Client Alert

7 Tips for International Recruiting Programs in the Era of GDPR and Emerging U.S. Laws

30 Oct 2020

When your organization is searching to fill a new position, you understandably want to find out as much as possible about the candidates who apply. Aside from determining whether the candidate has the specific skill set, education, and experience necessary to do the job, you want to make sure that the person will fit in with the team. Do they have a positive attitude and integrity? Are they flexible and hard working? Are they a good communicator and team player? Are they dependable and creative? If possible, you want to hear from references provided by the candidate to confirm that the candidate was sincere and meets your organization’s needs. You might even want to check how they behave on the Internet.

It is difficult to figure all of this out through the traditional hiring process, so many companies resort to seeking additional information from the candidate him or herself and by conducting extensive background checks that might even include reviewing the candidate’s social media accounts.

The nature of personal information that an organization may collect during the hiring process is, however, quite limited due to the EU General Data Protection regulation (GDPR), the implementing laws of the EU Member States and emerging U.S. laws. Here are seven tips for your international recruiting programs.

1. Do not collect more information than you absolutely need

The basic GDPR rule that all organizations must comply with is the principle of proportionality. This means that organizations should not collect more information from the candidates than is necessary to determine whether the person has a specific skill set, education, and experience necessary to do the job.

This will usually include information on their CV, such as name and contact details; previous work experience and education; skills; professional and other work-related licenses, permits, and certifications; and information relating to references and other information that candidates might volunteer to the organization (such as employment preferences, willingness to relocate, current and desired salary, awards, and professional memberships). The company can usually rely on its legitimate interest or legal obligation when processing such information, depending on the relevant jurisdiction.

Regulated organizations (such as financial institutions and insurance providers) might be legally required to ask for more information and conduct certain background checks to determine whether individuals are worthy of being placed in certain positions of trust. The kinds of background checks and roles for which background checks are allowed by local law vary per EU Member State, so if your organization is conducting background checks, make sure to determine what is allowed in each specific jurisdiction. In Germany, for example, the lawfulness of background checks (both criminal and credit) will depend on the specific tasks and responsibilities for the job.

This is quite different from the United States, where, pursuant to the Fair Credit Reporting Act and numerous state corollaries, some type of background check is generally allowed subject to the applicant’s consent, sharing of any report with the applicant, and notice to the applicant if an adverse action is taken based on the report.

2. Provide an appropriate privacy notice at the start of the hiring process

Information collected from applicants is distinct from information that your organization collects from customers or website visitors and more limited than the information you would collect from employees. Job candidates are not yet your organization’s employees; therefore, employee privacy notices are not appropriate. Your organization must have a notice that describes what kind of personal information will be collected about candidates, how and from which sources, and how such information will be used by the organization, and it must cover all other transparency requirements of Article 13-14 GDPR (including information on data retention, transfers, and individuals’ rights).

In the United States, the California Consumer Privacy Act (CCPA) requires businesses to give applicants who are California residents notice at or before the time their personal information is collected. The content requirements are more limited than GDPR requirements. Notice must describe the categories of personal information collected and the purposes for which the information will be used. CCPA notice requirements will expand if the current exemption for human resources data is not extended. Businesses that are subject to the CCPA and that already have a GDPR-compliant applicant notice may want to repurpose that notice, with some modifications, for applicants in California.

Ensure that the notice clearly describes all purposes for which the organization might use the candidate’s personal information. The purposes can include, for example, administering the job application process, assessing capabilities and job qualifications, conducting reference and background checks, responding to any enquiries from the candidate, complying with applicable laws, and preserving other legitimate interests of the organization (such as aggregate management reporting and internal training).

The privacy notice should be provided to the candidate at the beginning of the hiring process, before, or at the time personal information is collected. For example, if you have a dedicated careers website that accepts online applications, place a clearly visible hyperlink on the first page of the online application form, directing the candidate to the privacy notice for more detail about how the organization will handle personal information collected in the context of the hiring process. The candidate must also be able to revisit the privacy notice at all times so ensure that every page of the careers website contains an easy-to-find hyperlink to the notice (for example, in the footer of the website).

3. Do not ask for consent unless required by local law

The Article 29 Working Party (the predecessor of the European Data Protection Board – (EDPB)) explained in its Guidelines on consent (WP 259) that it deems processing personal information of not only current but also future employees on the basis of consent problematic for employers because such consent will be unlikely to be freely given and is therefore invalid.

If your organization processes only the personal information that is absolutely needed to determine whether the job applicant is qualified for the position, it likely can rely on its legal obligations and legitimate interest. Consent should only be used if so required by EU Member State law. In the context of a regular procedure, where your organization limits itself to strictly necessary information to select a candidate, consent likely will never be needed or appropriate.

4. Do not ask about an applicant’s private life

Asking candidates about their private life for the purpose of the hiring process will be difficult to defend under the GDPR. This information is unlikely to be required or possibly even relevant to the hiring decision and, therefore, would violate the GDPR principle of proportionality, and it may not be justified under legitimate interest and may require another legal basis.

This approach differs significantly from the approach to sensitive information collection in the United States. The collection of certain information, such as medical information and genetic information, is prohibited, while it is strongly recommended not to request or collect other types of sensitive information. For example, employers must take care when requesting information on race or religion, as it may evidence discriminatory intent.

5. Only screen publicly available social media related to business purposes

Screening social media and other publicly available information, including candidates’ websites, blogs, and vlogs, during the hiring process is currently quite widespread. Many organizations check the Internet for additional information about the candidate, especially if such sources are publicly available.

This approach is generally fine in the United States, where social media laws passed at the state level focus on prohibiting employers from requiring an applicant to disclose a username and password, change privacy protections, or add other employees to allow the company to gain access to personal social media pages. These restrictions, however, do not restrict an employer’s ability to view and act on posts to public social media pages as long as there is no discriminatory basis for its actions – for example, failing to hire an individual who it learned from social media is pregnant – and the applicants actions are not otherwise protected as legal off-duty conduct under state law.

In Europe, however, organizations should not assume that just because the candidate’s social media profile or website is publicly available, they are allowed to process the information contained therein for recruiting purposes. Organizations should always take into account whether Internet sources are related to business or private purposes. In other words, a publicly available LinkedIn profile is likely a fair bet because this social medium is set up for business purposes; however, organizations should not screen information from social media and other webpages of candidates that were clearly set up for private purposes and have nothing to do with the job. This means staying away from other publicly available social media profiles, posts, and any other media that the candidate is clearly using for the purposes of his/her private life and entertainment.

6. Use caution with artificial intelligence (AI)

A number of different software tools are available to assist and streamline the recruitment process. Some of these tools rely on artificial intelligence (AI) through bots and proprietary algorithms to find; screen; and even assess resumes, applications, and recorded interview responses.

Under the GDPR, these tools would be profiling job applicants. Profiling occurs when automated processing is used on personal information to evaluate an individual’s personal characteristics. It is often used to predict the individual’s behavior (for example, their ability to perform a particular job), but, according to the Article 29 Working Party guidelines on Automated individual decision‑making and Profiling for the purposes of Regulation 2016/679 (WP251), even categorizing an individual by a particular characteristic could be considered profiling. If an employer engages in profiling, this needs to be included in the notice to applicants. If the employer bases any decisions solely on automated decision-making (including profiling), with no human intervention, the applicant has the right to be notified about the automated decision-making, the logic followed for such decisions, and the potential impact of this processing. Applicants have the right not to be subject to decisions based solely on automated processing where the decisions result in legal or similarly significant effects, such as losing a job opportunity, and should be offered a mechanism to challenge these decisions. The GDPR only allows automated decision-making where the decision is necessary for the entry into or performance of a contract, authorized under EU or Member State law, or with the individual’s explicit consent. Keep in mind that applicants’ consent is generally not considered valid in the EU, as discussed above.

In the United States, employers seeking to use AI for recruitment also face some hurdles as concern over the use of AI is on the rise. While a number of bills at the state and federal level related to AI failed in 2019, Illinois passed the Artificial Intelligence Video Interview Act (AIVIA), which entered effect January 1, 2020. Pursuant to AIVIA, before using AI to analyze recorded interviews of applicants for positions in Illinois, employers must first: (1) provide the applicant with notice that AI may be used to analyze the interview and explain how the AI works and what “general types of characteristics” it uses to evaluate a recording; and (2) obtain the applicant’s prior consent to being evaluated as described. AI may not be used to evaluate the applicant without his/her consent. AIVIA also limits sharing of applicant videos to those necessary to evaluate the applicant for the position, and, within 30 days of receiving a request from the applicant, employers must delete any recorded interview and instruct anyone who received copies to delete the videos, including back-up copies.   

Your organization should conduct a data privacy impact assessment (DPIA) before implementing these tools to assess the risks and document any risk mitigation measures taken to protect personal information that is processed in this way.

7. Limit retention

The U.S. FCRA Disposal Rule and state data security and breach notification laws have made U.S.‑based multinational businesses more cognizant of the dangers around retaining information and the importance of secure disposal. Still, many businesses fail to translate that into data retention practices. However, a basic tenet of the GDPR is that personal information is retained only for so long as required to accomplish the purposes for which it was collected. What does that mean in a hiring context? Many companies like to maintain a database of candidates, keeping information of individuals not hired for a particular position in case a more suitable position opens up. First, that practice should be part of any notice to applicants, and, even so, there may be restrictions on how long the information can be retained under local Member State laws. Organizations should keep in mind that an applicant’s information, like resumes and CVs, becomes outdated fairly quickly and should consider implementing a practice of purging applicant information regularly, subject to any local data retention or disposal requirements. Should an organization wish to retain the data for future opportunities longer than legally permitted, candidate’s consent might be required in certain jurisdictions.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.