Consent could indeed be a valid legal basis for storing job applicants’ CVs. Another possible legal basis could be legitimate interest. In that case, you would have to carry out a balancing test to prove that your organisation’s legitimate interests outweigh the applicants’ rights.

At any rate, you will have to inform the candidates that you plan to store their data and for which purposes.

More information:

• Process personal data lawfully

When there are two or more data controllers who jointly determine the purpose and means of processing, they are considered joint controllers. They decide together to process personal data for a joint purpose. Joint controllership can take many forms and participation of the different controllers may be unequal. Joint controllers must therefore determine their respective responsibilities for compliance with the GDPR.

It is important to note that joint controllership leads to joint responsibility for a processing activity.

• Example of joint controllership:  Companies A and B have launched a co-branded product and wish to organise an event to promote this product. To that end, they decide to share data from their respective client and prospective client databases and decide on the list of invitees to the event on this basis. They also agree on the modalities for sending the invitations to the event, how to collect feedback during the event and follow-up marketing actions. Companies A and B can be considered joint controllers for the processing of personal data related to the organisation of the promotional event as they decide together on the jointly defined purpose and essential means of the data processing in this context.

More information:

• Data controller or data processor

1. Make sure that the data that you received was collected legitimately and that the individuals concerned have been informed about the processing of their personal data.
2. In case a third party is processing personal data on your behalf, make sure you have a controller-processor contract, which details the processing operations and means to process personal data.

And of course, comply with all the obligations of controllers.

More information:

• Data controller or data processor

DPOs can fulfil other tasks within the organisation, but this cannot result in a conflict of interest. This implies that the DPO cannot have a position in which they determine the purposes and means of the processing activities. Conflicting functions include mainly management positions (chief executive, chief operating, chief financial officer, Head of HR, Head of IT, managing director) but may also involve other functions if they lead to the determination of purposes and means of processing.

The DPO must be able to perform their duties and tasks in an independent manner. This means that your organisation:

• may not give instructions to the DPO with regard to the performance of their DPO duties;
• may not penalise or dismiss the DPO for performing their tasks.

More information:

• Data Protection Officer

The GDPR foresees specific rights for individuals that have to be respected. You can do this by:

• informing individuals whose data you process about your processing operations and the processing purposes when you collect their data, for example via a privacy statement on your website;
• by responding to individuals’ requests to exercise their rights, such as access, rectification, objection, erasure or portability requests.

Organisations that are transparent about their use of personal data and that respect the rights of individuals are less likely to become subject to complaints.

More information:

• Respect individuals’ rights

A personal data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

• If the data breach poses a risk to the individuals concerned, you must report it to the relevant data protection authority within 72 hours.
• If the breach is likely to result in a high risk to individuals, you will also need to communicate that breach to the individuals concerned without undue delay.

In any case, for all breaches – even those that are not notified to a DPA - you must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response.

More information:

• Data breaches

If your organisation is collecting the personal data directly from individuals, it must provide the necessary information at the time of collection.

In case of indirect collection of personal data, your organisation must provide the information at the latest within one month after the personal data has been initially obtained. This maximum period of one month can be reduced:

• if the personal data is used for the purpose of communication with the data subject. In that case, you must inform the data subject at the latest at the time of the first communication to the data subject;
• if the data is transmitted to another recipient, the organisation informs the data subjects of this at the latest when the personal data is transferred. 

More information:

• Respect individuals’ rights

Publishing the names of the winners of a competition on your website could be considered as a legitimate interest, if you can prove this by carrying out a balancing test to determine whether your legitimate interests outweigh individuals’ right.

A good practice would be to set up an internal procedure in which the rules on publishing personal data of winners are explained.

In addition, the processing of personal data for these purposes should be part of the competition’s privacy policy, so that participants are informed in advance about how their data is going to be processed.

More information:

• Process personal data lawfully

For consent to be considered valid, it must be:

• freely given;
• specific;
• informed; and
• unambiguous.

This means that individuals must have a genuinely free choice regarding whether or not they agree with the processing of their personal data; they need sufficient information so that they can understand which data is processed, for what purpose, and how this is done; they also need sufficient granularity in consent requests.

In addition, there should be a clear affirmative action from the individual (without pre-ticked boxes and made separately from applicable general conditions).

In addition, individuals need to be able to freely withdraw their consent (without any negative consequences) if they change their mind later on.

More information:

• Process personal data lawfully

You cannot store personal data forever.

As a rule, personal data can only be stored for as long necessary in light of the purposes for which the personal data is processed.

In some cases, the storage period can be determined by specific laws, for example, labour regulations determine a storage period for payroll lists.

Organisations should put in place data retention policies to make sure that personal data is not kept longer than is necessary. Individuals’ personal data must be deleted or anonymised once this data is no longer necessary for the purpose for which is was processed. 

More information:

• Data protection basics