25
Wed, Dec
91 New Articles

How to Lawfully Navigate Social Media Checks in Recruitment

Bulgaria
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

In today's digital age, social media has become a ubiquitous presence in our personal and professional lives. For employers, these platforms offer a valuable yet complex tool in the hiring process. While the potential to gather additional insights about job candidates is enticing, it also raises significant legal questions regarding privacy and data protection.

This article explores the legal boundaries surrounding employers' use of social media in the recruitment process, particularly under the framework of the General Data Protection Regulation (GDPR). By gaining this understanding, employers can navigate the recruitment process more effectively, ensuring they respect candidates' privacy while making informed hiring decisions.

Legal Basis for Collection of Information from Job Candidates' Public Social Media Profiles by Employers

The collection of information about job candidates from their publicly accessible social media profiles constitutes personal data processing. Employers can engage in this activity only if they have a legal basis and have duly informed the candidates.

Typically, this processing is grounded in the so-called "legitimate interest" of the employer, acting as a data controller. Legitimate interest is one of the six legal bases allowing for the lawful processing of personal data under the GDPR.

For an employer to claim legitimate interest, they must conduct and document a "balancing test." This involves weighing their legal interests against the rights and freedoms of the data subject (the job candidate), considering the candidate's reasonable expectations. This test must be done before data collection, and its outcome determines whether the employer can lawfully use this basis for processing.

The employer's interest will be justified if the data processing includes only relevant, limited, and necessary information for the recruitment purposes, and it aligns with the candidates' reasonable expectations. This typically involves information about education, professional experience, and other relevant data publicly shared by candidates on professional networks like LinkedIn.

Next, consent can also be an appropriate basis for personal data processing provided that the data subject has a genuine choice to grant or withhold consent without facing negative consequences. If these conditions are not met, the consent is not considered freely given and is therefore invalid.

Given the imbalance of power in the relationship between employer and (future) employee, it is unlikely that the data subject would be able to refuse to give their consent to the employer for data processing without fearing adverse consequences as a result of that refusal (e.g., the risk of their application being rejected and losing the job opportunity). Consequently, the European Data Protection Board finds it problematic for employers to process the personal data of current or future employees based on consent.

Notification Obligations and Right to Object

It is advisable to notify candidates that their social media activity (and on which platforms) will be checked before they enter the recruitment process - for example, by including this information in the privacy notice accompanying the job advertisement. If this has not been done, or if the candidate applies “spontaneously” without there being a published job advertisement, the notice should be provided during the initial contact after receiving the application, before any checks and corresponding data processing begin.

It should be noted that a job candidate can object to checks of their social media activity, and the employer must inform them of this right.

Upon objection, the employer must cease the processing unless they can demonstrate compelling legal grounds that outweigh the candidate’s interests, rights, and freedoms.

Employers should not exclude candidates from the recruitment process for objecting to social media checks. Doing so would excessively infringe upon the candidate's rights and interests. It would be challenging for the employer to justify that no other methods, less intrusive than social media checks, could achieve the same processing purposes.

Data Minimization

The employer has the right to collect only such data that are relevant and limited to what is necessary in relation to the purposes for which they are processed – this is the so-called "data minimization" principle outlined in the GDPR. Collecting information about marital status and personal opinions on various public topics will generally violate this principle, and the employer is not entitled to do so. Moreover, processing such data poses a risk of discrimination in the selection process based on, for example, ethnic origin, religion, or beliefs, as a result of obtaining personal information.

Enforcement and Sanctions

The GDPR has gained notoriety for its stringent sanctions, which can amount to €20 million or 4% of a company's global annual turnover, whichever is higher, underscoring the critical importance of data protection compliance.

So far, based on the publicly available information regarding the practices of data protection authorities in EU member states, no sanctions have been imposed on employers for unlawfully collecting information from candidates' social media profiles.

However, issues related to the lawfulness of such checks by employers (or recruitment agencies) have caught the attention of supervisory authorities, leading to clarifications in various opinions, guidelines, and other documents. For instance, Italy has an approved code of conduct for recruitment agencies, stating that checks should be conducted only on candidates’ profiles in professional networks, and information collection should be limited to relevant professional qualifications.

Key Takeaways

In conclusion, it should be noted that the internet offers employers vast opportunities to access information about candidates that they would not have the right to request during recruitment, such as “sensitive” data about political views, religious beliefs, health status, or sexual orientation. Although the employer does not have the right to use such information, learned for example from a candidate's personal Facebook profile, the hiring decision may still be influenced by it. Therefore, it is important for individuals to be aware that they can have control over the information about them on the internet and to be mindful of the "digital footprint" they leave behind.

When it comes to employers, the integration of social media checks into the recruitment process presents both opportunities and challenges. It is essential for them to navigate this area with caution, adhering to legal requirements and respecting the privacy rights of candidates. 

This article is subject to copyright. It expresses the opinion of the author and should not be considered as a recommendation to take certain actions or legal advice.

By Irena Koleva, Senior Associate, Deloitte Legal

Deloitte Legal at a Glance

Deloitte Legal Adriatic is a unique law firm consisting of teams of highly specialized lawyers, providing a vast range of legal services, and part of the commercially integrated Deloitte Legal Group. Deloitte Legal Adriatic has a team of 50 legal professionals, qualified in their jurisdictions, at offices across 8 countries: Albania, Bosnia, Croatia, Kosovo, Montenegro, North Macedonia, Serbia and Slovenia. Across the Adriatic region, our offices assist clients in this interlinked, highly complex, and dynamically developing region. We are among the largest law firms in our jurisdictions and have offices in each of the most important business centers. With a multi-lingual international team, all of whom are fluent in English, we can assist clients through our dedicated language desks including in Chinese, German, French, Russian, and many other languages, including all the Balkan languages.

Deloitte Legal Adriatic’s bundled, technology-enhanced, cross-border capable service array is a step ahead in providing clients with effective business solutions, and in these challenging times is even more important than ever before in our Adriatic Region. Our team has a collaborative orientation as well as the country specific and international legal and business savvy your business needs. Like our clients, we also know that sure success, in addition to everything else, usually requires winners to simply work both harder and smarter. We are here for our clients to do just that.

Across the Adriatic, we offer a full scope of legal services in the main commercial practice areas, including: 

  1. Banking & Finance – regulatory, real estate, syndicated projects, securitization, NPLs, restructuring, and insolvencies
  2. Business Integrity – investigations, compliance, privacy, GDPR, anti-trust, and competition
  3. Corporate – day-to-day operational, governance, and family protocols
  4. Digital – technology, media, and communications
  5. Employment – full spectrum services including mobility services
  6. Environmental – internal/external due diligence, and compliance advice
  7. GDPR – privacy issues, cyber-attacks, AI, legal, technical and organizational aspect of GDPR compliance
  8. Litigation – including tax, white collar, and discovery support services
  9. M&A – including due diligence, JVs/alliances, and post-transaction restructuring
  10. Real Estate & Construction – transactions of all types as well as development & planning
  11. Commercial – including full coverage supply-chain and distribution contractual coverage

Besides traditional legal fields, we are building prominence in growing fields such as Business Integrity, Legal Management Services, Tax Litigation & Controversy, E-commerce, and Fintech. We take pride in being able to pioneer in industries and practices ahead of many other law firms. We have the benefit of accessing cutting-edge data, technical aspects, and operational realities of various industries through our internal Deloitte collaboration with various service lines (Consulting, Financial Advisory, Tax, and others). This market intelligence is again unparalleled among  our competition and presents a wealth of opportunities for genuine insights to evolving trends.

Our client service resonates with an individual approach, genuine relationship building, dedication, availability, efficiency, and high-quality communication, on top of understanding our clients’ commercial, financial and tax needs and the requirements of the market.

Authentic synergies with our financial and tax teams, as well as our colleagues’ professional experience and education, make our firm one of the most experienced, effective and efficient firms in the Adriatic region, with expertise in a wide variety of legal fields. Our positioning on the legal markets has been noticed and recognized by both mainstream international attorneys-ranking agencies – Chambers & Partners, IFLR and the Legal 500, which distinguishes us across all significant legal areas and functions.

Local contacts:

1. Albania and Kosovo

Deloitte Legal Sh.p.k

Sabina Lalaj, Attorney-at-Law, Managing Partner

slalaj@deloitteCE.com

2. Croatia

Krehić & Partners in cooperation with Deloitte Legal

Tarja Krehić, LL.M. (DUKE)

Attorney-at-Law, Managing Partner

tkrehic@kip-legal.hr

3. Serbia, Montenegro and North Macedonia

Law Office Antonić

Stefan Antonić, independent attorney at law in cooperation with Deloitte Legal

santonic@deloittece.com