Employee data protection: What are the deletion deadlines for applications under the GDPR?

In every application there is inevitably personal data. For the HR department, employee data protection begins with applicant management. On the one hand, this is rather harmless information such as the name and address of the applicant. But even the detailed information on professional qualifications in the curriculum vitae and certificates are not intended for the public. Applications can also contain data from the special categories of Art. 9 GDPR with their further increased protection requirements. Just think of information about a possibly existing severe disability or the naming of the denomination.

When do applications have to be deleted according to the GDPR?

The principle of Art. 17 GDPR that data must be deleted as soon as the original purpose of the data processing has expired also applies here. Therefore, application documents and thus the personal data they contain must be deleted as soon as the purpose of the data processing has been achieved or is no longer available.

The purpose of processing information from application documents is to fill a vacancy in the company with a suitable person. As soon as a company has examined an application and made the decision against hiring the applicant, the application process is over. From this point in time, the purpose of data processing is fulfilled and the data must be destroyed or deleted as a matter of principle.

Obligation to delete also for recruited applicants?

However, this does not apply to the application documents of those applicants who are hired. A company is allowed to include their documents in the personnel file, since the original purpose has been replaced by a new purpose. If these documents are the basis of the employment relationship and their further storage is therefore permissible according to Section 26 Paragraph 1 Sentence 1 BDSG.

Storage permitted for 4 months

However, a company also has a legitimate interest in long-term storage of application documents that have not been considered.

In a statement, the supervisory authorities have now recognized this and made it clear that the obligation to delete does not occur immediately after the end of the application process. Rather, the application documents may be kept in the company for a period of 4 months after the end of the application process.

Concrete measurement of the retention period

But how did the supervisory authorities proceed when measuring the specific retention period? The background to this is the possibility of a lawsuit under the General Equal Treatment Act. According to this law, applicants can sue for compensation if a company discriminated against them in the application process, for example on the basis of their origin or gender, and therefore did not take them into account when they were hired.

Of course, a company must be able to defend itself in the event of a lawsuit and needs the application documents received for this.

However, the period of action under the General Equal Treatment Act is very short. Therefore, the risk of a lawsuit can only justify retention of 4 months beyond the end of the application process.

Are there any exceptions?

The term application documents is quite broad. It is therefore essential to carefully examine all documents to determine whether a longer retention period does not apply in individual cases due to other laws. For example, if a company reimburses travel expenses, it must keep the receipts for the deadlines from the tax code.

Employee data protection and applicant pools

Of course, a company can also have reasons for longer retention. An example of this is what is known as an applicant pool. Interesting applications can be collected here, but they cannot be considered for the current job advertisement.

However, this procedure is only permitted with the applicant’s express consent in accordance with Art. 6 Para. 1 lit. a GDPR permissible.

Do you have questions about employee data protection and are you looking for competent advice for your HR department or your data protection officer? Call us on 08505 919 27-0 or fill out our contact form. We’re here to help!

This post is also available in: German