With the GDPR, the requirements for what can legally qualify as consent have been narrowed. In order to be valid, consent needs to be “freely given, specific, informed and unambiguous”. Consent may also be revoked at any time, rendering the legal ground for processing void and making any continued processing illegal.
Beyond the potential difficulties in dealing with revoked consents and documenting given consents, using consent as the legal ground for processing for recruitment purposes may also be problematic with regard to the requirements of being “specific” and “freely given”.
To be specific, the consent needs to be given for each purpose and must be unconditional. For example, you cannot require the candidate to consent to receiving marketing e-mails from your company as a condition for applying for the job.
Regarding consents being “freely given”, it is the current standpoint of at least the Swedish Data Protection Authority that employees are generally unable to give consent to processing by their employer because of the dependence of the employee. The relationship between an applicant and a potential employer is similar, and it is possible that the same considerations will be made if you base any part of the recruitment process on consent. A consent covering all the processing activities connected to the recruitment process (communication, selection process etc.) could therefore be difficult in practice to ensure and to administer as the legal ground when processing the data for the selection process.
However, if you wish to store the candidate’s contact details and application data for any future job openings, you could use a consent (for more information see the section “Do we need consent if we want to recruit an applicant to another job than the one they applied for?”). This consent must, however, be specific and freely given, as stated above, so you cannot require the candidate to consent to such processing to be able to apply for the job at hand.
We have concluded that a balancing of interests, also referred to as “legitimate interest”, could be used as a legal ground for the major part of the processing within a recruitment process. Using a balancing of interests means that you need to balance your interest in processing the data against the data subject’s (the candidate’s) right to protection of privacy and their personal integrity. The legitimate interests would then be, for example, your interest in being able to find candidates, determine whether the candidate is a good fit for you, have a structured application and selection process, and ensure effective communication with the candidates.
The difference between using legitimate interest and using consent is that you do not need an active affirmative action from the candidate. You do, however, need to inform the candidate of the processing and document the balancing of interests made, to be able to show it to a supervisory authority. The data subject may, however, object to processing based on legitimate interest. This means that you will no longer be able to process the personal data unless you can demonstrate compelling legitimate grounds for the processing which override the interests of the candidate. The candidate also always has the right to contact you for more information on the balance test that has been made.
In a normal recruitment procedure it is rather easy to justify the balance test; however, it may depend on the data you want to collect and what you want to use it for (keep in mind the ever-present principle of data minimization).
That said, you as the employer are the controller of the personal data and responsible for the validity of whichever legal ground you choose. You are responsible for ensuring that the proper amendments are made to our default policy, so that the policy reflects the actual processing that you do. The default policy is only provided as a template for your convenience. There are no one-size-fits-all solutions.
We’ve done our best to accommodate most of our customers’ needs and tried to explain how we have reasoned in this FAQ. We do not take any responsibility for the privacy policy correctly reflecting your business’ processing.