
Data protection in the recruitment process

In this episode of our Arbeitsrecht podcast, Magdalena Ziembicka and Paulina Pomorski look at questions related to data protection in the job application process: from general issues of processing applicants’ personal data, background checks and obtaining references to the use of algorithms in the application process and processing and storing application records.


In Austria, there is no separate act specifically governing employee data protection. Rather, personal data of employees (and job applicants) is covered by the GDPR and the Austrian Data Protection Act. Thus, processing employee personal data requires a legal basis under the GDPR, and the processing principles must be observed. Employees are considered a group of persons whose personal data requires special protection, due to their dependency on their employer.

Application documents and consent for data processing

For the purposes of handling the job application and hiring process, the potential employer will need to process the candidate’s personal data contained in the application documents submitted by the candidate (such as a letter of motivation, CV, references and training certificates). The legal ground for processing personal data in this case is typically the necessity to perform the contract or the pre-contractual measures at the request of the data subject.

In practice, however, employers sometimes ask for candidates’ consent, which in fact puts the employers in a vulnerable position. The GDPR requires the consent to be voluntary in order to be valid. However, the voluntary nature of consent in the application process can be questioned due to the inherent imbalance of power between the potential employer and the applicant, as the applicant may fear being rejected if he/she refuses to provide consent. Therefore, there is a risk that the consent would be considered invalid.

Nevertheless, there are circumstances where consent may be deemed voluntary, e.g. when refusing consent has no negative consequences for the employee.

In addition, according to the GDPR, consent can be withdrawn at any time without a reason, meaning that the future processing of the related data will not be possible. This should be considered when relying on consent. As such, relying on consent in the employment relationship, including in the application process, as a legal ground for processing should be carefully assessed in each individual case.

Background checks

In practice, many companies wish to conduct background checks on the candidates and request a criminal record certificate.

The processing of criminal-related data is only permitted if there is a corresponding provision in national law. In Austria, section 4 para 3 of the Data Protection Act addresses this case. In sum, it means that the employer must have a legitimate interest for processing personal data contained in a criminal record certificate. However, the permissibility of such data processing depends on the position for which the candidates are applying. For example, the potential employer would usually be able to request an extract from a criminal record if a candidate would work in the financial services sector or with children. The employer cannot introduce a general background check requirement for all employees, irrespective of their specific job position, simply because the company does not wish to employ persons with a criminal record.

Employment references

Potential employers usually request the candidates to provide references and also often contact current or previous employers to inquire about the candidate.

In Austria, the employer is obliged by law to provide a reference letter to the employee at the end of the employment relationship, indicating at least the duration of employment and description of responsibilities and main tasks. Other information can be added on a voluntary basis or per agreement between the employer and the employee, such as an assessment that “the employee has performed duties to the complete satisfaction of the company”.

The potential employer has a legitimate interest to request and process data included in reference letters. This type of data helps them to assess the professional experience of the candidate against the requirements of the advertised position. Additionally, contacting current or former employers to inquire about the candidate would in most cases also be covered by the potential employer’s legitimate interest for the same reason. However, in our opinion, an additional justification is required, e.g. in cases where the written reference is unclear or the applicant is shortlisted.

If the candidate is to be hired and an employment contract is to be drafted, the employer may also base the processing of the reference letter on the necessity for performance of the contract, as well as compliance with a legal obligation. The employer will in most cases require the reference letters in order to classify the employee within the salary scheme of the applicable collective bargaining agreement. Some collective bargaining agreements contain a direct obligation to provide the reference letters.

However, potential employers should keep in mind that reference letters and other information provided by current or previous employers have limited informational value, because they will usually not contain any negative information about the employee. The purpose of reference letters is to advance employees and therefore negative assessments, even very subtle ones, are prohibited. In addition, if the current or former employer provides negative feedback to the potential employer, they (the current or former employer) may be liable to pay damages to the employee. At the same time, references provide an objective description of the employee’s experience, thus supporting the information in their CVs.

Artificial intelligence

The use of an automated system, which excludes human involvement, for individual decision making in the hiring process falls under Art 22 GDPR. This means that the use of such an automated system is permissible only under certain conditions, including the data subject’s consent and the right to comment on and contest the decision.

Furthermore, the use of an automated system is problematic from the perspective of employment law due to potential algorithmic bias, which can lead to discrimination against candidates on the basis of protected characteristics, such as gender, age and ethnicity.

Rejected candidates can claim damages, with good chances of a decision in their favour, as the discrimination would only have to be made credible/plausible and not proven. In addition, candidates can request access to their personal data. This includes access to meaningful information about the logic involved in the automated decision-making process, as well as about the significance and the envisaged consequences of such processing for the data subject.

Storing candidates’ data

If the candidate applying for a specific job does not get hired, but the employer would like to keep the application for future similar job openings, the employer will need to obtain consent for keeping their data on file. It is one of the cases where consent is less problematic because it is to the advantage of the employee. However, the employer must clearly indicate whether the information will be shared within the group companies and the duration of data retention.

The employer also has a legitimate interest to retain data of unsuccessful candidates to use it as evidence in the case of potential legal action from the candidates’ side, e.g. if they claim that their application was rejected on discriminatory grounds. In such cases, the company must demonstrate which specific future legal action could be filed and on what legal basis, and to what extent this establishes a need for further storage of personal data. Employees have six months to challenge the outcome of the hiring process based on alleged discrimination, yet according to case law, retention for seven months (factoring in the time of service of the claim) is acceptable.