Which laws must be complied with?
National and international laws must be observed in order to comply with data protection in recruitment. Accordingly, the Swiss Federal Act on Data Protection (FADP) applies to the processing of personal data of natural persons in Switzerland.
The General Data Protection Regulation (GDPR) has been in force in the EU since May 25, 2018. The law regulates the processing of personal data, but also the movement of data within the European Union. As most companies in Switzerland have interfaces with the EU, these companies may also be affected.
Data protection in recruitment - but how?
Below you will find an overview of the influence of the FADP based on the recruiting process.
1. Planning
Data protection obligations begin as early as the planning stage of the recruiting process.
State of the art
For example, data controllers are required to design the data processing technically and organizationally in such a way that the data protection regulations are complied with. These measures should correspond to the state of the art.
Data protection impact assessment
A data protection impact assessment should also be carried out in advance. This comes into play if the data processing could entail a high risk to the personality or fundamental rights of the data subjects. This is the case, for example, if candidates have to complete a personality analysis or submit a criminal record extract.
2. Application
Consider the following points when applications are submitted and received:
Duty to inform
The duty to inform should be observed at the application stage. This means that applicants must be informed that their data will be processed. The information provided includes, for example, the identity and contact details of the person responsible or the purpose of processing. The easiest way to comply with this obligation is via a privacy policy. The obligation to provide information applies regardless of whether the application is made by post, email, via a public job portal, your own website or applicant management software.
Data minimization or data economy
In addition, care must be taken to ensure that only the data that is necessary for the job to be filled is collected. This is referred to as data minimization or data economy. This principle applies in particular to the application form, which should only ask the applicant for the data that is really needed.
3. Processing
In order to comply with data protection in recruitment, the following principles play an important role during the processing of dossiers:
Data security
Data security must be guaranteed. Personal data must be protected against unauthorized processing and access by appropriate organizational and technical measures. Access and authorization concepts are important here. Access should also be restricted within the company to those persons who are responsible for the recruiting process or are involved in the decisions.
Directory requirement
Data controllers must keep a record of all data processing. However, the Federal Council has issued an exception in the Ordinance to the FADP for companies with fewer than 250 employees if neither particularly sensitive data is processed on a large scale nor high-risk profiling is carried out. Classic applicant data does not yet fall into this category. However, if medical information is obtained, such as for train drivers or pilots, then it does.
Right to information
Data subjects have the right to request information about the processed data. The revDSG contains an extended list of minimum information that must be provided. This includes, for example, the retention period of the data. The right to information is generally free of charge and must generally be provided within 30 days.
Profiling
Profiling has now been enshrined in law. It has a major impact on recruitment. Profiling covers the automated processing of personal data in order to evaluate certain personal aspects, particularly in relation to work performance, interests or behavior. In other words, personality analysis is the classic case. This is where the data protection impact assessment becomes mandatory.
4. Data retention
In the case of data protection in recruitment, Art. 6 para. 4 FADP applies to the retention of data, which states: “They [personal data] will be destroyed or anonymized as soon as they are no longer required for the purpose of processing.”
Anonymization or deletion: If the purpose of the processing no longer applies, the data may no longer be processed and therefore no longer stored. The law explicitly mentions that such data must be anonymized or deleted. However, the revDSG does not specify any specific retention periods for the data.
Do you want to recruit in compliance with data protection regulations? Dualoo can support you.
Conclusion
Data protection-compliant e-recruiting is essential in order to meet the legal requirements of the GDPR and the FADP. Companies must ensure transparency, data security and the rights of applicants. By taking data protection into account in recruitment, you can strengthen applicants’ trust and minimize legal risks.
You can also find all this information and more in the recording of the webinar “Data protection in recruiting”.
Questions & Answers: Data protection in recruitment
Why is data protection important in recruitment?
Data protection protects applicant data, strengthens trust and ensures compliance with legal requirements such as the FADP or GDPR. This minimizes legal risks and conveys a professional impression.
Who is allowed to view applicant data?
Only authorized persons such as HR officers and responsible managers may view applicant data. Access must be limited to the application process and regulated in accordance with data protection regulations.
Which applicant data may be stored?
Only data required for the application process, such as contact details, CV and qualifications, may be processed.
How long may applicant data be stored?
The data must be deleted after completion of the application process, unless consent has been obtained for longer storage.