GDPR Recruiting: Making Sense of Data Processors and Data Controllers

Watch our on-demand GDPR webinar. Dive into GDPR basics for the recruiter and what they need to know. Click here to watch on-demand

When the GDPR, the European Union’s General Data Protection Regulation, goes into effect on May 25, 2018, a set of rules designed to enforce the rights of individuals in Europe with respect to the processing of their personal data will come into play. It will affect all companies that deal with personal data. Even non-EU-based companies that process the personal data of individuals in Europe may have to comply.

It’s important to focus on the distinction between data processors and data controllers with regard to the GDPR. Simply put, the data controller is the employer and the data processor is the human resources or recruiting technology, the job board, or other supporting technology. The GDPR distinguishes between the two, and both share liability, with fines for non-compliance as high as €20 million and/or 4% of global turnover.

Defining Data Controllers and Processors

Article 4 of the GDPR defines data controllers and data processors as follows:

  • “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

This distinction is important for compliance. The GDPR treats the data controller as the principal party for responsibilities such as collecting consent, handling withdrawal of consent, enabling the right of access, and so on. A data subject who wishes to withdraw consent for the processing of his or her personal data will therefore contact the data controller to initiate the request, even if that data lives on servers belonging to the data processor. The data controller, upon receiving this request, then asks the data processor to remove the data covered by the withdrawn consent from its servers.

Who is a Data Controller and Data Processor in Recruiting?

The GDPR is squarely focused on hiring, including sourcing, selection and recruiting. Once a candidate becomes employed, different privacy regulations and requirements apply.

During the sourcing, selection and recruiting points in the life cycle, the GDPR is clear on data processing on behalf of a controller. Article 28(1) of the GDPR states that:

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

In short, data controllers (i.e. customers of data processors) shall choose only processors that comply with the GDPR, or risk penalties themselves. As supervisory authorities penalize controllers for a lack of proper vetting, processors may find themselves obligated to obtain independent compliance certifications to reassure their would-be customers.

Data Processor Requirements for Recruiting Vendors and Partners Under the GDPR

The GDPR is specific about the role and requirements of data processors, as well as the role of the data controller (or the employer). All processors are required to:

  • Only process personal data on documented instructions from the controller, and inform the controller if it believes an instruction infringes the GDPR (28.3). In other words, a data processor may not opportunistically use or mine the personal data it is entrusted with for purposes not set out by the data controller.
  • Obtain written permission from the controller before engaging a subcontractor (28.2), and assume full liability for any failure of a subcontractor to meet the GDPR (28.4).
  • At the end of the service contract, delete or return all personal data to the controller, at the controller’s choice (28.3.g).
  • Enable and contribute to compliance audits conducted by the controller or a representative of the controller (28.3.h).
  • Take reasonable steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing (32.1).
  • Notify data controllers without undue delay upon learning of a data breach (33.2).
  • Transfer personal data to a third country only if appropriate legal safeguards are in place (46).

A processor is further required to maintain a record of its processing activities if it meets any of the following criteria (30):

  • Employs 250 or more persons
  • Processes data that is “likely to result in a risk to the rights and freedoms of data subjects”
  • Processes data more than occasionally
  • Processes special categories of data as outlined in Article 9(1)
  • Processes data relating to criminal convictions.

Examples of Questions to Ask Your Recruitment Vendors & Partners

The GDPR introduces direct obligations for data processors for the first time, whereas the current Directive holds only data controllers liable for data protection noncompliance. Processors will also now be subject to penalties and to civil claims by data subjects for the first time. HR and recruiting leaders must speak with their vendors and partners and understand whether they are taking steps to comply with the GDPR.

Below is a short list of questions that you should ask your vendors and partners in relation to GDPR compliance. It’s imperative that your HR technology vendor understands compliance with the new regulations, as well as liability for violations and noncompliance.

  • Have your contract terms changed with the GDPR?
  • What level of consent do you seek when applicants submit their data?
  • What is your process for collecting, storing, and deleting data?
  • What is your timeline for auto-deletion, and under what circumstances and for which data types does it apply?
  • What is your documented timeline for retaining data?
  • What processes exist to keep data up to date?
  • Have you appointed a data protection officer?

When a DPO is Required

In relation to the last question, Section 4 of the GDPR sets out the requirement for applicable firms to appoint a data protection officer (DPO). According to Article 37(1), data controllers and processors shall designate a DPO where:

  1. The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10.

Most firms required to appoint a DPO would fall under subparagraphs (b) and (c), the second and third criteria above. Article 39 sets out five minimum tasks that the DPO must perform:

  1. Inform and advise the controller or processor and the employees who carry out data processing about the applicable data protection provisions
  2. Monitor compliance with the GDPR, other data protection provisions, and the organization’s internal data protection policies, including training and auditing
  3. Advise on data protection impact assessments (DPIAs)
  4. Cooperate with the supervisory authority
  5. Serve as the main contact point for the supervisory authority

Partner and Vendor’s Shared Responsibility

A word of caution: in many cases, a business can be both data controller and data processor. However, because the GDPR makes the distinction, we’d like to consider the shared responsibility of both parties.

Companies that determine the purposes and means of processing personal data are controllers, regardless of whether they collect the data directly from the data subjects. For example, a recruiter (controller) collects candidates’ personal data when they apply for a job, but the recruiting technology (processor) stores, digitizes, and catalogs all of that information. These processors may be ATSs or full-suite recruiting software companies. Both organizations (controller and processor) are responsible for handling the personal data of these candidates.


*DISCLAIMER: This article is intended for informative purposes only. It does not constitute legal advice regarding the GDPR or any other matter, and may not be used or relied on for such purposes. You should seek the advice of competent legal counsel with respect to any particular fact pattern or issue.