GDPR – What Is It & How It Affects Candidates and Recruitment Agencies

By February 15, 2018 No Comments

GDPR and data protection

What is the GDPR?

GDPR stands for the General Data Protection Regulation (1). It is a regulation that the European Union has passed with the intention to standardise and strengthen data protection across the EU (2). This regulation was enforced on 25th May 2018. Because it is a regulation and not a directive, it means that national governments don’t need to pass enabling legislation. After a 2-year transition period, it will become directly enforceable across the EU.

Why Is Data Protection Important?

In the modern era, organisations of all types (governments, NGOs, private businesses, etc.) collect data on partners, clients, and employees. Not in a paper filing system but on digital databases accessible via the Internet. This data can contain sensitive information like names, addresses, contact information, employment history, medical information, etc.

When used responsibly and correctly, it can be very useful and efficient to have this data. But there are also some risks and dangers to its use, such as:

  1. The data could get into the hands of people who may use the information for ill-intentions
  2. Stored data may contain information about persons (which may or may not be fair and accurate). But this inaccurate information can be shared and spread very quickly, which can lead to unfavourable outcomes
  3. Digital data can be easily copied and shared, unlike paper where more steps need to be taken.

What Laws Exist Already for Data Protection?

The GDPR replaces the EU Data Protection Directive of 1995. The latter states that personal data may not be processed at all unless three categories of conditions were met. These are transparency, legitimate purpose and proportionality (3).

  • Transparency conditions generally stipulate that the data subject has given their consent and that there are clear reasons behind the data collection.
  • Legitimate purpose conditions stipulate that the data must be used for lawful, useful and well-intentioned purposes.
  • Proportionality conditions stipulate that the collected data is relevant and kept only for as long as needed.

You can access the official information about the data protection directive here. (available in all EU languages) (4).

How Does the GDPR Build on Existing Legislation?

The GDPR goes above and beyond the 1995 directive, adding more protection and widening the geographical scope of the protections (5). The key changes are:

  • Wider geographical applicability: Perhaps the biggest difference in the GDPR compared to the previous directive is that the protections will affect all organisations that process data of persons living in the EU, irrespective of the organisation’s location.
  • Penalties: The fines for an organisation that breaks the GDPR laws will have to cough up much larger sums of money for their breaches. The fines can be as much as 4% of their annual revenue or €20 million, whichever is greater.
  • Consent: Giving consent, as well as withdrawing/declining consent must be easy and accessible to data subjects. Previously, organisations would use lengthy terms & conditions documents in order to get people’s consent, this will no longer be allowed.
  • Breach Notification: If any data breach occurs, this must be notified within 72 hours.
  • Right to Access: Data subjects will have the right to access and view their personal data held by any organisation, free of charge, in an electronic format.
  • Right to be forgotten: The data subject will have the right for all of their personal data to be erased. Further dissemination of the data must be stopped.
  • Data Portability: Data subjects may demand their personal data in a ‘commonly used and machine-readable format and may transmit this data to another organisation.
  • Privacy by Design: This concept means that organisations must create and put in place GDPR compliant systems and processes from the start. As opposed to adding various measures in an ad hoc manner post-factum.

 You can read more details about the key changes here:  https://www.eugdpr.org/key-changes.html

Blue Lynx is GDPR Compliant Recruitment Agency

As a recruitment and HR services company, Blue Lynx receives a lot of data in the form of CVs, employment contracts, etc. We have already taken all necessary measures to ensure the safety and privacy of all individuals who interact with us. Many of these added rulings will not require us to implement changes.

What Does the GDPR Mean for Job Seekers?

The GDPR means that we all, as citizens of the EU, will receive better protection. This is something Blue Lynx is pleased about. Job seekers will now have better control over what type of personal data agencies store and process. We believe in the importance placed on privacy and security by the GDPR. So you can be assured that your data is safe with Blue Lynx when you register as a job seeker.


  1. EU GDPR website: https://www.eugdpr.org/
  2. GDPR on Wikipedia: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
  3. Data Protection Directive on Wikipedia: https://en.wikipedia.org/wiki/Data_Protection_Directive
  4. Data Protection Directive summary: http://eur-lex.europa.eu/summary/en/LEGISSUM:l14012?celex=CELEX:31995L0046
  5. EU GDPR Key Changes: https://www.eugdpr.org/key-changes.html