Calendar entries for applicants quickly become a data protection problem

by admin

In its activity report for 2021, the Bavarian State Office for Data Protection Supervision (BayLDA for short) highlighted an interesting topic from the everyday work of every organization: the handling of applicant data when organizing job interviews. In most organizations, several people take part in job interviews. An appointment invitation via Outlook or a comparable tool brings the necessary internal people and the applicant(s) to the table at the right time. Everything that, from the BayLDA's point of view, can go wrong here in terms of data protection is described from page 50 of the TB 2021 onward.

Scheduling appointments with applicants via (Outlook) calendar invitations

Among other things, applicant management requires appointments for the job interviews. Current collaboration tools such as Outlook manage these appointments, along with the associated invitations, in the calendar of the organizing HR department and also in the calendars of the participants. The entries usually contain the name of the applicant and, in most cases, information about the position to which the interview relates. In some cases additional information is added. Occasionally, the application documents are even attached again so that the information can be distributed.

Calendar entries quickly become a data protection problem

The BayLDA has no problem with the applicant's name being in the calendar entry and the invitation. It also doesn't mind that the keyword "application interview" is included. For everything that goes beyond that, the BayLDA sees the following data protection problems and requirements.

Restricted access to the applicant’s data (confidentiality) and compliance with a suitable deletion concept must be ensured

Organizations may only store applicant data in a location that is appropriate from a privacy perspective. This storage location must meet at least two criteria:

  • An access concept must exist. It must be precisely defined who can access the data, and the circle of authorized users must be limited to a minimum.
  • It must be clear when and how the applicant's stored data will be deleted again. The data may only be stored for as long as is necessary. This principle is not new in data protection either.

With calendar entries and shared calendars, both are often difficult

Important here: these concepts should not only exist on paper, but also be put into practice, verifiably and comprehensibly. The BayLDA is not entirely wrong in commenting that "The two aforementioned criteria for calendar usage are not met in most practical use cases." This usually fails because of the usual substitution arrangements for mailboxes and calendars. As a result, employees who are not involved in job interviews at all repeatedly gain access to the data.

Outlook and other tools lead to generous access rules

Such calendar sharing settings are often configured very generously. This is meant to make it easier to schedule appointments among several participants, which is quite practical. But it can also result in employees having access to calendar data when they shouldn't. The same applies to group mailboxes that several people have access to.

The BayLDA's conclusion: Additional documents do not belong in the Outlook calendar

Against this background, the BayLDA is very critical when application documents, interview notes and preparation notes for an interview are saved in the Outlook calendar. They don't belong there, but rather in the care of the person responsible for the organization's human resources affairs. If there is a specific need, that person can grant access to people who have to be involved in the application process.

The deletion of all data must be ensured (deletion concept)

The BayLDA attaches particular importance to the proper deletion of data after the completion of an application process. It is quite clear that even then access to applicant data may still be necessary. This applies if the organization has reporting obligations, for example to the employment agency.

Beware of the trap: Applicants’ right to information goes very far

In practice, one should ask oneself whether it would be better to do without the applicant's name in the Outlook calendar altogether. It happens again and again that an applicant asserts the right to information under Art. 15 GDPR. This is particularly common when someone has not gotten the job and claims, for example, that this is due to discrimination against them. Many lawyers are of the opinion that the right to information then also extends to the entries in the Outlook calendar.

The effort that this creates is considerable. The organization must have the entire Outlook calendar searched. In addition, it may be necessary to ask which employees have taken entries from it and saved them locally. All of this can be avoided if the candidate's name is not included in the Outlook calendar.

Conclusion: Structure and organization-wide regulation necessary

As part of a structured application process, every organization should take these aspects into account from the outset and establish binding procedures. This makes for a uniform and simpler procedure compared to the "everyone does what they want" method 🙂
