Guidelines for AmazingHiring Partners and Customers

Introduction

It is less than a week before GDPR comes into effect. GDPR aims to protect individuals when their personal data is being processed.


In this regard, Amazing Hiring would like to provide its customers and partners with a guide to being GDPR-ready by 25th of May 2018.

What is GDPR?

The General Data Protection Regulation (“GDPR”) is the new EU regulation that describes how organizations must collect, store and protect personal data. The law applies to every company that wishes to process the personal data of European data subjects. GDPR governs any processing of personal data carried out by companies.


Even if your company has well-defined recruitment processes which include proper handling of applicant data, these processes must be designed to conform to the new data protection rules.


The GDPR emphasizes six important data protection principles (Article 5 of the GDPR), according to which personal data must be:

  1. processed lawfully, fairly and in a transparent manner;
  2. collected for specified, explicit and legitimate purposes;
  3. adequate, relevant and limited to what is necessary in relation to the processing purposes;
  4. accurate and kept up to date;
  5. kept for no longer than is necessary;
  6. protected in a manner that ensures appropriate security.

What is personal data?

The term personal data encompasses all kinds of information that directly or indirectly relate to an identifiable natural person. Examples of personal data include: name, address, social security number, online identifier, location, phone number, e-mail address, photographs and even IP address.

Can I process data for hiring purposes?

Any processing of personal data must be carried out in strict adherence to the principles of processing (Article 5 of the GDPR).

Lawfulness. One such principle is lawful processing, which means that any processing must be carried out only with a valid legal basis. Having a lawful basis for each processing activity is critical to an organization’s ability to comply with EU data protection law.


Processing of personal data is lawful if at least one of the following applies:

  1. Consent - the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. Contract - processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
  3. Legal obligation - processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. Vital interest - processing is necessary to protect the vital interests of the data subject or of another natural person;
  5. Public interest - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. Legitimate interest - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

What legal basis should I use for recruitment?

When you look for a suitable candidate in public resources, or authorize your trusted sourcing partners, such as Amazing Hiring, to source on your behalf, your legitimate interest is the legal basis you should rely upon. However, an essential part of the concept of legitimate interest is the requirement to carry out the balancing test, which weighs the interests of your company against the fundamental rights and freedoms of the candidate with respect to their personal data.

What to consider for the balancing test?

The balance test must be a written document in which you define the legitimate interest of your company with regard to your processing activity and balance that interest against the rights and freedoms of the individual.


The balance test should include:

  1. A detailed description of your legitimate interest;
  2. The established necessity of the processing that corresponds to your legitimate interest;
  3. The balance of interests, in which you determine to what extent pursuit of your legitimate interest may have an impact on a person’s rights.


Although it is virtually impossible to avoid processing personal data in the recruitment process, and there is no valid legal ground to rely upon other than legitimate interest when you are sourcing candidates online, please carefully consider the rights and freedoms of each individual, so that you are able to handle an individual’s objection to processing and requests to exercise other rights, such as rectification, the right of access and the right to be forgotten.

How to approach candidates?

If personal data is obtained from a public source or from Amazing Hiring, i.e. not directly from the candidate, you should provide the candidate with the following information when you contact them:

  1. name of your company and your contact details;
  2. contact details of your data protection officer, where applicable;
  3. purpose of the processing;
  4. legal basis for processing (if the processing is based on the legitimate interest, you must inform candidates about such legitimate interest);
  5. categories of personal data processed;
  6. recipients or categories of recipients of the personal data, if any;
  7. any transfers of the personal data to a third country and the legal basis for the transfer;
  8. the period for which the personal data will be stored, or the criteria that determine that period;
  9. information about the data subject’s rights with respect to their data;
  10. right to complain to a supervisory authority;
  11. from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
  12. if your company is going to use the personal data for automated decision making or profiling, you must explain how it is going to be performed and the possible consequences for the individual.