The entry into force of the GDPR, the General Data Protection Regulation, has confused many companies and individuals. The rules established by the regulation regarding the collection and use of personal data are quite stringent and intimidating. Let’s see together how the GDPR applies to the sending and receiving of CVs, and how personal data can be processed under this Regulation.
What is meant by personal data?
When we talk about personal data we refer to the information that identifies a person and that can provide details about his characteristics, his habits, his lifestyle, his economic situation, etc. We can divide personal data into three macro-categories:
- Identification data: basic information that allows you to directly identify individuals, legal persons, entities or associations.
- Sensitive data: information that may reveal more private matters relating to the individual, including for example racial origin, religious beliefs, one’s sex life, etc;
- Legal data: information that may reveal the existence of judicial measures subject to registration in the criminal record and similar.
What must be included in the CV to comply with the law?
Before the entry into force, it was customary to add on every “formal” document in which they were present sensitive data, and therefore also on the curriculum vitae, the wording
“I authorize the processing of personal data pursuant to Legislative Decree 196/2003”
also in the form
“the undersigned authorizes the processing of data personal pursuant to Legislative Decree 196/2003 “.
In truth, however, even this wording was superfluous since the old Privacy Code, according to Legislative Decree 196/2003, in Article 24, paragraph 1 indicated, among the cases in which the processing could be carried out without consent, all those “data contained in the curricula in the cases referred to in Article 13, paragraph 5 bis” referring to the spontaneous transmission of the curricula carried out by the interested parties to be considered for an employment relationship.
The same decree in article 26, paragraph 3, lett. b-bis, provided that consent was not necessary even for any sensitive data contained in the CV.
In 2011, with law 70, things were further simplified with the specification relating to the possibility for the employer to I work to receive curricula without an explicit declaration of data processing consent, taking care to “provide the interested party, even orally, with brief information”.
The GDPR does not change this situation so that the formula that was usually used became officially superfluous in 2011 and continues to be superfluous and incorrect even today that the European Regulation is in force.
We reiterate: the candidate must not insert any wording at the bottom of his CV. Therefore, the request by a potential employer (but also a recruiter) to put it at the bottom is incorrect.
Employers, recruiters and GDPR
To whom it belongs. therefore the communication on the management of personal data of a candidate?
The employer must not request consent for the processing of personal data of candidates but must comply with a whole series of rules that are mandatory because they are established at the legislative level:
- The employer must provide information pursuant to art. 13 to the candidate, where to explain how and why the processing of his / her personal data takes place and which must be delivered or sent to the candidate based on the circumstances, but in any case before or at the same time as the start of the relationship, even if only in the first post-sending cognitive contact cv;
- In the event that the employer or a recruiter for the account publishes an advertisement to signal the opening of a position, it is necessary to allow candidates to view the information pursuant to art. 13 at the time of application. This also applies if there is a Work with Us section on the company website.
According to the GDPR, moreover, an employer can request the sending of a “private CV of sensitive data identified in EU Regulation 2016/679 (General Data Protection Regulation – GDPR)” “Taking advantage of the fact that receiving one with authorization is formally incorrect as the processing of sensitive data according to Article 9 of the GDPR cannot be carried out on the basis of pre-contractual measures (Article 6, paragraph 1, letter b).
To insert the authorization to process personal data on the CV or not?
Given that it is not absolutely necessary to do so, it is superfluous and very often also incorrect (when you send a spontaneous application, and you do not have information on how the company processes the personal data with which it comes into contact), is it advisable or not to insert the authorization to process personal data on the CV?
Provided that the document is not affected, inserting the wording on the curriculum does not compromise its effectiveness but at the same time being completely superfluous, each candidate can freely choose to insert it or not.
If you decide to insert it, opt for one of these three formulas and insert it at the bottom of the CV, to avoid affecting its use:
- I authorize the processing of personal data present in the CV pursuant to Legislative Decree .Lgs. 101/2018 and of the GDPR (EU Regulation 2016/679).
- I authorize the processing of personal data contained in my curriculum vitae based on art. 13 GDPR 679/16.
- I authorize the processing of my personal data pursuant to Legislative Decree 101/2018 and art. 13 GDPR (EU Regulation 2016/679) for the purposes of personnel research and selection.
In summary
The question of personal data and CV may seem complex but in reality, it is not and can be summarized in two essential points:
- The company must have ready information drafted pursuant to articles 13 and 14 of the GDPR to be provided to the candidate at the first useful contact or at the same time as the application. The company can never request the presence of the disclaimer with the authorization on the candidate’s CV;
- On the other hand, when you are applying for a job position, it may happen that you receive the information at a later time, together with the application or even that it is explicit that the CVs must not contain any authorization to process data. In all cases, the famous words “I authorize the processing of my personal and sensitive data” must never be present on your CV as a candidate.