On 26 July 2004, the Dutch Data Protection Authority (“College bescherming persoonsgegevens”) (“CBP”) approved the Privacy Code of Conduct of the Dutch trade organisation (“The Code”) concerned with recruitment, search and selection (“Branchorganisatie voor Werving, Search en Selectie”) (“BWSS”). This approval, published in the Dutch Government Gazette of July 30 2004, is valid for a period of five years. All organisations that are members of BWSS are obliged to comply with the Code. This means, inter alia, that they must take care to ensure that their customers, i.e. the companies/employers that have instructed them to search suitable applicants, handle information regarding potential applicants and other individuals in a strictly confidential manner.
In its approval, the CBP explained how the Code is intended to offer additional guidance and clarification on the provisions set out in the Dutch Personal Data Protection Act (“Wet bescherming persoonsgegevens”) (“WBP”). The Code lists the purposes for which members of BWSS may collect and process personal data of potential applicants. In addition, it specifies under what conditions personal data can be collected and processed. Moreover, the Code specifies the applicant’s rights, and the rights of other individuals concerned. In particular, the Code identifies at what stage the CBP has to be informed of the fact that an individual’s personal data has been processed.
The Code stipulates that the processing of data is necessary in the field of recruitment for the search and selection of applicants. The data may be collected and processed in circumstances where it is necessary for the assessment of the suitability of potential applicants for a specific function. In addition, data may be collected and processed if it is necessary for the conclusion of the employment contract between the applicant and the customer (the employer). Further, data can be processed for settlements of disputes, for auditing purposes, for scientific and historical research and statistics, as well as for informing applicants of the fact that their personal data is being processed.
The Code makes a distinction between potential applicants and other persons. With respect to other persons, only contact details such as initials, first and last name, academic title, gender, address and telephone number may be processed.
With regard to potential applicants, several types of personal data may be processed. In addition to the usual contact details, data regarding the following may be processed:
place of birth
training courses attended
current employment specifications as well as possible future qualifications
work experience and income
All data obtained from potential applicants must be public sources in the field of recruitment, from referees or by way of analysis of CV’s and interviews of the applicants.
In principle, personal data has to be removed if it is no longer required for these purposes. Personal data can only be stored for up to five years. The Code stipulates that data can only be provided to customers within the framework of a specific instruction and only after the applicant has given his unambiguous consent.
Should an individual claim infringement of the Code, the Code specifies how potential complaints and disputes can be dealt with. An independent supervisory committee has been set up to deal with these issues.
The Code (available in Dutch only) can be downloaded from