AI and Personal Data: a Job Seeker's rights

What happens to your data when you apply for a job? With the advent of AI in the recruitment process, a notice issued by the CNIL regarding the management of candidates' personal data highlights issues of transparency and ethics.

What types of data are companies allowed to collect about candidates?

By definition, personal data is information that allows for your direct or indirect identification as an individual.

The CNIL (National Commission on Informatics and Liberty) ensures that information technology remains beneficial to French citizens. In the context of recruitment, it authorizes the collection of such data only if it proves to be relevant. For example data that identifies, verifies skills, and evaluates the professional abilities of the candidate. It recommends minimizing the amount of collected data, emphasizing that they should be legitimate, explicit, and limited.

In the recruitment process, the company collects your data directly when you submit your CV and cover letter. The collection also occurs indirectly when a recruiter contacts your former employers or reviews your activities online. Finally, during a video interview, the recruiter may want to record the exchange or use a solution analyzing your facial micro-expressions and assessing your skills. This process must be explained to the candidates, who should (in theory) also consent to the examination of their LinkedIn profile or references. They must also give their consent if they are recorded during an interview.

In case the company uses a platform with an algorithm that collects data to preselect candidates, the candidate must be informed during the application submission.

An automatically received email: we acknowledge the receipt of your application... We will proceed to review your file. However, if within a period of three weeks, you do not hear back from us, we invite you to consider another opportunity. — In the context of an automated email, the receipt message informs you of the time required for sorting - and possibly that your application is preselected.

In case of rejection of an application, what can I do?

If your application has been rejected by a robot, you can directly contact the company's recruitment manager. You have the right to request a copy of your data and access information on which the recruiter relied to make a decision. The goal is to have a person verify that the algorithm rejected you based on job-related criteria, not due to discriminatory biases.

A significant risk when an algorithm has been trained to receive profiles with identical physical and moral characteristics: it may tend to select the same type of candidates during preselection.

For instance, in 2014, the e-commerce giant Amazon attempted to automate its technical recruitment process in France. However, the program unintentionally learned that the ideal candidate was a man, based on applications received over a decade. The tool tended to give higher ratings to male applications, even rejecting very qualified female profiles. Despite multiple corrections by the IT team, the program never managed to be impartial, and the company had to abandon the software.

In case of a complaint, the responsible person reviews the file and gives a final decision. The candidate must then have time to request an explanation of the reasons for this rejection before the recruitment process is closed.

If the rejection of the application is related to tests conducted during the process, the candidate must be able to request the test results along with elements for interpretation.

How long can my data be retained?

3 months

duration recommended by the CNIL for the retention of personal data of unsuccessful candidates.

To feed the pool of candidates, your personal data can be retained for up to two years if you tacitly accept it. If the agreement is not renewed, HR software allows for the automatic deletion of this data.

Throughout the recruitment process, the candidate can at any time request the removal or correction of their personal data from the company's databases.

An email stating that collected personal data will be automatically deleted after 30 days without a renewal request.

A lengthy complaint procedure

Over the past 5 years, we observe that the personal data of job seekers is better protected - especially when the recruitment software with a selective algorithm is European. Currently, the European Parliament continues to negotiate with (or even sanction) software that does not comply with the GDPR. In case of non-compliance with regulations, the company may be fined up to 4% of its turnover.

In practice, it can be difficult to contact someone in charge, especially when receiving an automated response with the famous "no-reply." But who is responsible for data collection: the internal recruiter? The designer of the preselection software? The recruitment agency mandated by the company? Here are a few elements: