Employee data protection series (iv): processing a candidate’s personal information during recruitment

Collecting a candidate’s resume during recruitment is the starting point of the HR data flow. Companies are keen to collect more information about the candidate to evaluate whether he/she is the right person for the position. However, after the Personal Information Protection Law (“PIPL”) took effect on 1 November 2021, companies are advised to overhaul the recruitment process for compliance purposes.

1. Legal basis for processing a candidate's personal information

Unlike processing an employee’s personal information (“PI”), companies in most cases cannot process a candidate’s PI on the legal basis of "necessity for the performance of an employment contract", "necessity for the implementation of human resource management", or "necessity for the performance of statutory responsibility or obligations" during the recruitment process, since the employment relationship has not been established at this stage.

Although the recruitment process and the processing of personal information are prerequisites for offering employment, the employer may not be able to rely upon “conclusion of an employment contract” to process the personal information of a candidate, as not all the information processed during recruitment will be necessary for concluding an employment contract. Whilst the PIPL is silent on what will be considered “necessary” for concluding a contract, we are of the view that if the employment contract cannot be concluded without the processing of certain PI, such processing will be considered necessary. As such, the personal information needed for concluding an employment contract will be very limited.

Therefore, companies should review the legal basis for processing PI of candidates and identify the appropriate legal basis for processing a candidate’s PI. Where necessity for concluding an employment contract or for compliance with statutory obligations under limited circumstances (as discussed below) is not available, companies should obtain consent from the candidates.

2. What PI may be processed during the recruitment process

Following the principle of "reasonable purpose and minimization", companies should only collect personal information necessary for the purposes of evaluating a candidate’s suitability for a position, including contact information, educational background, work experience, professional qualification, etc. Companies should not collect candidates’ PI that may not be necessary for reasonable purposes, such as information about a candidate's family members, religious belief, life experience, or sexual orientation.

In addition, employers should also note that certain PI collection is prohibited during the pre-employment process. For example, companies are not allowed to inquire about women’s marital and childbearing status during the recruitment process under PRC law.

3. Collection of resumes

Employers may obtain a candidate’s resume in various ways. Here are some common scenarios:

  • Self-collection: where a candidate sends a resume to the email address of the company, uploads a resume through the company's official website, or submits a paper resume to HR face to face.

    In this case, the company should make sure the candidate is fully informed about the details of the processing before submitting their resume and, where consent is required, obtain their consent.

  • Collection through third parties: companies may collect candidates’ resumes from third parties, such as recruiters, and online recruitment platforms, such as job-advertising websites/apps.

    A company should ensure that the third party collects the PI of the candidates lawfully. In this situation, the company and the third party will likely be considered two separate personal information processors, who should enter into a contract with regard to the data sharing. In the contract, the company should require that the third party (i) has complied with applicable laws in its own processing activities; (ii) has fully informed the candidate of the details of the processing activities by the company; and (iii) has obtained a separate consent of the candidate where necessary.

4. Background check

A background check is a common way for a company to learn more about a candidate. In most circumstances, since the company can decide whether to enter into an employment contract with a candidate at the recruitment stage even without background check information, it is open to argument whether background check information of the candidate is necessary for the conclusion of an employment contract. Therefore, we recommend that the candidate’s consent be obtained before the background check. Besides, where a background check is statutorily required, the employer may rely on legal obligations to process personal information obtained via the background check.

5. Physical examination

A physical examination is also a common part of the recruitment process, and a physical examination report contains sensitive PI of the candidate. Therefore, we recommend that employers obtain a separate consent from the candidate except where a physical examination is statutorily required in the industry (e.g. workers in the food industry are required to obtain health certificates after a physical examination).

6. Retention of PI

Once the recruitment process of a candidate ends, the employer should not retain the PI of the unsuccessful candidates unless there is a reasonable purpose for doing so. In addition, the company must also notify the candidate of the retention and obtain the consent of the candidate.

7. Key takeaways

Companies should take actions to make sure that they comply with the PIPL in the recruitment process. Here are the key takeaways for employers:

  • Only processing PI that is necessary to evaluate a candidate’s suitability for the position;
  • Ensuring that candidates are fully informed of the company’s PI processing activities throughout the recruitment process;
  • Identifying the legal basis for processing personal information and obtaining consent and/or separate consent where necessary;
  • Conducting due diligence on third-party recruitment service providers and including data protection clauses in the service contracts with the recruiters or signing a separate data sharing agreement; and
  • Deleting the candidate’s PI at the end of the recruitment process, unless the employer has a reasonable purpose for retention and has obtained an informed consent from the candidates.
