Ensuring minimization at data collection
Article 5.1.c of the GDPR establishes the principle according to which “personal data shall be […] adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
The principle of minimization during data collection requires that data controllers only collect the data that is strictly necessary for the purpose of the processing activity. Regarding recruitment, this principle is also established in the French Labor Code, which stipulates that “information requested, in any form whatsoever, from a job applicant must have the sole purpose of assessing their capacity to perform the job offered, or their professional skills. The information must be directly connected to, and required for, the job offered, or be necessary to evaluate professional skills.” In practice this means that applicants can only be asked for information needed to evaluate their capacity to fill the job offered. Within these terms you can ask applicants for the following information:
- Their qualifications, e.g. diplomas
- Their past experience, e.g. position most recently held
- Their skills
When necessary relative to the job offered, additional information may also be collected. For example, if a job requires frequent travel, a recruiter can ask if the applicant has a driver’s license.
It is therefore crucial to avoid any questions that extend beyond the professional realm. This excludes questions involving an applicant’s private life, for example their marital status, current number of children, or plans to have children.
 Art. L1221-6 of the French Labor Code
Setting a limited retention time
Recruiters can keep the personal data of applicants not hired for a job. This is because another position may need to be filled at a later time.
However, the time limit for keeping the data is two years.
Furthermore, to ensure process compliance, the data controller must ensure two points:
- The applicant must be able to withdraw their consent at any time: in the email informing them that their data will be kept, they must be informed that they have the option to withdraw their consent.
- If the applicant does not ask that their data be deleted, a process must be implemented to automatically delete the data after two years.
Naturally, to ensure your compliance with the GDPR, you can use a shorter retention period, for example 18 months.
Choosing an appropriate legal basis
All processing of personal data must be based, according to article 6 of the GDPR, on one or more legal bases: it is important to choose a legal basis that corresponds to the purpose for which you are collecting the data.
If the purpose of a processing activity is to recruit applicants, the data controller can choose from among the following legal bases:
- Legitimate interest, which can justify the creation of a resume bank. This legal basis is grounded in the data controller’s need for a resume database that they can draw on whenever a new recruitment is required
- Performance of a measure prior to entering into a contract: This legal basis generally concerns processing relative to applicant follow-up, and to the formalization of an employment contract once the applicant has been formally chosen
- Legal obligation: This legal basis can be justified, for example, by a recruiter’s obligation to check the residence permit of a foreign recruit
Ensuring that applicants are informed
A recruiter’s obligation to inform ensures that applicants can know the reason for which their personal information is being collected (e.g. evaluation of professional skills), understand how their data will be used, and ensure that they have control over their data by facilitating data subject requests.
Recruiters must therefore inform applicants if they are processing their personal data, regardless of how the data was collected.
The methods for informing them depend on how the data was collected:
- Directly from an applicant who sends them their resume when applying for a job offer
- Indirectly, for example via professional social media
The following information must be given to applicants:
- Identity and details of the data processor
- Purpose of the processing
- Legal basis of the processing
- Recipient(s) of the information collected
- Data retention time
- Existence of transfers to third-party countries, if applicable
- Existence and conditions for applicable data subject requests
In addition to this information, if the applicant’s personal data was collected indirectly, the recruiter must also inform the applicant of:
- The categories of personal data collected
- The source of the data
 Article 13 of GDPR