E-Recruiting data protection compliant

From the obligation to provide information during the application, to secure data processing, to the anonymization of rejected dossiers, there are obligations under data protection law during the recruiting process.

Test 30 days free of charge and without obligation:

What laws must be observed?

The Swiss Federal Data Protection Act (DPA) was revised as of September 1, 2023 and applies to the editing of personal data of natural persons.

In the EU, the General Data Protection Regulation (GDPR) has been in force since May 25, 2018. The law regulates the processing of personal data, but also data traffic within the European Union. Since most companies in Switzerland have interfaces with the EU, these companies may also be affected.

GDPR in E-Recruiting

Influences on recruitment

The following is an overview of the impact of the Swiss DPA based on the recruiting process.


Data protection obligations begin as early as the planning stage of the recruiting process.

For example, data controllers are required to ensure that the technical and organizational layout of data processing is such that data protection regulations are complied with. These measures should correspond to the state of the art.

The data protection impact assessment should also be carried out in advance. This comes into play if the data processing may entail a high risk for the personality or the fundamental rights of the persons concerned. This is the case, for example, when candidates have to complete a personality analysis or submit a criminal record extract.


The following items should be considered in the application or application receipt:

When applying, the duty to provide information should be observed. This means that applicants must be informed that their data will be edited. This includes, for example, the identity and contact details of the person responsible or the purpose of processing. The easiest way to comply with this obligation is via a privacy policy. The duty to inform exists regardless of whether the application is made by mail, e-mail, via a public job portal, the company’s own website or an applicant tracking system.

In addition, care must be taken to ensure that only the data necessary for the job to be filled is collected. Here one speaks of Data minimization or economy. This principle has an impact on the application form, which should only ask the applicant for the data that is really needed.


During the editing of dossiers, the following principles play an important role:

The Data security must be guaranteed. Personal data must be protected against unauthorized editing and access by appropriate organizational and technical measures. Access and authorization concepts are important here. Access should also be restricted within the company to those persons who are responsible for the recruiting process or are involved in the decisions.

Data controllers must keep a directory of all data processing activities . However, the Federal Council has issued an exemption in the DPA ordinance for companies with fewer than 250 employees if neither particularly sensitive data is edited on a large scale nor profiling with increased risk is carried out. Classic applicant data does not yet fall into this category. However, when medical information is obtained, such as for locomotive engineers or pilots, it is.

The persons concerned have the right to obtain information about the edited data. The revDSG contains an extended list of minimum information that must be released. This includes, for example, the retention period of the data. The right to information is generally free of charge and must usually be provided within 30 days.

Newly anchored in the law was Profiling. It has a big impact on recruitment. This includes automated processing of personal data to evaluate certain personal aspects, in particular work performance, interests or behavior. In other words, the classic case of a personality analysis. This is where the data protection impact assessment becomes mandatory.

Data retention

For the storage of the data comes DSG Art. 6 para. 4, which states: “They [Pesonendaten] will be destroyed or anonymized as soon as they are no longer necessary for the purpose of processing.”

If the purpose of processing is no longer given, the data may no longer be edited and thus may no longer be stored. The law explicitly mentions that such data must be anonymized or deleted. However, the revDSG does not specify specific retention periods with regard to the data.

We have summarized all this information and some more in a video.

Data protection compliant recruiting with Dualoo

Whether it’s the duty to inform, automatic anonymization, role assignment or technical and organizational measures – Dualoo makes data protection compliant recruitment easier for you.

When evaluating an E-Recruiting software or applicant tracking system, check not only the functional requirements but also the legal as well as company-specific requirements.

Dualoo also fulfills the following additional important and data protection-relevant points:

  • Data storage in Switzerland (Swiss hosting) with ISO 27001 certification

  • Contract as commissioned data processor

  • DPA & GDPR compliant data protection policy and terms of use

  • Technical and Organizational Measures (TOM)

  • Access control (authorizations in the software)

  • End to end encryption

  • Security backups

Dualoo E-Recruiting is used at:

E-Recruiting data protection compliant? Test Dualoo 30 days free of charge and without obligation