Recruiting and data protection: How you need to protect applicant data

The topic of data protection also plays an important role for companies in the recruitment process. Here you can find out how to handle application documents and applicants' personal data in a legally compliant manner.

The documents that job applicants submit to the company usually contain a range of personal data, such as age, address, CV or grades. Employers must protect this data and, in particular, ensure that the application documents do not fall into the hands of people who have nothing to do with the application process.

This also applies to the handling of applicant data. The Federal Data Protection Act (BDSG) and the General Data Protection Regulation (GDPR) must be observed. These regulations protect both employees in an ongoing employment relationship and persons who submit their application to a company.

Processing of applicant data

The legal basis for the storage of applicant data is Section 26 (1) sentence 1 BDSG. According to this, the processing of personal data is permitted, among other things, if it is necessary for the decision on the establishment of an employment relationship.

It is important to comply with the duty to inform regarding data processing. You must provide the applicant with the following privacy policy information:

  • the legal basis of the data processing (Section 26 (1) sentence 1 BDSG)
  • the purpose of the data processing (decision on the establishment of an employment relationship)
  • the duration of data storage
  • the contact details of the employer and the data protection officer
  • possible other recipients of the application documents (for example, another branch of the company)

In addition, you must inform the applicant about:

  • their right to withdraw their consent to the data protection information
  • the right to lodge a complaint with the competent supervisory authority in the event of a breach of data protection regulations by the employer
  • the rights of the data subject under the GDPR, for example their right of access under Art. 15 GDPR or their right to data rectification under Art. 16 GDPR

Who is authorised to access the applicant data?

Employers who receive application documents must ensure that access rights to applicant data are limited.

In principle, the following applies: Only those people in the company who decide on the recruitment or are involved in the selection process in any way should have access to the application documents, for example the responsible person in the HR department, the head of HR and the management. 

You should never store applicant data in a generally accessible folder.

Forwarding of data: The applicant's consent is required. If the employer wishes to forward the application documents internally because the applicant is suitable for another advertised position in the company, the employer must first obtain the consent of the applicant.

Questions in the job interview: What is allowed?

During the interview, the employer usually tries to find out more about the applicant's professional background, qualifications and personality. 

But be careful: Certain questions are not permitted in the job interview. The right to ask questions only exists with regard to information that is relevant to the application process and the selection decision. The employer may only ask questions in which they have a legitimate interest because they are related to the requirements profile of the position.

Questions on the following topics are inadmissible in the job interview:

  • Pregnancy. Exception: If the employment would pose a health risk to the pregnant woman, for example due to heavy physical labour.
  • Family planning
  • Financial circumstances. Exception: If it is a management position or a position with an asset management obligation.
  • Religious affiliation. Exception: Church or denominational employers may ask about religious affiliation.
  • Political convictions
  • Trade union membership. Exception: If it is a job interview with a trade union.
  • Previous convictions. Exception: If the previous conviction is relevant to the position offered. For example, you may ask an applicant applying for a job as a professional driver about possible previous traffic offences.
  • State of health. Exception: If the state of health is important for the position in question.

If the employer asks an unauthorised question during the interview, the applicant is not obliged to answer it truthfully.

How long may you store applicant data?

As a general rule, applicant data may only be stored for as long as necessary. After that, it must be deleted.

If you employ the applicant, you may include their application documents in the personnel file if these are necessary for the performance of the employment relationship.

If you reject the applicant, the purpose for processing the personal data no longer applies. Accordingly, you are then obliged to delete the applicant's submitted documents or to destroy submitted paper documents.

However, a rejected applicant may see unequal treatment in their rejection and file a lawsuit in accordance with the General Equal Treatment Act (AGG). In order to be able to prepare accordingly in the event of a complaint, employers may retain the documents for up to 6 months after completion of the application procedure. They must then permanently delete the application documents.

If the applicant is placed in a so-called applicant pool, you may, in exceptional cases, keep their application documents for longer. However, a prerequisite for inclusion in an applicant pool is that the applicant consents to the storage of their data for this purpose.