Legal Business

Sponsored briefing: GDPR aspects to consider when conducting reference checks

Penkov, Markov & Partners’ Nikolay Cvetanov and Dimo Katrandzhiev on the GDPR risks facing employees checking the references of potential new employees

Although the GDPR has been in effect for a while now, organisations (especially applicable to small and medium-sized businesses) continue to face challenges with the alignment of all processes and activities involving processing personal data. Particular areas where our legal practice has identified compliance issues, given various customer enquiries, represent marketing and staff recruitment activities.

Considering the above, one of the urgent queries that recruiting employers, and HR departments in particular, inevitably bring up in their recruitment work is how to lawfully, in terms of data privacy requirements, obtain references from job candidates’ previous employers. With the purposes to clarify some of the concerns revolving around this matter, we are pleased to present an overview of several options that are of a nature to limit risks that employers may encounter when engaging in the relevant activity of doing reference checks.

First of all, can recruiting employers request from job candidates’ former workplaces information on the candidates’ skills, dependability, and overall integrity?

While the broad response to the subject under consideration may be ‘yes’,there are several difficulties from both data protection and e-privacy perspectives that must be taken into account each time before submitting such requests to former employers.
In essence, such unsolicited communications sent for the purposes of reference checks, and particularly those directed to email addresses revealing personal data of individuals (or delivered for that matter via phone call which by nature requires to identify the recipient’s phone number), can be categorised as ‘cold calling/messaging’. These kinds of communications in theory require the recipient’s prior consent in order to be deemed lawfully sent, as is the case for direct marketing communications under Directive 2002/58/EC (the E-privacy Directive), as well as pursuant to its implementing Bulgarian law (the Electronic Communications Act). Тhe rationale for this necessity is the circumstance that the contact information itself – email addresses, phone numbers, etc. – may reveal personal data, making its processing subject to the requirement of a valid legal basis. It is also feasible, from a practical perspective, that the former employer, particularly the staff members employed thereby, decline to act as a reference.

The aforementioned problems are currently remedied in practice by recruiting companies requiring candidates to obtain themselves with references in a specific format. However, alternatives are also frequently sought out since for many HR departments it seems most beneficial to be able to speak and connect with the candidate’s former supervisors in order to better understand the applicant’s work performance and personality.

here are several difficulties from both data protection and e-privacy perspectives that must be taken into account each time before submitting such requests to former employers.

In order to accomplish their objectives, recruiting employers may use the following levers to obtain compliant reference checks as per GDPR’s general requirements:

Lastly, what legal ground must be always ensured for the legitimate disclosure and lawful processing of the applicant’s personal data discovered in the provided references?

In short, the ideal way to proceed with ad-hoc requests for reference checks and what should be done by default is for the job applicant to give explicit consent to their former employer for the specific purpose of disclosing the relevant personal data, and for that consent to be recorded accordingly under GDPR rules.

The potential invocation of the legitimate interest of the recruiting employer as a ground for disclosure cannot be lawfully justified. In the case of disclosing candidate’s personal data without obtaining their prior consent, there is a risk of prejudice to their interests because the information disclosed may contain circumstances they may not initially wish to share. The disclosure of such personal data could, in turn, hinder the applicants’ further participation in the recruitment process, which further outlines the risks associated with violation of their interests. Therefore, as a conclusion, the legitimate interest of the recruiting employer cannot be given preference over the applicant’s ones.

Authors

Nikolay Cvetanov (nikolay.cvetanov@penkov-markov.eu)
Dimo Katrandzhiev (dimo.katrandzhiev@penkov-markov.eu)

 

Return to TMT Yearbook contents