February 22nd, 2018 | Sterling

What are Candidate Rights Under the GDPR?

In just a few short months, the updates to EU data privacy laws will be applied, affecting individuals and companies around the globe. Sterling has produced a 10-part webinar series about the changes to personal data protection in the European Union when the EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018. The webinars share key steps hiring managers, HR and legal personnel can take now to help ensure full compliance from day one. The first webinar in the series, “What You Need to Know with 12 Months to Go”, introduced the changes to data privacy laws to come. The eighth webinar in the series, “Candidate Rights Under the GDPR”, is now available on demand. The webinar, presented by Oran Kiazim, Vice President of Global Privacy, and Beatriz Torets-Ruiz, Privacy Analyst & Legal Researcher of Sterling, explains candidate rights, from the right to access information to the right to object to the processing of private data.

GDPR Approach to Candidate Rights

The GDPR has provided guidelines on how it approaches candidate rights in the context of data privacy. The key elements are transparency and accountability. Open and transparent communication to candidates is crucial. Candidates have the right to basic information about the screening process, including receiving a privacy notice that gives the individual insight into how and why their personal information will be processed. Under the GDPR, the information must be provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.” Organisations must ensure that they enable their candidates to exercise their rights. A good background screening policy is key to providing both of these elements.

Right of Access and to Obtain Copies of Information

Under Article 15 of the GDPR, candidates have the right to obtain confirmation as to whether or not personal data concerning them are being processed. An individual also has the right to learn the purpose of the processing, who will receive the personal data and how long the data will be stored, as well as the right to request the rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing. The candidate must receive notification detailing the background screening process and how their personal information will be handled. Candidates can receive copies of all their personal information, not just the screening report.

Right of Rectification, Erasure and Restriction

Inaccurate or incomplete data is bad, but not doing anything under GDPR is also bad. Inaccurate data must be corrected wherever possible. If there is incomplete data, supplementary statements must be provided. Third parties must be informed of any rectification or sent the additional statements. According to Article 17 GDPR, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have an obligation to erase personal data without undue delay.” If one of the following is true, candidates can demand erasure of their personal data:

  • Personal information no longer needed for their original purpose
  • Candidate has withdrawn consent (if consent is the only legal ground for processing the personal data)
  • Candidate exercises their right to object to the processing (and there are no overriding legitimate grounds for the processing)
  • Personal information has been processed unlawfully
  • There is a legal obligation to erase the personal data

Right to Restrict and Object to Processing

An individual has the right to restrict and/or object to the processing of their personal data in some circumstances. One such circumstance is when the accuracy of the personal data is contested. If a candidate has a request to rectify or erase data, the processing of the data must be put on hold. The restriction must last as long as it takes to verify the accuracy of the information. To be transparent, it is important to inform the candidate when the restriction is lifted.

It is also possible for an individual to have a general objection to processing of personal data, even if its accuracy is not contested. When this objection occurs, the processing of the personal data (or background screening) must be stopped. To continue with the processing, either an organisation must demonstrate a compelling legitimate ground for processing that overrides the interests of the candidate, or an employer must need the information to establish, exercise or defend against a legal claim. This is not an absolute right unless it is related to direct marketing. Most organisations will find that a compelling legitimate ground can be established for background screening.

The Right of Data Portability

Data portability is the right of an individual to receive a copy of their personal data, to transfer or have their data transferred to another organisation, and to be informed on how their information will be stored. Under the GDPR, individuals have many rights, including:

  • Right to receive personal data in a structured, commonly used, machine-readable format that supports re-use
  • Right to transfer their personal data from one organisation to another
  • Right to store their data for further personal use on a private device
  • Right to have personal data transmitted directly between organisations without hindrance

Individuals can receive copies of personal data free of charge. A “reasonable fee” will be charged when a request is unfounded or excessive, or when additional copies of the same information are required. Fees are based on the administrative cost of providing the items.

Practical Tips for Candidate Rights under the GDPR

Oran and Beatriz shared a few practical tips to be compliant with a candidate’s rights to data access and removal:

  • Review your privacy notices to ensure you explicitly call out the rights your candidates have and how they can exercise them
  • Determine how you can work with your screening provider to respond to candidate requests to access, rectify or erase data
  • If portability applies, consider which of your records are covered by your screening programme
  • Make sure your internal policies and procedures allow for pausing the screening process if a candidate exercises their right to restrict or object
  • Get a background screening policy in place that articulates your organisation’s legitimate interest


Please note: Sterling is not a law firm. The material available in this publication is for informational purposes only and nothing contained in it should be construed as legal advice. We encourage you to consult with your legal counsel to obtain a legal opinion specific to your needs.

Sterling has been planning since 2016 for the GDPR changes that go into full effect on 25 May 2018. One way to stay up-to-date on the provisions of the GDPR and make sure that your organisation is compliant is to sign-up for the Sterling GDPR 10-part webinar series. The On-Demand webinars tackle the many aspects of the GDPR, from privacy notices to definitions of automated decision-making and how the changes will impact the background screening industry. Sign up today for these informative webinars.

