GDPR titbits series: We are all controllers

Human resources

A perspective on Human Resources for GDPR.

I’m usually biased towards providing GDPR input targeted at software companies, however I recently came across some questions which are relevant for every company, and more specifically for the Human Resources department (HR). Below is a subset of the data that the majority of companies will hold on their employees. In this regard, every company is the controller of that data.


  • CVs for recruitment purposes
  • Interview reports
  • Criminal checks prior to hiring employees
  • Performance Review reports
  • Sick leave certificates / medical certificates
  • Access badges
  • Emergency contact information
  • Copies of certifications/qualifications

So how are each of these handled with regards to GDPR?


CVs for recruitment purposes

When a post/vacancy is opened, for how long do you require the CVs you receive? One would presume that once the vacancy has been closed there is no imminent reason for those CVs to be kept, but what if the post has a high turnover rate and you want to keep some of the promising CVs in case the post is opened again in the near future?

In today’s job market, needs and requirements change quickly. A candidate who was interested 6 months ago is unlikely to still be interested in the same post, and in addition the situation and details of that candidate might have changed.

Here are some GDPR considerations that one would need to weigh when keeping CVs.

  • Data accuracy
  • Retaining data for longer than you need it
  • Securing that data and access to it.


The ideal situation would be to discard the CVs as soon as the post is closed. If not, determine the absolute minimum amount of time that these CVs could be useful for, and make sure to declare that as your retention period at the start of the application, whether on paper or online. Any CVs of candidates that are clearly not useful for any foreseen future posts should be discarded immediately.

Interview Reports

You interview a candidate and probably a short report is drawn up on the outcome of the interview. Once again, for how long is this data useful? Do you have any legitimate grounds for keeping these once the vacancy has been closed?

Some companies keep these reports and review them when a candidate re-applies after a while, to see whether it’s worth their time interviewing the person again or not. However, once again, could the data be inaccurate? Could the candidate’s situation have changed? Consider that by doing this, although you’d be making the process more efficient, you could be creating bias and discriminating, entering into another host of problems.


Discard all the interview reports as soon as the vacancy is closed. If a report is required to justify the hiring decision at some point, create one generic report at the end of the hiring process which aggregates the data and information and leaves out any personal information. To further explain, the report would be abstracted as in the example below.

For the post of receptionist, 20 candidates were interviewed between January 2nd 2018 and January 20th 2018. 4 candidates were shortlisted based on the following skill sets <list skill sets> and criteria <list criteria>.

  • Candidate 1: Was an excellent candidate with all required skill sets but the asking salary was not within our budget.
  • Candidate 2: Did not demonstrate practical knowledge when presented with scenarios.
  • Candidate 3: Fulfilled all requirements, however their starting date was further away than the business could afford to wait.
  • Candidate 4: Fulfilled all requirements, within budget for salary and could start within the 2 week period as required by the business. A job offer was made and was accepted by the candidate.


The report would mention all the factors that were taken into consideration, leaving out any form of personal information. An additional benefit is that it is much easier to remain impartial and unbiased when the information is presented that way, ensuring that the logic has a better chance of prevailing, whilst also remaining GDPR compliant.


Criminal Checks prior to hiring employees

A number of industries are required to ask for a police conduct certificate prior to employing any candidate. A number of companies also do this as best practice. There is nothing inherently wrong with this; it is what happens with the document provided that needs to be taken into consideration.


Trust your HR department. In the above mentioned interview report simply state whether the criminal background check was passed successfully or not. Once done, destroy the documents by shredding them, preferably using a cross-cut shredder. In any case, even if a person has a squeaky clean criminal record issued today, no one can say that the person cannot commit a crime tomorrow. This is also why police departments generally state that criminal records expire on the same day they are issued, as their validity cannot be ensured the next day.


Performance Review Reports

This is where the situation changes. We are now talking about an employee. Performance review reports are used (hence processed) for a number of things, such as salary increases, performance bonuses and grounds for termination. It’s a whole other ball game, and it’s a fine balancing act to both protect the company and be GDPR compliant.



Check the employment law within your country, it probably already states a retention period.

Determine what the performance reports are used for, e.g. to determine salary increases, promotions etc… and declare these in the related policy or process as your grounds for processing.

Make sure the policy or process is available to all employees.

If no retention period is mandated by law, there should be a period determined within the law stating how long after termination of employment an employee can sue for wrongful termination. In case of termination by the company, keep these records for this period. In case of resignation by the employee, you know what to do: delete or redact these records.

If you are required by law to keep them, redact them by replacing the employee name and surname with the employee reference number, so that even if these records are accessed by mistake by people without sufficient clearance, the data is still safe.
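The retention and redaction rules for performance reviews above, expressed as an added Python example (not code from the original post). The record layout, the sample review, the reference-number format and the limitation/statutory periods passed in are assumptions; the legally defined periods must come from your own jurisdiction's employment law.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional
import re

# Constructed sample record; the name, reference number and dates are made up.
@dataclass(frozen=True)
class PerformanceReview:
    employee_ref: str   # internal reference number, the pseudonym kept on redaction
    employee_name: str  # direct identifier, replaced on redaction
    review_date: date
    rating: int
    notes: str

def redact(review: PerformanceReview) -> PerformanceReview:
    """Replace name and surname with the reference number, including mentions in free text."""
    pattern = re.compile(re.escape(review.employee_name), re.IGNORECASE)
    return replace(review, employee_name=review.employee_ref,
                   notes=pattern.sub(review.employee_ref, review.notes))

def retention_action(left_on: date, reason: str, today: date,
                     limitation_days: int, statutory_days: Optional[int] = None) -> str:
    """Return 'delete', 'keep' or 'redact' for a former employee's review.

    limitation_days: how long after leaving an employee can sue for wrongful
    termination (from national employment law; assumed supplied by the caller).
    statutory_days: a retention period mandated by law, if any.
    """
    if statutory_days is not None:      # law mandates retention: keep, but redacted
        return "redact" if today <= left_on + timedelta(days=statutory_days) else "delete"
    if reason == "resignation":         # nothing to defend against: remove the record
        return "delete"
    if reason == "termination":         # keep until the limitation period has run out
        return "keep" if today <= left_on + timedelta(days=limitation_days) else "delete"
    raise ValueError(f"unknown leaving reason: {reason}")

def apply_policy(review: PerformanceReview, left_on: date, reason: str, today: date,
                 limitation_days: int, statutory_days: Optional[int] = None):
    """Apply the decision to one record; None means the record was deleted."""
    action = retention_action(left_on, reason, today, limitation_days, statutory_days)
    if action == "delete":
        return None
    return redact(review) if action == "redact" else review

# Constructed sample input used for the checks below.
SAMPLE = PerformanceReview("EMP-0042", "Jane Doe", date(2018, 6, 1), 4,
                           "Jane Doe exceeded targets; jane doe mentors two juniors.")
```

The mapping from reference number back to the person must live in a separately secured HR system, otherwise the redaction is only cosmetic.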


Sick Leave and Medical Certificates

Once again check the employment law and do not keep these any longer than necessary. In some countries you might need to refer to financial or taxation laws to get this information as these records might be requested by authorities for social security or taxation purposes.


Any records of medical conditions you’re keeping for the purpose of health and safety should be immediately deleted once the employee has resigned or is terminated.


Access Badges/ Biometric data for access

This is an interesting one. Access badges come in many forms, with a picture, without a picture, or as a biometric fingerprint. How does GDPR come into play?

On one hand we’re dealing with possibly biometric data or a photo, which is considered highly sensitive. On the other, these mechanisms form part of the organization’s overall security. So how do we tackle this?

  1. Declare the use of such data in the employment contract.
  2. Upon termination or resignation delete promptly.
  3. Do not use this data for anything other than access control. As a company you have legitimate grounds and concerns revolving around security, however under no circumstances can this data be used for anything other than that.
  4. Ensure that the data is stored securely.
  5. Ensure that the only people with access to this data are those who really need it to perform their duties and that these are kept to the minimum.
  6. Try to keep the systems where such data is stored as separate as possible, with little to no integrations.


Other items to consider:

  • Where are the access cards printed? Is the printer in a secure location, or is it easy to forget to pick up a newly printed card and for someone else to find it?
  • Do you get these cards printed by a 3rd party? If so conduct due diligence and review your contracts with the 3rd party to ensure they are also GDPR compliant.
  • Are the cards transported/delivered anywhere at any point in time to get to the employee? What are the delivery mechanisms? Think about how to best protect the card from getting lost or stolen whilst in transit.
  • What’s the process if the card is lost before it’s delivered to the employee (it’s a data breach)?
  • Can the process be made more efficient by having fewer people involved? Can the delivery be avoided, perhaps by investing in a printer at every office location?

Emergency contact information

Most organizations will require their employees to provide them with emergency contact details. The purpose and grounds for processing in this case is to know who to contact in case the employee is injured at work.

These can be deleted as soon as the employee exits the building permanently. In addition, whilst the employee is still employed, for the purpose of data accuracy, employees are to be periodically asked whether there have been any changes to their emergency contact information.


Copies of certifications/qualifications

Beyond the interview, do you really need to see them? Trust your HR department. The HR department can request to see the originals and even take note of the certifications an employee holds, for example: Mr. John Smith, CIPP/E certified. However, what real use does keeping copies of the actual certificates have? Is it worth increasing the risk of a data breach?


I believe I’ve rambled on more than I should have for one post. If you’re curious or interested in knowing how to treat other kinds of documents an HR department might have, feel free to leave a comment; there’s always space for an extra paragraph or two.


Would you like to be notified when new posts come out? Drop us a note via the contact us section and we’ll add you to our mailing list.