
Updating your GDPR Privacy Notice

It’s hard to believe that it’s 7 years since the GDPR came into force on 1st May 2018. I’d hazard a guess that many of us haven’t given our privacy notices any thought since then and have just been wheeling them out.

Given that the world is moving at pace, you may need to update your recruitment candidate privacy notice to inform the candidate about any automated shortlisting software that you are using, or indeed that your recruitment agents are using on your behalf. The privacy notice would need to describe the software that you are using and what it does, and highlight to the candidate their right to have a human review the output.

You will recall that your privacy notice lists the ways in which personal data of an employee might be used. There is also likely to be a section where you describe what third parties might have access to data and the purposes for which they do so. This probably covers things like accountants, but you may not have covered off litigation. Clearly, if somebody is suing the organisation, then an individual’s personal data may be used, for example, in the disclosure documents for that case. This need not necessarily be the data subject themselves bringing the legal action, because they could be used as a comparator, for example, in an equal pay claim, or when showing consistency of treatment, for example in a disciplinary scenario.

Another legal use might be where a TUPE transfer is occurring or the organisation is, for example, undergoing a round of investment or a sale or merger process. Personal data might well be shared at some point with investors, potential buyers etc. At the initial stages of such processes, employee spreadsheets, for example, are normally anonymised, so there is nothing to worry about, but further down the due diligence process, questions might be asked which would reveal personal data when answered.

Anna Denton-Jones
Refreshing Law


Loss of an employee’s records — A data breach claim

An employee who worked for Tesco settled her data breach claim for £3,000. She had requested copies of the information that Tesco held on her, using the subject access request mechanism that you are probably familiar with. She had, during a period of over 15 years working for her employer, given them a significant amount of ‘sensitive personal data’ in the old data protection jargon, now called ‘special category data’. This included details about counselling she had received in relation to her mental health, details of post-natal depression and the management of those health conditions. Most employers will have this sort of ‘special category data’ even if they don’t collect other data like criminal records.

It appears that Tesco could not lay their hands on this information, presumably in a physical format, and there was a delay because the file had been lost at some point in the past, perhaps when there was a move of offices.

Tesco had written to her explaining that they had looked for her employment records but couldn’t find them. This then triggered her putting in her data breach claim, which would be to a Court and not an Employment Tribunal.

Tesco settled the case for £3,000 and it has been reported in the local press. The publicity surrounding these events is bound to give other employees ideas. It shows that the loss of data can be just as problematic as retaining historic data that you don’t really need and can’t justify retaining.

Anna Denton-Jones
Refreshing Law