Switzerland has recently also adopted measures to comply with the data processing regulation, which already applies in the European Union.
In fact, the Federal Council considered the Protocol of amendment to the Council of Europe Convention for the personal data protection regulation – GDPR.
With this update, which will also involve the Swiss Data Protection Regulation (LPD), Switzerland can guarantee a higher level of personal data protection in both the private and the public sphere, as well as for cross-border personal data flows.
The main regulation regarding personal data processing remains the General Data Protection Regulation (GDPR), a European Union regulation on the processing of personal data and privacy that became operational on May 25, 2018.
In the analysis that follows, we will focus on the aspects of the GDPR strictly connected with the human resources area.
This adjustment implies an increase in the obligations of data controllers. The data controller is the one who processes the data without receiving instructions from others, and who decides “why” and “how” the data should be processed. In our case, the data controllers are the temp agencies or the companies themselves.
But which rights may the interested parties exercise? And what are the consequent obligations of the data controllers in practice?
The first right mentioned by the GDPR is the right to information (articles 13 and 14 GDPR).
These articles determine the minimum content of the privacy notice, which shall be submitted to and accepted by the interested parties.
Consider a candidate who is applying for an offer through the website of the temp agency or of the company itself.
What should the minimum content of the privacy notice be?
Purpose of the processing, legal basis of the processing, legitimate interests, mandatory or optional nature of the processing, data retention period, cookies regulation.
The right to information lasts for the entire period of the data processing. This means that, at any time, the data controller shall promptly accommodate the requests of the interested party (that is, of the candidate).
For example, when an application takes place via a website, the data controller must keep track of which information flags were accepted by the interested party at the time of consent, and must submit a new information notice whenever a modification involves the site itself.
Complying with this regulation can be quite difficult without adequate software to manage all of these matters on behalf of the data controller. The use of specific software represents not only a guarantee regarding the correct application of the law, but also a considerable saving of time. Moreover, the right to information is the one most easily verifiable by the supervisory authorities, since the information itself is published on the public website.
Last but not least, failure to comply with the GDPR exposes data controllers to substantial penalties, not to mention the bad publicity which could arise from such a situation.
In the next articles we will analyze, point by point, the candidate’s other rights, with practical examples for a correct application of the legislation.