digital form as well. It is the responsibility of the controller to meet such a request.

The information provided must contain (article 15.1 of the GDPR):

  • the purposes of the processing;

  • the categories of personal data concerned;

  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

  • the existence of the right to request from the controller rectification or erasure ofpersonal data or restriction of processing of personal data concerning the data subject or to object to such processing;

  • the right to lodge a complaint with a supervisory authority;

  • where the personal data are not collected from the data subject, any available information as to their source;

  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The right of access to information is not absolute, it is explicitly stated that this right is void if it should adversely affect the rights and freedoms of others, including company

secrets and intellectual property rights. The controller must also ensure that the person making the request really is the candidate in question. The level of security should be decided based on the sensitivity of the data requested and shouldn’t be used to provide unnecessary obstacles for the registered. When deciding how the data subjects, the candidates, shall verify themselves it is important to take into account how they provided the data in the first place. That should decide how you should ask them to verify (via email/through a log-in etc.)

In Jobylon, you can easily export a PDF of the most relevant data. If this

is not sufficient we’re glad to help you make the export from our end. Furthermore, we offer a request functionality which enables data subjects to verify themselves when enforcing their rights under the GDPR.

Related Articles
Export of data the candidate has submitted
How does Jobylon handle a request for change (rectification) or deletion?
How can candidates exercise their rights to Data Portability?
Why does the main part of “default” privacy policy provided by Jobylon base processing on “legitimate interest” rather than “consent”?
How does sourced recruiting comply with the GDPR?
Did this answer your question?