GDPR and reference checking: What to consider and the benefits of a digital workflow

Compliance Emelie Dahl


The General Data Protection Regulation (GDPR) imposes stricter requirements on procedures and processes for the secure handling of personal data. As a recruiter, what are your obligations when conducting reference checks under GDPR in Sweden? And how can digital reference checking simplify the process? We sought the expertise of Fredrik Roos, partner at law firm Setterwalls, to answer some of these questions.


Fredrik Roos has been advising companies on technology, intellectual property, commercial contracts and data protection since 2003. He has extensive experience in dealing with regulatory issues related to personal data, and is currently leading several major GDPR projects for both Swedish and international clients. So there's no one better to answer our questions about GDPR and reference checks.

Does GDPR always apply to reference checks?

- Yes. If reference checks are conducted professionally, with documented answers, GDPR always applies. This is true whether reference checks are conducted digitally, or if you conduct them over the phone and save notes on your computer or in another searchable record, explains Fredrik.

What obligations do you have as a recruiter?

1. Make sure you have a legal basis

- First and foremost, you need a legal basis for processing personal data. Collecting personal data during a reference check can often be done on the basis of 'legitimate interest'. This requires that you work for a company, not a government agency, and that the processing of personal data is necessary and proportionate to the purpose. Collecting and processing personal data is critical to a successful recruitment process, and in most cases you will have support for legitimate interest because your interest outweighs the candidate's interest in privacy. Legitimate interest is the legal basis for both the processing of reference contact details and the assessment of the candidate.

When using legitimate interest, certain conditions must be met. You must clearly explain why your interest as the data controller outweighs the candidate's interest and document your reasoning and assessment, as described by Fredrik. You should also consider whether the recruitment process could be conducted in a less privacy-sensitive manner and whether the data processing is consistent with what a candidate would typically expect.

However, if you work for a government agency, the usual legal basis for processing personal data in recruitment is 'public interest', as government agencies are not allowed to use legitimate interest when processing personal data.

If you're using public interest as a legal basis, it's important to make sure that the public interest is well-founded in:

  • law or other legislation,
  • collective agreements, or
  • decisions based on the law or other legislation.

There may also be specific record-keeping rules that complement the GDPR and apply to the specific government agency you work for, which may affect how personal data can be processed in your workplace.

2. When do you need consent for reference checks?

- In most cases, a legal basis other than consent should be used for reference checks, especially when they are carried out by government agencies. However, it is permissible to obtain a candidate's consent before conducting a reference check as a general data protection measure. It's important to note that this is not the same as using consent as a legal basis, explains Fredrik.

If you want to keep data for longer than is necessary for the recruitment process, for example if a candidate may be contacted in the future, you can use consent as a legal basis. In this case, be careful how you ask for the candidate's consent, as only fully voluntary consent is valid. Make sure you also comply with the other requirements for using consent as a legal basis, such as providing the candidate with written information, including:

  • Identifying the entity (company/agency) requesting the consent
  • Specifying the personal data you intend to process
  • Specifying the duration of the data processing
  • Explaining the purposes for collecting and processing the data
  • Stating that the individual's consent is the legal basis for the processing
  • Stating that the individual may withdraw his or her consent, and
  • Indicating how long you intend to keep the personal data

Only then can the individual give consent, for example by ticking a box.

How can Refapp help? If you want to ask for consent in your digital reference checks, we can help you to request it from both the candidate and the reference through our system.

3. Inform the candidate and the reference

- When conducting reference checks, you are required to inform the candidate or reference about how you will process their personal data, including the legal basis you will use and with whom you will share the data.

Don't forget to tell them how long you intend to keep the personal data. Normally, you can only keep the data for as long as is necessary for the recruitment process, but other legislation or data retention requirements of public authorities may affect the permissible retention period.

It is advisable to inform the candidate and the reference in writing when you collect their data. Therefore, make sure you mention reference checks in your privacy policy and refer to it, explains Fredrik.

How can Refapp help? With Refapp, you can request the reference's contact information from the candidate through our system. This automatically provides the candidate with information about your data processing. The same applies to the reference when they complete the digital reference check. You don't need to send separate information as both the candidate and the references have access to it. Together with Fredrik, we have also prepared a template for an information text that our clients can use in their privacy policy to describe the data processing when using Refapp.

4. Delete sensitive personal data

- If you receive data during reference checks that is offensive or sensitive, you must delete the data immediately. In most cases, it is not allowed to process sensitive personal data in recruitment. Examples of sensitive personal data include information about ethnic origin, health, political opinions and sexual orientation, as Fredrik explains.

A recruitment process can be sensitive in general, and you may come across information about candidates that is of a more sensitive nature, for example information about personal circumstances, even if it doesn't fall under the definition of sensitive personal data in the GDPR. You are not prohibited from processing this data, but be aware that this type of information may affect the requirements placed on you as a data controller. If you are subject to the principle of public access to information, you may be required to disclose this data. Therefore, it's important to ensure that the data is stored correctly and professionally.

Make sure that contact information and assessments are organised in a way that makes this process easy if it becomes necessary, concludes Fredrik.

How can Refapp help? If you receive sensitive reviews about a candidate, you can easily go into the digital reference report in Refapp and delete them immediately.

5. Consider what data you need for the recruitment

In the context of recruitment, it is only permitted to process personal data that is necessary to assess whether someone is a suitable candidate for the intended position, which is the purpose of the processing. If there are legitimate reasons to process more extensive or sensitive personal data about candidates than is usually processed when filling a specific position, it may still be allowed to do so.

It is also important to follow the principle of data minimisation when conducting reference checks. You should not collect more personal data than is necessary for your purpose of recruiting a suitable candidate for the position.

What rights do the candidate and the reference have?

- In addition to the right to be informed about data processing, candidates and referees also have the right to access their data and ask you to correct it. If you work for a government agency, the data you obtain through reference checks may be subject to the principle of public access to information and you may be required to disclose data relating to candidates. It's therefore important to ensure that the data is stored correctly and professionally.

Make sure that you have contact information and assessments stored in a way that makes this process easy for you if it becomes necessary, Fredrik concludes.

How can Refapp help? Since all the personal data you collect about candidates and references is stored in Refapp, it's easy to provide this data if your company or agency is asked to do so. In addition, the data is encrypted and deleted after a certain period of time.

Hopefully, this article has answered a few of your questions about how to make your reference checks GDPR-compliant. If you would like more information on how Refapp and digital reference checking can help you, please get in touch.