Is the consent of the individual required during the selection process to carry out the processing of the data?
No, the processing of data during the selection process does not require the consent of the person concerned.
Article 6.1 b) of the GDPR establishes that the processing will be lawful if it is necessary to execute a contract in which the interested party (in this case, the candidate) is a party or for the application of pre-contractual measures requested by this party. We must also take into account recital 44 of the GDPR which specifies that: «The processing must be lawful when necessary in the context of a contract or the intention to conclude a contract».
In the event that the data included in the CV is then used for other purposes, for example, commercial, it will imply that we will need another legal basis, such as consent or legitimate interest.
How can we inform the candidate?
The duty of information must be carried out by means that allow to prove compliance and will be kept for the duration of the treatment.
The receipt of CV can come by two different ways, by an announcement or call where the company in question indicates that it has a vacancy or by the delivery of the candidate of his CV.
In the first case, the information provided for in Art. 13 GDPR must be included in the announcement or call. In the second case, the company must establish an information procedure that allows confirming that the candidate is informed correctly.
In case the CV is sent by email or post, the information can be sent to the sender’s address and wait for confirmation to start the treatment. In case it is physically delivered, it must be informed there by any means that allows accreditation, for example, through posters.
How can you regulate the sending of CVs? Is there a limit to the information the company can ask for?
It is recommended to establish a single channel for shipping, so that it is easier to control it, for example, via a standard form where the necessary information is requested and in that same the information required by the regulations is given. The principles of minimization and limitation must be respected and not ask for information indiscriminately, but only those data relevant to the position.
In the event that CV arrives by other means, they can be instructed to send it by the established means.
What sanctions exist for non-compliance?
As we mentioned at the beginning of the article, this treatment is subject to data protection regulations and its non-compliance can lead to sanctions.
On July 23, 2021, the Agency filed a penalty of € 2,000 to a company for failing to comply with the aforementioned art. 13 of the RGPD, by not providing the candidate with the information related to the processing of their data or the possibility of exercising their rights before the person responsible for the treatment.