The introduction of the GDPR was always going to be followed by a period where the regulators and courts would use specific examples to establish some of the detail missing from the regulations themselves.
Whilst the initial focus was on the "usual culprits", the big social network organisations like Facebook, a couple of recent cases have shown how regulators are now starting to focus on how corporates use personal data.
Although these cases are not specifically about recruitment or HR there are some useful indicators of the way the regulators are thinking. This gives organisations the opportunity to amend their processes and systems to become compliant before they are directly challenged.
Consent must be freely given
We have always considered that the new, tighter rules about consent mean that processing data for the purpose of recruitment marketing needs to be kept entirely separate from that for processing an application. It needs to be clear that a user can apply for a role without their data being kept for marketing - and that needs to be the default option.
Users need to be informed of any processing
In this case the Dutch regulator has found that Microsoft were gathering and storing data from Office 365 users without any notification. They were also not giving users the ability to object to this processing.
They were also storing this data outside the EU - which also requires informing the user.
Recruiters need to be very careful, when deploying any system that tracks user behaviour, that this is done with the informed consent of the candidate. Candidates also need to be given the explicit option to opt out of this tracking at any point.
In addition, when processing a person's data on another platform, for example flagging or making notes on a person on LinkedIn, that person needs to be informed and given the option to object.