Legal Framework for the Retention of Rejected Employee Candidates’ Personal Data and Recent Developments
Melis Mert Managing Associate - Attorney at Law
Irmak Ulusinan Associate - Attorney at Law
Under the Turkish data protection legislation, namely the Law on the Protection of Personal Data numbered 6698 (“LPPD”), its secondary regulations and the decisions of the local Data Protection Authority (“DPA”), there are no pre-defined general periods envisaged for the retention of specific categories of data. Thus, the main rules and principles set forth regarding data processing activities within the LPPD must be taken into consideration in order to determine lawful retention periods for the processed personal data, which are as follows:
· Personal data processing must be relevant, limited and proportionate to the purpose for which data are processed (Art. 4 of the LPPD),
· Personal data must be retained for the period required by the relevant legislation or for the time necessary for the purpose for which they are processed (Art. 4 of the LPPD),
· Personal data must be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the person concerned in the event that the reasons for its processing disappear (Art. 7 of the LPPD).
Within this scope, personal data may be retained as long as its purpose which is based on a valid legal basis (such as legitimate interest, performance of a contract etc.) continues to exist.
II. Applicable Legal Bases for the Retention of Personal Data of Rejected Candidates
In cases where personal data of employee candidates whose applications have been accepted are retained, the relevant purposes and legal bases for such retention are clearer than those applicable for the retention of personal data within the job application files (such as CVs) of the rejected candidates, due to the below presented reasons.
Firstly, as the personal data within these job application files are likely to change within short periods of time, it would not be easy to argue that such data would still be up-to-date and can be considered relevant for the purposes of the data controller after relatively long periods of time. Since the LPPD foresees general principles for the processing of personal data (similar to those of EU’s) which are applicable and enforceable to the retention of data; storing and processing inaccurate / not up-to-date rejected candidate data shall constitute a violation of the LPPD.
Secondly, a valid legal basis must exist along with the lawful and legitimate (existing) purpose. In the specific case of rejected candidates’ personal data, the legal bases which may be relied on for the relevant purposes that the data controller wishes to retain these documents are very limited.
Ø The legal basis of “the processing of data belonging to the parties of a contract being necessary for the establishment or performance of a contract” will not be applicable for the candidates whose applications have already been rejected.
Ø The legal basis of “data processing being necessary for the data controller to be able to fulfil their legal obligations” or “Data processing being expressly envisaged by law” will not be applicable as there are no general legal obligation of the employer to retain job application files envisaged under Turkish laws.
Ø The legal basis of “data processing being necessary for the establishment, exercise or protection of a right” may be applicable to the extend where there is a risk of a lawsuits/legal actions to be initiated by the rejected candidate against the employer relating to the recruitment process (e.g. claims relating to discrimination). In such cases, employer may argue that it is entitled to retain this data for a longer period than normal in order to use it as evidence in a potential legal proceedings.
Ø The legal basis of “data processing being necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject” may be applicable in limited cases where the legitimate interest of the data controller can be demonstrated via a legitimate interest balance test, similar to the one under the EU’s data protection legislation.
For example, retaining personal data within the job application files of a rejected employee candidate during an appropriate period in order to be being able to offer the job position in case the (initially) accepted candidate becomes unavailable to take the position may be considered lawful.
The DPA recently rendered a decision assessing the issue of the legal ground of “legitimate interest” being relied on in order to retain data relating to rejected employee candidates as detailed below.
Ø The legal ground of “explicit consent of the data subject” may be applicable in cases where no other legal basis exists. It should be noted the principles set forth under the Article 4 of the LPPD must still be respected and the explicit consent criteria must be met; being (i) freely given, (ii) based on being informed and (iii) specific.
III. DPA’s Decision Regarding the Retention of Rejected Candidates’ Personal Data
The DPA recently rendered a decision regarding the retention of data belonging to a rejected employee candidate who had applied to a bank and requested the data controller bank to delete his/her personal data ("Decision”). The Decision includes the assessment of the DPA regarding the issue of the legal ground of “legitimate interest” being relied on in order to retain data relating to rejected employee candidates.
The DPA stated in its Decision titled “The continuation of the processing of personal data after the rejection of the job application of the data subject to the data controller bank numbered 2021/670 and dated 06/07/2021” which was published on its official website on December 27 2021 that legitimate interest cannot be considered as a valid legal basis in order to retain job application files of rejected candidates if the candidate has requested the employer to delete such data;
“It is necessary to evaluate the defense of the data controller on the basis of legitimate interests for the purpose of “retaining the personal data of the data subject for possible future applications by the data subject in order to confirm the personal data to be submitted to the data controller in these applications” […] the legitimate interest of the data controller in keeping the data of the data subject is not clear and specific, the expected benefit of the data controller from the processing activity can be obtained in another way and method without the processing of personal data and since it is considered that the data processing activity in question does not provide an institutional benefit to affect a large number of people, the legitimate interest of the data controller in the processing of the said personal data does not override the fundamental rights and freedoms of the data subject […]”
The DPA further instructed the data controller to destroy the personal data within the job application files of the applicant data subject and the personal data within of every other rejected candidate, if any.
With this Decision, it is seen that relying on the legitimate interest for the purposes of retaining these files “to be able to take the previous application of the candidate into consideration in the evaluation of the job applications to be made by the same candidate in the future” where the candidate has requested the deletion of such data carries a risk of enforcement of administrative sanctions by the DPA.
In conclusion, currently, data controllers must diligently assess their retention purposes with regard to the rejected candidate data and;
(i) in cases where the data controller relies on its legitimate interest, a legitimate interest balance test must be carried out by the controller in line with the following criteria;
a. Whether the fundamental rights and freedoms of the person concerned are at a competitive level with the benefit to be obtained as a result of the processing of personal data,
b. Whether the processing personal data is necessity of in order to achieve the said benefit,
c. Whether the legitimate interest already exists, is specific and clear,
d. Whether it is possible to obtain this benefit by other means and methods without processing personal data,
e. Whether the benefit in question affects a large number of people and is not only for the economic benefit of the data controller but it helps facilitate business processes or a functionality based on transparent and accountable criteria,
f. Whether the data subject is kept away from all foreseeable, clear and imminent dangers in order to prevent damage to his/her fundamental rights and freedoms, especially the protection of their personal data,
g. Whether all kinds of technical and administrative measures to ensure the security of personal data are taken,
h. Whether general principles set forth under Article 4 of the LPPD are complied with.
(ii) if there is no other legal basis for the relevant retention, explicit consent of the data subject (candidate) must be obtained. As mentioned under the Introduction section above, explicit consent criterion should be duly met.
In either case, the processed data must always be relevant, limited and proportionate with respect to the relevant purposes.
Once the legal bases are duly determined, retention period should be foreseen in line with the general principles mentioned above, as set forth within Article 4 of the LPPD. Due the fact that certain documents (mainly CVs) are likely to not be up-to-date within a short period of time, retention period should be determined with a relatively strict approach.
Lastly, it should be noted that once the retention period ends (purpose linked with the controller’s legitimate interest ceases to exist, data subject requests the deletion of his/her data, or the data subject revokes his/her explicit consent), the relevant data must be deleted, destroyed or anonymized in accordance with the Regulation on Erasure, Destruction or Anonymization of Personal Data.
 “The following principles shall be complied within the processing of personal data: (i) Lawfulness and conformity with rules of good faith. (ii) Accuracy and being up to date, where necessary. (iii) Being processed for specific, explicit and legitimate purposes. (iv) Being relevant with, limited to and proportionate to the purposes for which they are processed. (v) Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed.”