As you may have heard, the EU put new data protection guidelines (EU-DSGVO = EU General Data Protection Regulation) into effect on May 25, 2018. This has led to various questions not only from our foreign customers, but also from our Swiss customers.
We have collected these questions and would like to answer them for you in this article. Please note that this article cannot definitively answer all questions, as the topic is constantly evolving. In addition, this article can only provide recommendations, which are not legally binding.
The legal circumstances may vary from company to company. If in doubt, be sure to clarify your legal questions with an appropriate specialist.
Are you affected by the EU-DSGVO?
In principle, all companies in the EU member states are affected, but also companies outside the EU (such as Switzerland) that store and process personal data of EU citizens. So, if you receive applications from EU citizens, your company is affected by the new regulations.
Are the differences between the CH-DSG (Swiss Data Protection Act) and the EU-DSGVO significant?
The two laws are very similar in principle, but differ greatly in detail in some cases. Both share the goal of protecting personal data in the digital age. Switzerland will adopt a large part of the EU-DSGVO in the medium term. Corresponding legislative changes are already being planned. This is another reason why you should be concerned with the new legal situation today.
Do you have to publish data protection guidelines on your website?
This is highly recommended, as the EU-DSGVO assumes that personal data could be stored when someone visits your website. This is already the case, for example, if your company website uses so-called cookies to store certain information about the visitor to the website. In addition, the Swiss Data Protection Act will also require you to proactively provide information about data protection and to provide this in the simplest possible way, such as a public document on your website.
What changes in relation to the recruitment process due to the new legal situation?
If you receive applicant data (especially from people from the EU), you must inform the applicants before saving it that you intend to save the transmitted data. If you receive the application documents by email, this is not possible at all, as the data is already stored on your IT systems (or those of your email provider).
In addition to this paradoxical situation, the applicants must give their explicit consent to the storage of the data.
Our recommendation for this situation:
Continue to process applications that you receive by email as usual. The applicants have actively sent you the documents, which suggests that they have an interest in you processing the data in their interests (data is only used for application purposes).
It is best to confirm the processing of the data to the applicant with the letter of acknowledgement sent in each case, by attaching the following example text as a disclaimer to the email:
Text example:
In accordance with the applicable data protection law, we would like to draw your attention to the fact that your application documents are stored and processed by us. The data will only be processed for the purpose of the application you have specified. You can find the detailed data protection guidelines of our company here (link to your company’s data protection guidelines).
You can of course easily integrate the text once into your response templates, which you have stored in your Ostendis account.
Are there other options that can be made available to applicants for a GDPR-compliant transmission of data?
Ostendis provides you with the Ostendis CVdropper™ to receive applications from applicants. The Ostendis CVdropper™ is a new type of application form that you can easily make available to applicants without integration on your website. It is not structured like a classic and increasingly frowned upon application form, as only the email address needs to be entered and all documents can be dragged & dropped into a box. The Ostendis Import Service then processes this data, as with the previous email forwarding by you to [email protected].
From a practical point of view, this results in a very simple and inviting way for applicants to apply to you. For you, the step of forwarding the email is eliminated, which saves even more time.
From a legal point of view, the Ostendis CVdropper™ offers a very big advantage: As required by the EU-DSGVO, you can provide the applicant with your data protection guidelines before submitting the application documents, and they must explicitly confirm them with a mouse click before sending.
For more information about using the Ostendis CVdropper™ in your company, please contact us.
Do you have to adapt your data protection guidelines if you process applicant data with Ostendis?
Due to the transparency required by law, it makes sense to point out in your data protection guidelines that you store the application documents at Ostendis and process them via the options offered by us. This is a so-called order data processing (Art. 28 EU-DSGVO). You can inform the applicants as follows in your data protection guidelines:
Text example:
Our company works with the e-recruiting solution of Ostendis AG, CH-5706 Boniswil (UID: CHE-102.097.261), which takes over the data storage in relation to application documents and offers processes for processing this data in the sense of order data processing. Personal data is neither analyzed in detail by machine (profiling) nor are automated data processing procedures used for decision-making (matching). Further information and the data protection guidelines of Ostendis AG can be found at www.ostendis.com.
Is it allowed to keep data from applicants so that you can contact them if needed?
In principle, you are obliged to delete application documents after the recruitment process has been completed. However, the process can take a few days or a few months. Therefore, no absolute period is specified by law.
What is certainly not allowed: Collecting applicant data as a precaution. So simply saving all the files you receive and keeping them indefinitely for no reason.
However, if you have received an interesting applicant file and can assume that you could consider this person for a next job vacancy, it makes sense to keep the file. For this purpose, the candidate pool is available to you in Ostendis.
Since the duty to provide information is very important in the EU-DSGVO, we recommend that you integrate the following text into your data protection guidelines and possibly into your rejection letters:
Text example:
We reserve the right to have your application documents stored with us for a maximum of 2 years after the application process has been completed, so that we can contact you for filling other interesting positions. If you do not agree with this practice, please let us know briefly.
The value of 2 years can of course be determined by your company. There are currently no maximum permissible reference values that have come about through court rulings. Not defining a retention period would not be legally correct, as this would allow an inadmissible, infinitely long storage.
Ostendis is currently being expanded in this regard, so that you can use a simple mechanism in the candidate pool to search for and delete files of a certain age (for example, all files older than 365 days), so that you can meet your data protection obligations with Ostendis at any time and in a simple manner.
In addition, you will be able to define the retention period for applications that you have moved to the recycle bin by deleting them. After the retention period has expired, the data will be automatically and irrevocably removed from the Ostendis systems.
Concluding remarks & data protection officer of Ostendis AG
Please note, as mentioned at the beginning, that we cannot give you any legal guarantees with this article, but only recommendations researched by our legal contacts.
If you have any further questions about data protection with Ostendis, please do not hesitate to contact us.
Mr. Philippe Moser
CEO & Responsible Data Protection Officer
Ms. Livia Berger
Marketing Manager, Member of the Executive Board & Deputy Data Protection Officer
