Impacts of GDPR on the processing of an application to a job by a candidate

ABBL Published 11.05.2018

On the 25th of May, the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, commonly referred as the General Data Protection Regulation (GDPR), will enter into force with all the implications it will have on an organisation’s daily business.

Beside the impact on the commercial activity of the financial institutions, organisations will also be impacted as employers whether in their relation with the employees not only during the execution of their employment contract or after the end of it but also before having started any working relationship with the candidates.

In facts, as soon as an employer receives an application, directly linked to a job offer or via spontaneous application, the employer has, at the time when personal data are obtained, an obligation to give the candidate information about:

  • the identity and the contact details of the controller (i.e. employer) and, in certain situations, its representative;
  • the contact details of the data protection officer, when the organisation has appointed one;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing (i.e. assessment of profile in view of the conclusion of an employment contract);
  • the recipients or categories of recipients of the personal data;
  • where applicable, the fact that the employer intends to transfer personal data to a third country under certain specific circumstances;
  • the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the employer access to and rectification or erasure of personal data.

Employers should bear in mind that, in principle, the personal data should only be processed for the purpose for which it has been collected.

In case the employer intends to use the personal data for a purpose other than that for which the personal data were collected, the employer shall, prior to that use, inform the candidate on that other purpose and provide him with any other relevant further information.

Sometimes, employers do not receive certain personal data directly from the candidate, but via headhunters, for example. In such situation, the employer must inform the candidate of the personal data treated within a given period of time, i.e. not more than 1 month after the reception.

It has to be mentioned that the candidate shall not be charged with any fees to receive this information or exercise any of its rights and that all theses conditions should also apply to the case of a spontaneous application.

Furthermore, employers should keep in mind that a contract between the organisation and a subcontractor (for example a head hunter with a mandate) is always needed to process data received by the latter.

Finally, when a candidate has been chosen for the job, the procedure for the conclusion and fulfilment of the employment contract applies. The employer (or the head hunter respectively) must also inform the unsuccessful candidates of the decision and of the treatment of the personal data communicated. In this context, the personal data shall be kept in a form permitting the identification of candidates for no longer than is necessary.


By Cristelle Cervellati-Bretnacher, ABBL Legal Adviser


Association des Banques et Banquiers, Luxembourg


12, Rue Erasme L-1468 Luxembourg

Phone Fax
Opening hours

Monday to Friday from 8:00 to 17:30.