GDPR is about managing data responsibly. So, before we look at key areas such as CV databases and the application process, it’s important to understand some of the key definitions in GDPR and then examine the obligations of NIJobs.com and the Recruiter under the new legislation.
Key Definitions in GDPR
Joint Data Controllers
Under GDPR legislation NIJobs.com and the Recruiter are Joint Data Controllers.
A data controller controls and is responsible for the safekeeping and use of personal information on computer or in structured manual files. As we are Joint Data Controllers, the need to have a Data Processing agreement is removed.
The Recruiter becomes a Data Controller when you receive an application from a job seeker through NIJobs.com or when you download a CV from our CV Database.
Retention
Retention refers to how long it is reasonable for you to hold on to a CV from a jobseeker, whether it came from an application for a specific job or was downloaded from our CV database.
Consent
Consent must be freely given, specific, informed and unambiguous. When you receive an application from NIJobs.com or download a CV from our database, you can be sure we have permission from the candidate to do so.
However, if you then decide to keep that data for an extended period then you must seek the candidate’s consent to do that. Once you download a person’s CV you are starting your own data relationship with them.
Deletion, Right to be forgotten & Portability
The new legislation gives job seekers a right to delete their information and history and to see the information we hold about them and to take that information with them.
When a jobseeker registers on NIJobs.com we are the Data Controller.
We will remain the Data Controller for their profile and account information so long as they are a registered job seeker on the site. We have all the necessary consent and security protocols in place to keep this data safe. Job seekers have a right to ask for all the information we hold about them, for it to be deleted, and to be able to take the data away with them.
When the job seeker applies for a job they give consent as soon as they hit the apply button. They are giving consent to pass their application to the recruiter for a specific role only. We store a copy of the application in our back office which makes us joint Data Controllers with you.
You can only use the application for the job it relates to and you can only hold on to the applications if it’s reasonable for the lifetime of the particular job you are hiring for.
We have taken a viewpoint that 18 months is a reasonable period of time to retain an application. 18 months after the job posting has expired we will automatically delete applications associated with that job from our back office.
A job seeker who registers with NIJobs.com can upload their CV to our CV database and make their CV searchable to the recruiters who advertise on NIJobs.com. We control that database; therefore, we are the Data Controller.
However, as soon as the Recruiter uses their account to view or download a CV, and access the jobseeker’s personal details, then they become a Data Controller too.
As with job applications, a CV can only be used in relation to a specific job. Therefore, CVs cannot be downloaded to simply be added to a talent pool. If you want to do that then you must get the consent of the job seeker.
We are the Data Controller of the CV database. If a job seeker asks us to erase their data, we will do that. If you have downloaded or viewed their CV in the previous 18 months, then we will endeavour to inform you of their request to be erased. It is then your responsibility to ensure that you erase their data too.
If you would like to learn more then you can read our updated Privacy Policy.
Please be aware, while NIJobs.com is doing everything we can to assist our customers, we are not a law firm and highly recommend you seek legal advice to ensure your businesses are compliant with GDPR.
You can find out more about GDPR legislation from the Information Commissioner’s Office here.