Skip to main content
Answer to CVs

Do I have to answer to CVs to comply with the GDPR?

One of the most common doubts in companies to comply with the GDPR is to answer to CVs or not. Sometimes, companies organize selection processes but, many others, candidates send their CVs without there even being a selection process open, through generic emails that can appear in the different communication channels of the company, such as their website.

In these already somewhat confusing circumstances, at the end of August, the news was published in different media that not responding to the sending of a CV informing of the company’s Privacy Policy could be punished by the AEPD.

What are the circumstances of the penalised case?

Indeed, the AEPD imposed a fine of € 2,000 on a company for not responding to the sending of a CV by a candidate via WhatsApp, but as always, it is necessary to understand the circumstances of the case to fully understand what the AEPD establishes.

  • The penalised company had an open selection process on its website, providing candidates with different means of sending their CVs.
  • On the website of the aforementioned company, where the job offer was available, in no case was information provided on the Privacy Policy in relation to the data that the candidates send, nor was it reported once the CV had been submitted by the candidate by any of the available means.
  • Additionally, the company did not comply with the prior request of the AEPD or present allegations at any time when it had the right to do so.
  • In these circumstances, the AEPD imposes a € 2,000 fine on the company for breach of the duty of transparency and information to the data subject.

Should I then answer to CVs that you send me?

The answer is plain and simple: NO. As long as a prerequisite and essential requirement is fulfilled: to inform of the company’s Privacy Policy in relation to the data collected at the time it is requested. If you report this fact at the time of data collection (the CV, in this case), under the terms of Art. 13 of the GDPR, you do not have to issue any type of acknowledgment of receipt, as that information has already been provided and the candidate already knows what you will do with his or her data.

This case reminds me of how common it is to include the company’s Privacy Policy at the bottom of emails, when this information should be provided when the data is collected and not when you already have it.

If you collect a CV in a selection process or are simply sent it, remember that….

  1. You must update the company’s Privacy Policy to include this fact. On many occasions, the Privacy Policies published on company websites are limited to informing of the conditions for processing the data collected only by that means (the website). You report the conditions for processing all the data handled by the company in this Policy, along with that of any CVs, even if you do not receive them via that means.
  1. Always collaborate with the AEPD. In addition to being a legal obligation, ghosting the AEPD is not usually a good strategy. In this specific case, I am unaware of the circumstances that led this company not to answer, but as I said, the AEPD usually values ​​the level of collaboration of the inspected companies. In some cases, the inspection can even end with a “simple” warning .

If you have questions about data protection in relation to your selection processes, please contact us!

    Information on data protection

    Company name
    Providing the service.
    Sending the newsletter.
    Legal basis
    Compliance with the service provision.
    Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.

    You may access, rectify or delete your data and exercise the rights indicated in our Privacy Policy.

    Further information
    See the Privacy Policy.