It is widespread practice for companies to check social media in order to investigate the “web reputation” of candidates applying for job positions. Nothing seems more natural than for prospective employers to “google” applicants and check their LinkedIn profiles, but also Facebook, Twitter, Instagram etc. Is this conduct legitimate under the revolutionary EU Regulation 2016/679 (General Data Protection Regulation, “GDPR”), which will become applicable on 25 May 2018? If you do not want to risk fines of up to 4% of annual turnover or €20 million, whichever is higher, it would be better to start addressing this with the utmost care and diligence.
The GDPR is governed by principles of fairness and transparency, and these apply to the pre-hiring phase as well. Candidates’ data can be collected for a genuine reason that is relevant and proportionate to the scope of recruiting. But when it comes to social media, there is anything but clarity on what the right approach would be.
In the absence of specific provisions, it is still reasonable to rely on the non-binding guidelines issued with Opinion no. 2/2017 on data processing at work by Article 29 Data Protection Working Party, an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission.
The opinion sets out a few clear concepts relating to the use of social media in the recruiting process: a legal ground is necessary for processing the data, the processing must be necessary and relevant for the performance of the position being applied for, and the applicant must be informed that his/her social media profiles will be reviewed.
It follows that employers should not investigate an individual’s social media profiles merely because they are publicly available, but are allowed to inspect only social media profiles related to business purposes (e.g. LinkedIn). Conversely, it would be risky to collect information from social media profiles related to private use (even in the case of “open” profiles), as there would be no legal ground for this action.
Likewise, there would be no legal ground to require a candidate to “friend” the potential employer, or otherwise provide access to the contents of their private profiles.
Furthermore, data collected during the recruitment process should be deleted as soon as it becomes clear that an offer of employment will not be made or is not accepted by the candidate.
Candidates should also be informed that their social media business profiles could be reviewed (e.g. in the text of the job advert).
Again, these are only guidelines and interpretations with no binding legal value. However, in the absence of more specific local legislation (which the GDPR encourages), and although quite restrictive, they currently represent the most prudent approach to follow, at least until different case law develops.