The Article 29 Data Protection Working Party (comprising representatives from the data protection regulators in each EU Member State, the European Data Protection Supervisor and the European Commission) has issued an opinion on data processing at work (2/2017) (the Opinion). The Opinion is not legally binding but it does provide an indication as to how EU data protection regulators will consider and interpret EU data protection law. The new EU data protection law (the General Data Protection Regulation – or the GDPR) comes into force on 25 May 2018 and will impose significant fines on non-compliant organizations (up to 4% of annual worldwide turnover or €20 million, whichever is higher) in addition to giving individuals more rights with regard to their personal data. The GDPR does not only apply to EU companies, but can also apply to non-EU based organizations processing EU citizens’ personal data.
The Opinion notes that in light of the increasing amount of personal data that is being processed in the context of an employment relationship, the balance between the legitimate interests of the employer and the privacy rights of the employee becomes ever more important. It provides guidance on a number of specific scenarios including the use of social media during recruitment. Nowadays, employers may be tempted to view job applicants’ social media profiles as part of the recruitments process. However, according to the Opinion, employers may only use social media to find out information about a job applicant where: (a) they have a “legal ground” for doing so; (b) doing so is necessary and relevant for the performance of the position being applied for; (c) the applicant has been informed that their social media profiles will be reviewed; and (d) the employer complies with all of the data protection principles set out in the law.
What steps should your organization take if it wishes to review social media profiles as part of the recruitment process while also complying with the Opinion and EU data protection law?
- If you are reviewing social media profiles you will be processing personal data in relation to an individual who is not yet an employee. Question whether it is absolutely necessary to do so. Aside from the employment risks (e.g. potential discrimination), businesses need to be aware of their obligations under the GDPR and the guidance provided in the Opinion.
- Do not automatically assume that you are permitted to review an applicant’s social media profile during the recruitment process, even if that profile is publicly available.
- Ensure that you have a legal ground for processing personal data as set out in the law. In the case of using personal data obtained from an applicant’s social media profile, it may be that the legal ground of “legitimate business interests” could be relied on but this will require a balancing exercise and documentation to demonstrate fairness and transparency.
- Part of that transparency is ensuring that individuals are made aware that their social media profiles will be reviewed in the recruitment process (e.g. in the job advertisement, via a pop up on the career page, in the privacy notice available via the job application site or via an email once the job applicant has applied for the role).
- Only review social media accounts if it is necessary and relevant for the job role e.g. in order to be able to assess specific risks regarding certain applicants for a precise role.
- Consider whether the social media account is used for business or private purposes. It will more likely not be legitimate to review an applicant’s Facebook profile (regardless of whether it is public or not), but reviewing a LinkedIn profile will likely be legitimate.
- Do not require applicants to “friend” or connect with you, or demand their password for their account in order that you can access their profile.
- Enlist the support of your data protection officer, if applicable, to provide training to HR/recruitment, oversee monitoring activities and set up an infrastructure to notify applicants.
- If you use third party recruiters and/or background checking agencies, ensure that they are aware of when they can and cannot view social media profiles and which social media they can review for each individual job role. They should not be undertaking a blanket search on all social media platforms for all applicants.
As tempting as it is to obtain as much information as possible about applicants (including from their social media presence, or lack of it) be mindful of these potential risks, follow the guidance in the Opinion and be compliant with your business’ obligations under the law.