Candidates blacklisted: is that allowed?
For example, a former employee left on bad terms and you want to make sure they don’t end up in the hiring process again. You can avoid that by using a recruitment blacklist. But, is that allowed? The General Data Processing Regulation (AVG) imposes strict requirements on the data you may collect and retain as an organisation. A blacklist is sensitive and not automatically allowed, despite the fact that it can offer great advantages during the recruitment process.
And to make things a little more complicated, imagine that you would rather not have certain individuals or types of candidates in the process. They didn’t previously work within the organisation, but you’d rather not have them there. A blacklist can appear to be a suitable option, but it also leads to even bigger privacy issues.
In the first case, a candidate understands that his or her data was stored when that person was employed. Being blacklisted isn’t fun, but the fact that the data was collected doesn’t initially raise any questions. However, it’s harder to justify this to someone who was never employed there and whose data therefore did not need to (and should not) be collected at all.
Important questions
Wondering if you can (still) use a blacklist and what options you have or don’t have? In any case, therefore, it is important to ask yourself three key questions:
- Who will be blacklisted?
Does it concern specific individuals you wish to blacklist? Have they previously worked or applied for a job with the organisation or do they not yet have a relationship with the company? Determine who you wish to put on the list. - Why does a person get blacklisted?
What is the reason you want to blacklist candidates? Identify why you think this is important and why you want to keep these individuals out of the recruitment process. - How long do you keep a person blacklisted?
How long do you want to keep candidates blacklisted? Does this apply to a specific recruitment process or does it include subsequent applications?
To determine whether or not it is possible to blacklist candidates, responses must meet the following three conditions:
- Is there a legitimate interest in processing personal data for this purpose?
As an organisation, you must have a legitimate interest in using a blacklist. For example, preventing misconduct or combating fraud. - Is there a need to process personal data for this purpose?
The blacklist must be necessary. In other words, best interest cannot be served via any other less intrusive means. - Does the best interest of the business outweigh the candidate’s rights to privacy?
You must be able to make it clear that the corporate interest outweighs the privacy interest of the individuals that are to be blacklisted.
Meanwhile, keep in mind that you can only list candidates who know that their data has been processed. In addition, everyone retains the right to access their data, even if someone is blacklisted.
Not in the recruitment process
Don’t want certain candidates in the recruitment process? A blacklist can provide a suitable solution. If the conditions are met and candidates can be blacklisted, a variety of restrictions are still in place.
For example, the specific reason why someone is blacklisted can not be put on record. Here, the candidate’s privacy interest always outweighs the interest served by the blacklist. Without putting the reason on record, best interest is served: for recruitment, the blacklist can prevent candidates from entering the recruitment process.
Blacklist under strict conditions
Make use of a blacklist while adhering to strict terms and conditions? It is wise to start with certain criteria, based on which candidates can be blacklisted. As soon as someone meets one or more of the criteria, that person is put on the list. In this case, the reason is not made clear, because there are multiple criteria that warrant it.
Please note: even under strict conditions, blacklisting candidates whose data you have not previously collected is not permitted. You cannot include someone on the list who has never applied or been employed, without informing that person and asking their permission.
Tip: The only way to include individuals you have not previously been in contact with is to create a shared blacklist, for example on an industry level. In order to create a shared blacklist, a permit must be obtained from the Data Protection Authority.
The Data Protection Authority also requires organisations to conduct a Data Protection Impact Assessment (DPIA). This should show the risks for those involved and how these are addressed.
The recruitment blacklist is a sensitive topic. It is possible to use such a list to exclude certain candidates from the recruitment process. Keep in mind that this comes with several caveats though, so always get good advice about it.
Want to learn more about the ways we help our clients work with candidate data efficiently and according to GDPR guidelines? Contact us on +31 (0)10 – 820 29 10 or fill out the contact formr.