Many times a poorly interpreted rule can seem contrary to common sense. In today's article I want to clarify an issue that has surely generated more than one headache for human resources selection colleagues; Well, although it may seem simple, it is a topic with many edges.

Data protection regulations

The data protection regulations apply materially to «the totally or partially automated processing of personal data, as well as the non-automated processing of personal data contained or intended to be included in a file». Let's break down this definition at a high level:

First of all, let us remember that it is considered «personal data» any information relating to an identified or identifiable natural person. In other words, any data that, alone or in combination with others, allows its association with a person (e.g. the data “Zaragoza address” associated with a name and surname) or its identification (e.g. a full name or a DNI). ), generating information about it.

Secondly, the term "treatment» means any operation carried out on personal data: collect, store, structure, send, modify, interconnect, etc.

The concepts of «automated or non-automated» do not present great complexity, fundamentally it means that the regulations cover both the processing of digital data and that of paper data. For his part, "file» means any structured set of personal data, accessible according to specific criteria, whether centralized, decentralized or distributed functionally or geographically.

The last part of the definition, however, may contain the key to answering the question asked. The regulations apply when personal data is contained or intended to be included in a file.

Therefore, depending on the specific context, we will find different nuances to the question “do data protection regulations prevent requesting references from a former employee?”

Variables involved

As an example, the following variables could intervene:

If the candidate has proactively provided contact information for people to ask for references or if the company has asked for it.
If the company has directly contacted the company listed on the CV.
Whether or not the references are going to be stored somewhere (whether internal notes from the recruiter captured after a phone call or a written document certified by the HR Department of the previous company).
The content requested or provided in the references.

These factors will intervene in the assessment of the legality condition whether or not it protects the selection company to collect and include these data in a file of candidates, which, for their validity, must be complemented in any case with the fulfillment of various obligations required by the regulations, such as the duty of information. , data security and attention to rights.

On the other hand, from the perspective of the company from which references are requested, we must also ask ourselves if it could give them without incurring a breach. Again, there will be as many assumptions as we can think of.

Does data protection prevent asking for references from a former employee?

Broadly speaking, it is interesting to distinguish between those references given verbally by a worker from the candidate's former company those provided in writing, as well as those that are impressions or subjective evaluations of those that are concrete data on performance (e.g. José G. sold a 53% more than the rest of his colleagues in the first half of last year).

So, for example, the references consisting of subjective assessments provided verbally, from the point of view of the respondent, in my opinion, do not fall within the scope of application of the data protection regulations.

Well, although the AEPD has clearly said that they also constitute personal data, at the time they are provided by the respondent they are not contained in any file nor are they intended to be incorporated into a file of the respondent.

These same data, however, do involve processing for the recruiter when he plans to record them in a file under his responsibility or on behalf of a third party (think of selection consultancies that act as intermediaries for a client), at which time that data protection regulations will apply in their entirety.

Do you want to specialize in Compliance Management and data protection?

He Master in Compliance and Data Protection Management will turn you into a highly qualified professional with the necessary skills to carry out specialized tasks in two of the most relevant areas for both private businesses as for public administrations: data protection and regulatory compliance or Compliance.

Subscribe to our newsletter to stay up to date with all the news

Name and surname *

Email *

*I give my express consent and accept the Privacy Policy.

Basic information on data protection.
Responsible for the treatment: Mainjobs Internacional Educativa y Tecnológica SAU
Purpose: Manage your subscription to the newsletter.
Legitimation for processing: Explicit consent of the interested party granted when requesting registration.
Transfer of data: No data will be transferred to third parties, except under legal obligation.
Rights: You may exercise the rights of Access, Rectification, Deletion, Opposition, Portability and, where applicable, Limitation, as explained in the additional information.
Additional information: You can consult additional and detailed information on Data Protection at https://www.mainfor.edu.es/politica-privacidad