Data protection

Header Image

Danish Companies could end up being overrun by GDPR requests

Danish Companies could end up being overrun by GDPR requests 1200 628 HR-ON

When the new GDPR rules come into effect, businesses could be hit by thousands of inquiries from customers about their data.

Next week, the EU’s Personal Data Regulation (GDPR) will come into effect, and so far the main focus has been on the extremely large fines that businesses risk having to pay if they fail to live up to the regulation. However there is another issue looming on the horizon for companies. And it could affect all companies, whether they comply with the regulation or not. According to, up to four in ten consumers will take advantage of their right to gain access to corporate data collected by companies. The figures come from a survey conducted by Veritas involving around 3,000 adults across Europe.

“Although it’s unlikely that all 40% will actually choose to seek this information, it will nevertheless create a huge extra workload. The only thing companies can do is to automate as much of the process as possible,” Ali Cevi explains (director of HR-ON). 

Companies are not prepared for GDPR

However, many companies are not that far ahead in the process and have not yet automated this process. In fact, many of them are not ready for GDPR at all. A recent study, conducted by A&B Analysis on half of HR-ON, shows that more than a third of Danish companies are simply not ready for the new GDPR rules.

“The new GDPR law is very comprehensive, and probably also more comprehensive than most people have realised. I fear that many companies will still be in for a nasty surprise, even if they think they are prepared for GDPR” Ali Cevik says.

The ugly surprise can also come in the form of dissatisfied users. According to the Veritas survey, eight percent of consumers will consider taking advantage of opportunities to take revenge on companies they feel have treated them poorly.

“Basically, companies must modify their systems, so that it is possible to populate all the necessary information with one click. It will be a big task if this needs to be done manually. And if many users approach a company at once, this would be almost impossible to do manually,” Ali Cevik explains and continues:

“In the worst case scenario, a business could be hit by a campaign on social media with thousands of customers suddenly asking for information. If the company is unable to deliver within 14 days, as prescribed by the rules, they risk one of the large fines. For some companies, a fine of that size could even result in closure.”

The Personal Data Regulation comes into effect on May 25, 2018

Banner image

How GDPR affects recruitment and job adverts

How GDPR affects recruitment and job adverts 1200 628 HR-ON

The new GDPR (General Data Protection Regulation) affects recruitment and job advertising. Here is some information to help you get ahead in your recruitment efforts.

Article updated in May 2018.

GDPR is changing the way companies recruit – this is generally good, but it will increase the complexity of online recruitment for some companies. In this article, we will focus on what you need to ask in your job postings and what data you must collect from potential candidates in the future when the new Personal Data Regulation enters into force at the end of this week, on May 25, 2018.

You will find answers to the following questions regarding online recruitment:

  • What kind of data will be allowed in recruitment?
  • What are you allowed to ask your candidates according to GDPR?
  • How to avoid unwanted information?
  • What you should be able to document for data protection?


In reality, there is not a big difference in the kind of data you are allowed to collect before and after the General Data Protection Regulation. The key difference is in your documentation and in the processing of data.

Therefore, you can expect some extra work in the processes before and after the collection of data. For example, it is necessary to argue the reason behind the collection of certain kinds of data in connection with recruitment.

Therefore, as a recruitment officer, you need to cast a critical look at the data you collect about your candidates.


Not all the knowledge and data you collect is relevant to evaluate the best candidate for a specific job vacancy.

With the new Personal Data Regulation you need to look at the application form(s) you use and answer the following questions:

  • Are all questions relevant to find the right candidate?
  • Do you collect sensitive information?
  • Have you documented your assessment and positioning of the above?

When the General Data Protection Regulation comes into force on Friday, it is important, that you have thought about and implemented these questions in your recruitment routine, so your online recruitment process meets the requirements of GDPR. It is very important to understand how GDPR affects your recruitment and to make changes to accommodate the new rules.

Try the risk assessment tool provided by HR-ON.


To start with the first question, it is important that you do not have unnecessary questions on your application form.

Is it still relevant to know your applicant’s place of residence, or is it a superfluous information that can be substituted with the candidate’s general zip-code, to know if they live nearby? Most people already communicate by phone or e-mail, so you probably do not need to send a letter to any of your candidates via mail.

Place of residence is, therefore, in most cases, an example of unnecessary information from your applicants.

When the General Data Protection Regulation comes into force on May 25th, it is important that you expound the information and data, that you gather from candidates. The Data Protection Agency will be critical to both redundant and useless data collection from candidates, which can be at risk – especially if there is sensitive information among them.

Which leads us to the next important point.


In the European Regulation, it is distinguished between two kinds of personal data: general information and sensitive information.

The level of data security and documentation depends on the type of data you want to collect. Especially your measures in case of data breaches and leaks.

Examples of the two different kinds of personal data can be seen in the table:

General information Sensitive information
  • Name
  • Address
  • E-mail
  • Prior offenses
  • Passport, drivers license etc.
  • Journal number
  • Racial or ethnic background
  • Political, religious or philosophical beliefs
  • Professional memberships
  • Health as well as sexual relations or orientation
  • Social security number (Has a grade outside of scale)

If you only want to collect just general information, it makes sense to obtain a so-called ISO 27001 certification.

You can read about ISO 27001 certification here.

As a general rule, you should only collect common information, as sensitive information has much higher information security requirements.


One of the most important points in the new GDPR in relation to recruitment, is documentation.

In order to be GDPR-compliant with your questions in the job post, it is important that you not only have a critical look at the data and questions you ask your applicants , but you must also prove that you have been critical of them.

In practice, this means, that you will need a handbook or documented guidelines for questions, which you can refer to if the Personal Data Agency comes knocking.

For many recruiters, it will therefore make sense to use standardized questions in job vacancies. This will help avoid documentation and argumentation for data collection in all job listings and posts.


Now you know, what you are allowed to ask your candidates and how to document your recruitment process.

But your applicants can still send you sensitive information through mail or your recruitment system. And that can actually become a problem for you. According to the General Data Protection Regulation, you are still obliged to take measures to ensure that you do not receive sensitive information from people.

In the vast majority of cases, it will be sufficient to point out that you do not want to receive your applicants’ sensitive information.

In other cases it’s hard to get rid of them; for example on exam papers, which almost always have the social security number printed on them.

But since HR-ON’s main aim is to make recruitment easier, we have implemented technical solutions that can automatically sort out the sensitive information. Hopefully this article will help you and your business understand GDPR and how it affects recruitment.

Read about the future of e-recruitment here get a demo before the GDPR is coming into force on May 25, 2018.

Fill out the information and we will contact you as soon as possible.


Lad os ringe dig op og aftale en uforpligtende demonstration.

HR-ON Logo

HR-ON er en cloudbaseret programpakke, der gør jeres HR-arbejde lettere, sjovere og ikke mindst meget mere effektivt. Kort fortalt får I styr på hvem, der skal gøre hvad og hvornår. Samtidig har I overblik over, at det rent faktisk også bliver gjort.

Børsens Gazelle pris 2018
Børsen Gazelle pris 2019
Charter mangfoldighed

Østre Stationsvej 27, 3   //  DK-5000 Odense C   //  +45 71 99 07 27   // //  CVR: 34474540