I completed the online GDPR course last year but still have to do my exam. As the Office Manager of a biopharmaceutical company, I receive multiple CVs from jobseekers on a weekly basis. There is no ongoing or active recruitment process. These jobseekers just take a chance and send their CVs looking for a job. What is my obligation as the DPO of this company? What do I need to do with these CVs so that we remain compliant with GDPR? Any advice would be much appreciated.
First of all, you should discuss with your CEO and define the period of data retention according to the company's needs. If CVs received from spontaneous job seekers will not be considered by the HR department, you can delete all the files. If they assume that CVs can still be useful, you can determine a period of validity (I guess 6-9 months) in which the information in the CVs may be interesting. After one year, CVs are pretty useless and old, so you should be able to delete them.
Here you can find more information about HR and GDPR:
Thank you for your response. I am still a little confused.
If it is determined by the CEO that the CVs should be kept for 6 months, what do we need to do in those 6 months to remain compliant with GDPR? Do we need explicit consent to keep them or is a notice on our website stating this sufficient or am I missing something here? I have inserted my original question below for ease of reference.
During the retention period, you can store the unsolicited CVs; you don't need explicit consent because the legal basis falls under pre-contractual measures taken at the request of the data subjects (Article 6 par. 1 lett. b) GDPR). You need to state in the privacy notice that personal data in CVs will be processed for the purpose of selecting candidates for a job application and that they will be stored for 6 months.