Recruiting 4.0 – The Active Sourcing Trend – What does Data Protection Law allow?

For companies, it is becoming increasingly difficult to find qualified staff to fill job openings. The balance of powers has been reversed: candidates used to have to convince potential employers that they would be perfect for the position, now it is the companies that have to search for applicants and show them that they are attractive employers. Changes in the demographic mean this situation is likely to get worse, rather than better in the future.

1. Current recruiting trends

Against this backdrop, the approach of companies to recruitment has undergone some longlasting changes. Recruitment is now a management issue. According to a recent study by Linkedin, 83% of recruiters are convinced that talent acquisition is the No. 1 priority for companies. In order to ensure that a company discovers any suitable candidates before the competition, it must become increasingly active in recruitment. The term is “active sourcing”. Potential employees should be identified and contacted, before they even become aware of their suitability for a position with the potential employer and that the employer is interested in them. The use of social media to search for candidates plays an important role in this.

Practical Tip: In order to win the ‘war for talent’, human resources must take an increasingly active approach to staff recruitment.

2. Active sourcing and job applications

Active sourcing has two general phases:

• Targeted candidate search:

  This aims to find qualified potential employees with suitable profiles for specific or future positions.

  Keep in mind: During this identification phase, data protection law aspects are primarily relevant.

• Addressing the candidate:

  Once a suitable candidate has been identified, they should be contacted and won for the company.

  Keep in mind: Competition law aspects are of primary relevance during this contact phase.

A legal distinction must be made – as will be explained later – between active sourcing and a situation where an applicant has already applied for a position of his or her “own volition”.

3. Data protection law aspects

First, a potential applicant must be identified. When searching for talents externally, human resources personnel rely not only on data that they have obtained directly from the potential applicant. However, a separate basis for permission is generally required for the collection or use of personal data obtained from the internet or social networks. This basis could be, for example, the consent from the data subject or a legal provision.

This will become increasingly relevant as of 25 May 2018, especially in light of the EU General Data Protection Regulation (GDPR) and the revised version of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) (in particular § 26 BDSG, which governs employee data):

For most provisions of the GDPR, heavy fines will apply in the case of infringement (including the lack of consent). Data subjects will have increased rights to information, e.g. in relation to the source of information, and may claim compensation when there is an infringement of the GDPR in relation to their data. Increased reviews by data protection authorities can be expected. The standards for effective consent have also been increased by the GDPR in comparison with § 26(2) BDSG: consent must be given on an informed basis, i.e. the data subject must be informed of the purpose of the data collection and that their consent can be revoked at any time, and must be given voluntarily. The dependence of employees (including applicants) on the employment relationship and the circumstances in which the consent is given both must be taken into account when assessing the voluntary nature of such consent.

3.1 Consent for data collection / use

In light of the above, a potential candidate cannot effectively give their consent in the case of “active sourcing”, e.g. the search for candidates via search engines (google or social networks), even if the candidate is responsible for putting the material online.

When an internet user allows data to be uploaded, he is not aware that a potential employer could be using active sourcing and be interested in this data. Any consent therefore cannot be legally effective because it was not “voluntary” in a legal sense. In addition, any consent would not have been made on an informed basis, as will be required by the revised GDPR (Article 4 (11)) and the new BDSG (§ 26(2) fourth sentence) in the future. In the case of active sourcing, it will therefore generally not be possible for data subjects to give effective consent.

If the candidate has already actively applied for a position, any consent will also not be considered voluntary: an applicant applying for a position cannot generally give their consent voluntarily, as they cannot afford to refuse a potential employer their wish. The explanatory memorandum to § 26 (2) BDSG (revised) now clarifies this position, which had already been taken in part in relation to the exisitng legal regime. Data protection authorities, e.g. in Berlin, also assume that consent cannot be given voluntarily in on-going job application procedures.

Keep in mind: During both active sourcing and application phases, potential employees will not be able to give effective consent because any consent will not be given voluntarily.

3.2 Legal rule

Using a search engine to search for candidates (“active sourcing”) means that the “necessary for hiring decisions” justification found in § 32 BDSG (old version) or section 26 BDSG (revised) cannot be relied upon because there is no job application situation. The words “application situation” presumes that there is always active conduct on the part of the applicant. This is not the case with active sourcing.

Under the current law, which applies until May 2018, the legitimacy of an internet search is assessed under § 28 (1) No. 3 BDSG, which can essentially be found in Art. 6 (1) (f) GDPR. Accordingly, on the one hand, the data must be generally accessible and, on the other hand, the interests of the data subject in the non-collection of the data must not outweigh the interests of the employer in the collection of the data. If the data can be found via a search engine, it is considered publicly accessible information. The interests of the employer in collecting and processing data will, as a rule, outweigh the interests of the data subject in such a case, because the data subject uploaded the data to the internet himself. This will not be the case, e.g. when it is clear from the search results that there has been an invasion of privacy (see 2.1.2.3 below for more).

If the data subject has actively applied for a position within the company, the justification in § 32 BDSG and § 26(1) revised BDSG may apply. A job application situation is necessary for these provisions. Within this framework, a balancing of interests must be conducted in order to consider whether the collection of data is actually necessary for the selection of applicants. The result of this assessment will only be in the employer’s favour when there is a discernible connection between the information concerned and the position to be filled.

The elements of the justification discussed under part 2.1.1.1 also apply here. When conducting the necessary balancing of interests between the employer’s interest in the information, on the one hand, and the interests of the internet user in maintaining data confidentiality on the other, a distinction has to be made between “recreational” and “professional” social networks. Today, however, this distinction is often no longer simple. Ultimately, it depends on what an objective third person views as the primary use of the network. The general terms and conditions of the site can also help classify the network.

For recreational networks, such as facebook or google+, for example, where the focus is on the exchange of information between friends, the balancing of interests will fall in favour of the employee. Such networks must therefore not be used for active sourcing. Recreational social networks allow conclusions to be drawn about particularly sensitive personal data, such as political views, religious convictions or the sexual life of the (potential) applicant. Such information could significantly reduce the applicant’s chances of success, e.g. if a religious employer becomes aware of the fact that an applicant is homosexual from social network posts. Users of recreational social networks should also not have to assume that their data will be used for vocational purposes.

Professional social networks are decisively different. Data is made available on such networks in particular because of its commercial use, and there is a connection between the use of such networks and the search for a new job. Often, users upload data specifically in order to make it available to potential employers. The balancing of interests in the case of “professional networks” will therefore fall in favour of the employer, so that information gleamed from such networks can be used both for the selection of applicants and for active sourcing.

In any case, the use of data, which has not been made publicly available on such professional networks, is unjustifiable because there are significant hurdles to acquiring such information (for example, for data in closed groups or where a linkedin profile is only made available to specific contacts).

In any case, the limits of search engine or network research are reached when it is clear that any recourse to the data violates the data subject’s rights to protection of personality, such as where information concerns the private sphere (photos of a marriage to a same-sex partner) or data that may relate to the social sphere, but is conducive of abusive criticism, stigmatisation or social exclusion. In addition, any information, which cannot be addressed in a job interview (e.g. about previous convictions which are not related to the position), cannot be relied upon.

Keep in mind: Active sourcing may generally not rely on information from recreational social networks, while professional social networks may generally be used for such research. In any case, the limits of any such research are reached when the data concerns the private sphere or has obviously been posted by a third party or merely conduces abusive criticism, social exclusion or stigmatisation.

If you have any questions related to this topic, please feel free to contact
Dr Anja Branz (Lawyer, Licensed Specialist for Labour Law ).