
A GDPR Compliance Guide for HR Teams - victorkab
https://blog.truework.com/gdpr-compliance-guide-hr-teams/
======
weinzierl
The article is a bit shallow but this is an interesting topic.

The GDPR is in a sense modeled after the German Data Protection Act
(Bundesdatenschutzgesetz, BDSG) and in many respects very similar. So it might
be interesting how candidate data has been and is handled in Germany. The
following are my personal takeaways from when I did hiring for a small
business. I'm by no means an expert so take them with a grain of salt:

1. If you can outsource the hiring process, do it. It will save you a lot of
headaches.

2. Keep correspondence with applicants separate from your other business
correspondence. The reason is that data retention rules are very different for
both types of correspondence. As a rule of thumb: Ordinary business mail has
to be archived for at least 10 years in Germany.

3. You cannot keep applicant data at will. You need a reason. Valid reasons
are:

- the data is needed for the application process

- the applicant has given you consent to keep the data

At any point in time that you have the applicant data you need _one_ of those
reasons; you don't need both. At first you are covered because you need the
data to conduct the hiring process.

Consensus is that you can keep application data for a maximum of six months
after the application process has ended. The end of the application process is
determined in most cases by the date of the rejection letter.

The six months isn't arbitrary but determined by the maximum of various
periods for filing suit. If I remember correctly the anti-discrimination law
(Allgemeines Gleichbehandlungsgesetz, AGG) is the determining factor.

You can ask your candidate in the rejection letter for consent to keep their
data for a specified amount of time, and I've heard that some companies do
this. We decided against this because keeping track of the additional
deadlines for deletion would have been too complicated for little benefit.

Deletion of application data means erasure of all personally identifiable
information. This includes backups.

One last thing. The original post states the following question:

> Can you quickly and efficiently respond to an employee’s data subject rights
> request?

I think this is misguided. Yes, sure, you should be able to respond to this
request, but in practice it will never happen. As long as the candidate is in
the application process (plus 6 months) they will never ask for their data and
even if they did it would be easy to answer. After that you have no personally
identifiable information of the candidate and the answer is also easy.

