Penkov, Markov & Partners’ Nikolay Cvetanov and Dimo Katrandzhiev on the GDPR risks facing employers checking the references of potential new employees
Although the GDPR has been in effect for a while now, organisations, especially small and medium-sized businesses, continue to face challenges in aligning all processes and activities that involve processing personal data. Based on various customer enquiries, our legal practice has identified marketing and staff recruitment activities as particular areas with compliance issues.
Considering the above, one of the urgent queries that recruiting employers, and HR departments in particular, inevitably bring up in their recruitment work is how to lawfully, in terms of data privacy requirements, obtain references from job candidates’ previous employers. To clarify some of the concerns around this matter, we present an overview of several options that can limit the risks employers may encounter when carrying out reference checks.
First of all, can recruiting employers request from job candidates’ former workplaces information on the candidates’ skills, dependability, and overall integrity?
While the broad response to the subject under consideration may be ‘yes’, there are several difficulties from both data protection and e-privacy perspectives that must be taken into account each time before submitting such requests to former employers.
In essence, such unsolicited communications sent for the purposes of reference checks, and particularly those directed to email addresses revealing personal data of individuals (or made by phone call, which by nature requires identifying the recipient’s phone number), can be categorised as ‘cold calling/messaging’. These kinds of communications in theory require the recipient’s prior consent in order to be deemed lawfully sent, as is the case for direct marketing communications under Directive 2002/58/EC (the E-privacy Directive), as well as pursuant to its implementing Bulgarian law (the Electronic Communications Act). The rationale for this requirement is that the contact information itself – email addresses, phone numbers, etc. – may reveal personal data, making its processing subject to the requirement of a valid legal basis. It is also possible, from a practical perspective, that the former employer, and particularly its staff members, may decline to act as a reference.
In practice, recruiting companies currently address these problems by requiring candidates to obtain references themselves, in a specific format. However, alternatives are also frequently sought, since many HR departments find it most beneficial to speak and connect with the candidate’s former supervisors in order to better understand the applicant’s work performance and personality.
In order to accomplish their objectives, recruiting employers may use the following levers to obtain compliant reference checks as per GDPR’s general requirements:
- Acquire distinct, specific and voluntarily given prior consent from a particular employer, and/or employee(s) (supervisors) at the job candidate’s former workplace, for the purposes of contacting them and sharing information on the candidate’s work performance and character attributes. This risk-free approach enables a broad and complete discussion of all the details crucial to the recruiting company.
- It is still possible to send unsolicited communications to former employers, but only to email addresses which do not reveal recipients’ personal data (that is, an email address that does not belong to a specific individual considered a data subject). Examples of these include generic business addresses, such as company-name@firm.com. This approach eliminates the requirement for prior consent in order to contact the recipient, since no individual’s personal data will be processed at the time of sending the email. Furthermore, this way it is also feasible to ask to speak with a specific employee at the candidate’s former workplace who may be able to provide the needed information. If the recipient responds to the request by providing explicit consent for the provision of references and the communication is then forwarded to the specific individual (a human resources officer or an ex-supervisor of the job applicant), the recruiting employer will be able to demonstrate that they have obtained the necessary consent and will be able to move forward with the lawful processing of the personal data of the individual who has agreed to provide information.
- As an exception, the GDPR enables recruiting employers to invoke their legitimate interest in sending cold mails/calls to individuals at the candidate’s former workplace. However, in order to potentially utilise this legal basis, data controllers must demonstrate that they have no other options to obtain the relevant persons’ prior consent. Additionally, data controllers claiming legitimate interest must ensure that the contemplated processing activities will not compromise the rights of data subjects (those whose contact information will be processed for the purpose of direct communications). To do all of this, a thorough balancing test must be prepared and recorded to determine if the processing is necessary and how it will impact the interests of the relevant data subjects. Moreover, this assessment must be made on a case-by-case basis. However, this is not a risk-free approach to implement, as supervising authorities may decide that the processing activity is unlawful, should the aforementioned alternatives appear to be viable options for the recruiting company.
Lastly, what legal ground must always be ensured for the legitimate disclosure and lawful processing of the applicant’s personal data contained in the provided references?
In short, the ideal way to proceed with ad-hoc requests for reference checks and what should be done by default is for the job applicant to give explicit consent to their former employer for the specific purpose of disclosing the relevant personal data, and for that consent to be recorded accordingly under GDPR rules.
The potential invocation of the legitimate interest of the recruiting employer as a ground for disclosure cannot be lawfully justified. Where a candidate’s personal data is disclosed without their prior consent, there is a risk of prejudice to their interests, because the information disclosed may contain circumstances they may not initially wish to share. The disclosure of such personal data could, in turn, hinder the applicant’s further participation in the recruitment process, which further underlines the risk of their interests being violated. Therefore, in conclusion, the legitimate interest of the recruiting employer cannot be given preference over the applicant’s interests.