– Thoughts about preliminary background checks on social media –
Waves of innovation have swept through the field of EU data protection law in recent years.
On the one hand, the EU legislative body’s long-awaited intention to reform the current data protection rules and to create a single, new and directly applicable regulation seems to be on its way with the General Data Protection Regulation (“GDPR”) and its applicability from May 25, 2018. Naturally, as the GDPR seems to bring serious changes in the field of data protection, the above date has definitely been marked in the calendars of those who are concerned with or simply interested in this subject.
However, alongside the GDPR, the legislative body’s other important task is to come up with competent, safe and stable reactions to entirely new data protection issues stemming from the unbridled advance of technology.
Compounding this, the data protection advisory body of the European Union (Article 29 Working Party) (“Working Party”) issued its new position paper in June, dealing with data processing in employment relationships, with special attention to the new life situations created by technological progress (“Position Paper”).
In the Position Paper, the Working Party, recognising how important yet unregulated this field is, shared its opinion inter alia on how potential employers can check up on candidates on different social media platforms (e.g., Facebook, Twitter) during the recruitment process.
The present article, written by Lea Báncziová and Gergő Szalai-Bordás, focuses on analysing the EU’s current position on the potential employer’s virtual clearing regarding background checks.
The End of Unrestricted Stalking?
One of the most important aspects of the Position Paper is that, for the first time in the history of EU law, it clearly states: the potential employer cannot “surf” the social media platforms of the candidates without limits, as the background check does have initial criteria.
According to the Position Paper, the data controller (i.e., the potential employer) must have a legal ground for the processing of personal data, for example to acquire data from the candidate’s Facebook page. The consent of the candidate or the legitimate interest of the employer could serve as such a legal ground.
However, when the so-called background check is carried out based on the legitimate interest of the employer (i.e., without the consent of the candidates), such data processing can only be legitimate if the acquired data is necessary and relevant to the performance of the job which is being applied for. The candidate must be properly informed about the processing of his/her data (i.e., that he/she is being checked on social media platforms).
Another important aspect of the Position Paper is that it states: data collected during the recruitment process should generally be deleted as soon as it becomes clear that an offer of employment will not be made or is not accepted by the candidate.
For a Successful Application, Please Add Us on Facebook
At first glance it may seem like a novelty, but it is generally quite a logical statement from the Working Party that there can be no legal ground for an employer to require candidates to “friend” the potential employer, or to provide access to the contents of their profiles in other ways.
Since there is a hierarchical and unequal relationship between the parties in recruitment processes, the candidate cannot consent to the processing of his/her data of his/her own free will; the consent is instead based on an external influence. In this case, adding someone as a friend or accepting such a request may not qualify as a “freely given consent”, which can be relied upon as a legal ground in data protection law.
LinkedIn is OK?
Based on the Working Party’s opinion, an important condition can be whether the social media profile on which the candidate is being checked is related to business or private purposes. As the former is mainly used for sharing relevant information in connection with our professional life, the legal admissibility of the data gathered from such profiles could be broader. Such platforms are used to share information which is necessary and relevant to the performance of the job which is being applied for.
Unlawful Data Processing
First, we underline that the Position Paper is not legally binding. However, both the EU and the national data protection authorities tend to accept the Working Party’s opinion on certain matters. The Hungarian data protection authority (Nemzeti Adatvédelmi és Információszabadság Hatóság) also cites the position papers and recommendations of the Working Party in its own decisions.
In the light of the above, we believe that such guidelines issued in connection with background checks will be enforced by the Hungarian authorities as well. This means that, in case of an infringement, potential employers can expect sanctions across quite a broad range, from the deletion of the unlawfully processed data to the imposition of a financial penalty, the amount of which may run up to HUF 20 million.
 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
 Opinion 2/2017 on data processing at work (Adopted on 8 June 2017)