Personal data in selection processes
The use of personal data is essential for any recruitment process, but getting a new job can sometimes be more complicated than studying for a Bachelor’s degree, as the phases you must pass include complex tests and questionnaires.
Companies must configure and design their selection processes taking into account the provisions of data protection regulations, since requesting more personal data than necessary to establish the employment relationship could be counterproductive.
A good example of this can be found in resolution PS/00214/2022 of the Spanish Data Protection Agency, in which a recruitment company was fined 50,000 euros.
In this case, a person in a selection process had to take some psycho-technical tests intended to assess the candidate's intelligence, personality, emotional intelligence and potential, accessing them through a link on the Internet provided by a recruitment company (THOMAS INTERNATIONAL SYSTEMS).
These tests collected personal data and asked questions about disability and ethnicity. It should be noted that the recruiting company argued that the processing of this personal data was requested for research purposes, to improve their evaluations.
Faced with such facts, we must then reflect on whether requesting this type of special category personal data is appropriate to the purpose of the processing, i.e., to know the sufficient capabilities of candidates for the performance of a job.
Special category personal data
In the case under analysis, the recruiting company in question provided the candidates with a questionnaire called “Thomas’ Research Questionnaire”, which was independent from the questionnaire to fill the position offered, where personal data were requested, such as gender, year of birth, disability, ethnicity, mother tongue, level of education, current employment status, current industry, current function, current level of command, level of happiness in the position (with a scale from 1 to 7), job rating (with a scale from 1 to 7), description of disability (text field) and consideration of leadership.
As can be seen, some of the questions put to the candidates referred to the special category personal data specified in art. 9 of the GDPR, which prohibits the processing of such data, except in the cases legally established in art. 9.2 of the GDPR.
The selection company based the processing of these special personal data on paragraph 2, letter j) of art. 9, relating to research purposes; however, the Agency understood that the necessary requirements were not met to be able to sustain such a basis, since no legal framework was alleged by the company to support such processing, and the company’s Privacy Policy, in relation to this aspect, was considered generic, since it did not specify the specific processing carried out by the data controller.
On the other hand, the fact that the recruiting company provided the data subjects with the possibility of not answering the questions on disability and ethnicity does not mean that with this measure the consent of the data subjects to process their personal data has been obtained, since this does not meet the requirement of having obtained prior express consent for the processing of special category personal data.
From the analysis of the triple test of necessity, appropriateness and proportionality, the controller did not provide sufficient evidence to justify the processing of special category personal data.
Resolution of the AEPD
The Agency considered in this case that the facts described breached the provisions of Article 9 of the GDPR, which implies the commission of an infringement typified in paragraph 5.a) of Article 83 of the GDPR, with a fine of 50,000 euros.
Finally, an early voluntary payment was made, resulting in an amount of 40,000 euros.
Conclusions
First of all, we must identify which personal data is necessary for the purpose we are pursuing, and whether such data is relevant or excessive for that purpose. It must also be determined, prior to processing, whether the data is of special category, in order to establish the necessary requirements for its lawful processing, as we already published at the time on the use of Test Discs.
If we have any doubts about whether or not we can process such data, applying the principle of data minimization will be our best ally, as well as relying on the advice of experts in the field.
If you need help, contact us by email at info@businessadapter.es or call 96 131 88 04.