The Information Commissioner (Slovenian National Supervisory Body for Personal Data Protection, hereinafter: Slovenian DPA) received your e-mail regarding job postings that require, besides resume and cover letter, also copies of diplomas, certificates and qualifications. You do not understand why this is necessary in the first stage of the process and you would like to know how these employers dispose of the documents from the candidates that were not selected to go further for an interview.
As requested, please find below answers to your questions:
In accordance with Article 6 of Regulation (EU) 2016/679 of the European parliament and of the Council (General Data Protection Regulation, hereinafter: GDPR) processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Pursuant to Article 29 of the Employment relationships act (slo. Zakon o delovnih razmerjih, Official Gazette, no. 21/13, 78/13 – corr., 47/15 – ZZSDT, 33/16 – PZ-F, 52/16, 15/17 – dec. US and 22/19 – ZPosS) the employer may demand the job seeker to submit documents proving the fulfilment of the job requirements. Accordingly, if the documentation you are referring to actually proves that you as a candidate meet the specific job requirements, then the processing of aforementioned personal data most probably is in accordance with the GDPR. Afterwards an employer can decide whether he or she wants to invite a certain candidate for an interview. However, the employer may not demand the candidate to provide information on family and/or marital status, pregnancy, family planning or other information, unless these are directly related to the employment relationship (Article 28(2) of the Employment relationships act). Slovenian DPA suggests that in cases when employers request personal data that are not needed for a position that job seeker is applying to, he or she should consult with the employer regarding the legal basis for such processing or simply refuse to provide the data.
Personal data of candidates may be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (Article 4(1)(e) GDPR) The documentation produced during the selection process, which is intended to decide on the selection of the most suitable candidate and at the same time serves as evidence that the selection process of the candidate was carried out correctly, should be kept for as long as the rights arising from the selection process can be exercised or a complaint or action for damages may be filed. For this reason, limitation periods in the field of obligation law or penal law should be taken into account when determining the storage time of this documentation. Where no specific legal action has been lodged against the selection decision, the documentation should, in principle, be kept for five years from the date of the selection decision. However, if judicial or other proceedings have been initiated, the file should be kept until the final conclusion of these proceedings.
Other material that do not fall into the aforementioned categories of documentation and have been submitted to the employer by non-selected candidates should be kept at least 30 days after the candidates, that were not selected, receive employer`s notification of non-selection, as in this period non-selected candidates may request judicial protection before the competent labour court.
It is important to note that personal data of candidates, collected by the employer for specified, explicit and legitimate purposes, may not be further processed in a manner that is incompatible with those purposes (the purpose limitation principle, Article 4(1)(b) GDPR).
Information Commissioner of the Republic of Slovenia