Gdpr Resume OR

Gdpr Resume OR

Gdpr Resume


Your resume and cover letter should also include your understanding of the implications of the GDPR for recruitment. In particular, you should focus on how your background or experience could give you a unique insight into the organisation you’re applying to and the skills you’ll be able to offer.



In answer to your questions, always get potential clients to sign a contract which covers the GDPR personal data processing requirements at a minimum, prior to giving them a copy of a consultant resume to retain. If you were sat in a meeting with them it is much simpler to record in your logs that the client had sight of the resume but was not left a copy of it in any format, than it is to keep track of which clients have a copy of which data and chasing up to ensure it is erased/destroyed when appropriate.

To ensure clients treat the resumes as confidential, make sure they are labelled in the header and footer as confidential. They could also be kept in an envelope clearly marked confidential. There could also be a footnote in small print that informs anyone with a copy, who the data controller is, and that processing is strictly subject to the terms of the 'client contract' or whatever you call it, and that it should be returned or shredded within X days of receipt for example. If you have a computer system generate these it could even specify the client's name and the specific date it should be shredded by. Your notice could include a reminder that the personal data is protected under the E.U. General Data Protection Regulation (GDPR) 2016 and that (client name) as a data processor could be held liable in the event of unauthorised disclosure or processing, if they act outside or contrary to lawful instructions of the data controller. (Source: law.stackexchange.com)



Candidates or “data subjects.” Candidates are the data subjects because they can be identified through personal data they give to companies. For example, their resumes may include their names, physical addresses or phone numbers. The GDPR exists to protect this kind of data. Members of hiring teams are also considered data subjects under GDPR, but their own data will not be processed in the same extent that candidate data will.

Applicant Tracking Systems (ATS) and other recruitment software/services or “data processors.” Your ATS is a data processor because it processes candidate data on behalf of your company following your company’s instructions. Data processors often have “sub-processors” (e.g. Workable uses a cloud platform to deploy its system.) (Source: resources.workable.com)

Privacy Policy

Your company must have a transparent privacy policy in place explaining how it collects, processes and protects data and giving instructions to data subjects on how to ask your company to delete and rectify their data. In addition to this privacy policy, your company may find it useful to have a privacy notice for recruitment. This note will address candidates directly and should include all information required by GDPR Article 13 and Article 14 as well as a recount of your company’s actions to ensure data protection:

We process this data for recruitment purposes only. We found this data on [Linkedin] when looking to fill an open position at our company. We are storing this data in our Applicant Tracking System, [which stores data in the U.S and is fully compliant with EU data protection laws], and we will not share it with anyone else. (Source: resources.workable.com)

Related Articles