Expert Advice Community

Guest

Application of GDPR to emailed CVs

  Quote
Guest
Guest user Created:   Sep 21, 2021 Last commented:   Sep 30, 2021

Application of GDPR to emailed CVs

Good day,
I completed the online GDPR course last year but still have to do my exam. As the Office Manager of a biopharmaceutical company, I receive multiple CVs from jobseekers on a weekly basis. There is no ongoing or active recruitment process. These jobseekers just take a chance and send their CVs looking for a job. What is my obligation as the DPO of this company? What do I need to do with these CVs so that we remain compliant with GDPR? Any advice would be much appreciated.

0 0

Assign topic to the user

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Alessandra Nisticò Sep 23, 2021

First of all, you should discuss with your CEO and define the period of data retention according to the company's needs. If CVs received from spontaneous job seekers will not be considered by the HR department, you can delete all the files. If they assume that CVs still can be useful, you can determine a period of validity (I guess 6-9 months) in which the information in the CVs may be interesting, after one year CVs are pretty useless and old, so you should be able to delete it.

Here you can find more information about HR and GDPR:

Quote
0 0
Guest
Guest user Sep 23, 2021

Thank you for your response.  I am still a little confused.

If it is determined by the CEO that the CVs should be kept for 6 months, what do we need to do in those 6 months to remain compliant with GDPR?  Do we need explicit consent to keep them or is a notice on our website stating this sufficient or am I missing something here?  I have inserted my original question below for ease of reference.

Quote
0 0
Expert
Alessandra Nisticò Sep 30, 2021

During the retention period, you can store the unsolicited CV, you don't need explicit consent because the legal basis falls under the request of pre-contractual measures on request of the data subjects (Article 6 par. 1 lett. b) GDPR). You need to state in the privacy notice that personal data in CVs will be processed for the purpose of selecting candidates for a job application and that will be stored for 6 months. 

Here you can find the legal basis in EU GDPR

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Sep 21, 2021

Sep 30, 2021

Suggested Topics