Be called back
Demonstration
To process your request, we need to process your personal data. Find out more about the processing of your personal data here.
🚀 Employers
s in the face of recruitment challenges
Internal recruiters and temporary employment agencies are finding it increasingly difficult to recruit. Contrary to what most employers believe, this has nothing to do with a mismatch between labor supply and demand. According to a survey by theDirectorate for Research, Studies and Statistics (DARES), poor working conditions are the main reason for this significant difficulty in the recruitment process, whether for internal recruiters or temporary employment agencies.
Faced with this situation, most temporary employment agencies decide to keep the information of former candidates so they can contact them again if necessary, without taking into account the limited duration of Data retention periods provided for by the GDPR.
Given that personal data is considered to be any information relating to a natural person that allows them to be identified directly or indirectly, in the context of recruitment, temporary employment agencies and internal recruiters will therefore store data such as:
- the candidate's identity: their first and last name;
- his professional experience, including internships and jobs he has held;
- his education, including his degrees and certifications;
- the assessment of their aptitudes and skills, such as the results of knowledge or personality tests.
💼 How long are candidates' personal Data retention ?
🤷 The GDPR specify a specific duration for processing carried out for recruitment purposes. In other words, it is up to each data controller to determine this.
There are numerous texts that can guide data controllers in defining this period, particularly that of intermediate archiving, which will be discussed in more detail below.
Furthermore, in order to take into account the various texts that impose minimum Data retention periods specific to the recruitment sector, the limitation periods for legal action may constitute a criterion for adjusting the Data retention period.
Example: Article L. 1134-5 of the Labor Code sets the statute of limitations for legal action to obtain compensation for damage resulting from discrimination at five years from the date on which the discrimination was revealed.
In case of refusal:
After rejecting an application, the recruiter is required to inform the candidate of their desire to keep their file on file, giving them the choice to accept or decline this proposal.
If the candidate does not ask the recruiter to destroy their file, the data they have provided must be systematically destroyed two years after contact. However, if the candidate is hired for the position, their personal data may be retained for the duration of their employment with the organization. Only specific information may be retained after the employee leaves, such as pay slips, for example (five years after their departure).
| Processing activities | Treatment details | Operating times | Prescription period | Legal references |
|---|---|---|---|---|
| Recruitment | Immediate destruction of information if the candidate is not selected, except for the resume, which may be kept for a period of two years. | Processing of information collected during the recruitment process, including via chatbot | NA | "Recommendation of the CNIL (National Commission for Information Technology and Civil Liberties) of March 21, 2002" |
📌 What rules must recruiters apply when it comes to Data retention their candidates' personal Data retention ?
In the context of GDPR recruitment, there are two main successive phases in the life cycle of personal data:
Common use:
This step involves using the data provided by the candidate in relation to an ongoing recruitment process. All the information collected during this phase will be accessible to the recruiter in their immediate work environment. For example, if a recruiter receives a resume or cover letter from a candidate, they can download it to their work computer or a company server so that they can consult it at their convenience, at any time, throughout the recruitment period until a hiring decision is made. This brings us to the second phase.
Intermediate archiving:
Once the recruitment process has been completed and the hiring decision has been made, the purpose of processing the collected data will therefore have been achieved. All information provided by candidates has been collected for the Purpose recruitment management.
This means that, unlike in the first phase, in the second phase, the recruiter no longer needs to store candidate information on their work computer or on a company server.
In the event that the Data retention this Data retention could be of interest, particularly with regard to the management of a discrimination case, or to meet a legal obligation, even after the current use phase, candidates' information may be stored in an intermediate database. This database can be consulted on an ad hoc basis by persons who are expressly authorized to do so.
However, the intermediate archiving phase also has a limited duration. In this case, all information must be deleted or, at the very least, anonymized. It is therefore necessary to identify the objective behind such Data retention, with a view to retaining only the information necessary to achieve that objective.
⚠️ How should candidates be informed about the processing of their personal data?
Among the rights available to candidates is the right to be informed about the processing of their personal data. This right allows them to control the personal information they provide during the recruitment process.
Why inform?
Under the GDPR, a data controller is required to provide data subjects with accurate information about how their personal data is processed. It goes without saying that the way in which this information is presented must be adapted to the recruitment context.
This is therefore the principle of appearance, which allows candidates to:
- A clear understanding of why their personal information has been collected and therefore processed (e.g., professional skills, CV, knowledge test, etc.);
- A general understanding of how this data will be used (the context in which it will be accessed, and for how long);
- A guarantee that they have control over their information by facilitating the exercise of their rights.
On the other hand, for recruiters, this helps build trust between recruiters and candidates, even if the candidate isn't hired.
Cases in which the recruiter must inform candidates:
When processing personal data, recruiters are required to inform the individuals concerned, regardless of how the data was collected (directly or indirectly).
The information procedures therefore vary depending on how the data was collected. In other words, it will depend on whether the data was collected directly (CV or cover letter submitted by the candidate) or indirectly (website, colleague, etc.).
Direct collection:
This is usually when the candidate has sent their details directly to the recruiter, regardless of the method used. This could be in the form of a resume or cover letter, a diploma or work certificate, a completed form, or answers to questions asked during an interview.
Indirect collection:
Indirect data collection may take the form of references from a candidate's former employer, information obtained from an alumni directory, or information obtained from professional social networks.
💼 Does a recruiter have the right to contact a candidate?
A recruiter has the right to contact a candidate for a position if they have obtained their information from a public source, such as a job advertisement or online profile, without asking for their consent. However, it is always preferable for recruiters to ask for consent from the individuals concerned before contacting them, in order to respect their privacy and ensure that the contact is appropriate.
It is also important to note that certain data protection laws may require explicit consent from the candidate before receiving communications from a recruiter.
Furthermore, employers have the right to search for information about candidates on the internet. There are recruitment websites that offer paid access, such as Monster, APEC, Cadremploi, etc. In this case, the search is considered fair, since by registering on these sites, candidates must give their consent for their personal data to be shared.
The same applies to professional social networks such as LinkedIn or Indeed. The candidates' objective is already identified. Furthermore, no personal data concerning users' private lives appears on professional social networks. Control over personal data therefore remains with the individuals concerned.
However, recruiters are not allowed to search for information on personal social media accounts (e.g Facebook, Instagram, or typing the candidate's name into Google). These types of sites provide information that concerns the private lives of the individuals involved. Recruiters are therefore not allowed to collect or process this data.
📕 Cases involving temporary employment agencies
, and recruitment agencies
A temporary employment agency is considered to be an entity whose main mission is to find and hire employees in order to meet the needs of a client company.
In terms of their main activity, temporary employment agencies can be classified as:
- controllers to build a pool of qualified candidates in certain fields of activity;
- Data controllers specifically for temporary employment activities, for the purposes of managing the provision of temporary employees to user companies and their remuneration by temporary employment agencies.
A temporary employment agency is therefore required to collect and process the personal data of candidates who register on its online platform in order to offer them job opportunities. Temporary employment agencies would therefore like to reuse candidates' personal data in order to carry out analyses to optimize the candidate placement process. This is a Purpose falls within the scope of GDPR compliance, GDPR are no consequences for the individuals concerned.
Dipeeo counts among its clients agencies specializing in recruitment, and in particular, temporary employment agencies such as:Hunteed, TalentAddict, Student Pop, LeHibou, and Emploi-Collectivités.
😯 GDPR HR sanctions
Given that the GDPR obligations on recruiters to ensure the protection of candidates' personal data, candidates may file a complaint if their data has not been processed in accordance with GDPR. The consequences may include fines, administrative penalties, and damages in the event of a serious breach of GDPR obligations.
It should be noted that fines imposed by the CNIL (National Commission for Information Technology and Civil Liberties) are CNIL (National Commission for Information Technology and Civil Liberties) necessarily GDPR sanctions GDPR immediately by the personal data regulator. The latter may apply and impose one or more of the following measures:
- A call to order: this is a warning from the CNIL (National Commission for Information Technology and Civil Liberties) take the necessary measures to correct the failure;
- An injunction to comply, which may be accompanied by a penalty payment of up to €100,000 per day of delay;
- A temporary or permanent restriction on processing, its prohibition, or the withdrawal of authorization;
- Withdrawal of certification;
- The suspension of data flows addressed to a Data recipient in a third country or to an international organization;
- The administrative fine.
