Approached about job oppertunity, gdpr breach?

[ScottishStottie]

Just wondering whether something has been done incorrectly here, doesnt feel right but not really sure?

Got a couple of missed calls, a voicemail, a whatsapp message and a linkedin request from an unknown number/person, wanting to discuss a job opportunity. Took me by surprise as im not currently looking for other work, and was pretty sure that my number wasnt on linkedin.

Let the person know via message that i was not looking for other work and asked where he had got my details from. He replies saying he got my details from my cv that i uploaded to a recruitment company 8 years ago.

8 years ago i was newly graduated and looking for work. My situation has obviously changed a lot in 8 years. Surely the recruitment company shouldmt have kept my details on file and still be giving them out to people after so long, especially since gdpr rules have come into play since then??

AIBU to kick up a fuss about why my details have been passed out to people? I dont have my personal number on linked in as i feel email/linkedin message at initial stage is plenty for any contact, personal phone contact (especially with the number of missed calls/messages from this person in a short period) feels very invasive.

[Joker0fGotham]

YABU. If you put your cv on a job board (I doubt a recruiter would have got your cv from another recruitment company!), any recruitment agency can access your details and they pay a fee to have this access. If you don’t want contacting just ask them to remove your details from their database and they will.

[ScottishStottie]

From 8 years ago though?? It seems like a very long time to still be circulating my details.

[dayslikethese1]

I don't think it's technically illegal/maybe borderline but it's very bad practice on the recruiters side (the recruiters website guys that is). They should be making sure the details they hold are up to date and accurate and letting you know how you can remove details if you wish to. Most companies send emails at regular points if you are inactive (or just anyway) so you can update/remove stuff when needed. A lot did it just before GDPR came in as well (25th May 2018) to make sure they had a legal basis for holding the details they had in their systems. They should have done this really. But I suppose they can argue that as you added your CV and haven't told them to remove it, you accepted their T&Cs and so the legal basis for holding that data is a contract (I think!) Very bad practice though and doesn't make sense from their business point of view!

[ScottishStottie]

Yeah i remember getting emails from.lots of companies at the time of gdpr, all saying they needed me to confirm that they were still allowed to hold my details, amd if they didn't hear then they would delete. I defo didnt let this company continue using my details at this point, as far as i can remember they never contacted me at all.

Yes i agree it seems stupid business practice, that if this man is trying to recruit, hes not going to have much luck with such old details on file...

[ErickBroch]

Happened to me. I reported them to the commission for it. Once I told them I would be doing so they never contacted me again.

Regarding LinkedIn: It's different. The T&C you agree to lets people contact you and be GDPR compliant. If you wouldn't want to be contacted on there then cancel your account.

[bellinisurge]

Did the company specifically contact you? If they did and you didn't follow through, definitely sounds like a breach. Ask the company directly to delete your data and if it doesn't, report to ICO.

[ScottishStottie]

Linkedin wasnt a problem though. This guy added me there after finding my name on the cv from 8 years ago that was sourced from the recruitment company. Because i had the phonecalls and request i checked my settings and my number isnt listed there. I dont mind being contacted on linkedin, i have in the past with no issues, but it was the contact on my mobile that was the concern.

No contact was made from the recruitment company. At point of gdpr or at the time of passing my details on just now.

[ScottishStottie]

So i went onto their website and found a link to deactivate my profile. But in the small print it said that they would still have my details on file in case i ever wanted to re-register. So found a different like to delete completely, followed the instructions amd got an email welcoming me to the company and info on what i could now do as a member.... 😒

Really not happy with them atm. Sent an email stating i wanted my details deleted and that i wanted confirmation when this happened.

[sirfredfredgeorge]

I think the company can easily argue that you are a customer - 'cos you're not disagreeing you were a customer at the time - and retention for that period is reasonable, in fact given that they have almost certainly been passing your CV to prospective employers many times since eight years ago, then the retention since it was last used is unlikely to be 8 years.

There might be a question if they've been fulfilling their requirements to keep it correct, however that really depends on the nature of the site, as you obviously have a login to the site yourself then I think it's difficult for them to do anything else - particularly if as is likely you ignore any of their emails as spam.

As to if they should've deleted because of your expectation that "all saying they needed me to confirm that they were still allowed to hold my details", then this is certainly wrong, only companies who were acting illegally previously or had very dubious provenance for their data would have been doing that, it certainly wasn't required.

I would not consider it a breach on the information provided.

Certainly your attempt to delete sounds very poor though, that should be as easy as signing up of course.

[Joker0fGotham]

I totally agree with everything sirfredfredgeorge has said. It annoys me how people think they are well versed in GDPR when they barely know the basics!

[NeverTwerkNaked]

Also agreeing with what @sirfredfredgeorge said.

This almost certainly isn't a data breach and if it were it certainly isn't anything to get worked up about. The ICO won't be interested.

I think there was so much hype about GDPR at the time that it is easy to assume that even the most tenuous of breaches is something that can get a company in a lot of trouble but (thankfully) that isn't how it works.

[HansBanans]

I had something similar yesterday OP! Three calls from a number that just said "Unknown" one after the other. Then they left a voicemail that was completely incoherent but said something about a job with hours of 9pm to 1am?

[IwishIhadaMargarita]

I had a message at work, the woman was sketchy about the details. It wasn’t a name I recognised so I called back. She was recruiting for my companies competitor and basically found me on LinkedIn then called my workplace to talk to me about moving. I was raging thats she had the cheek. Then I got it in the neck from my boss that my profile must show me as looking for work. She was actually out of order but that’s another story.

[bellinisurge]

If the company was using tbe cv for the last 8 years, they weren't very successful.

[ScottishStottie]

Haha well yes indeed, it was a pretty rubbish CV with no real experience on it, so surprised this guy contacted me at all 😂

[GinDaddyRedux]

Did you want to "catch them out" somehow, it feels like you're reaching to find something to take offence to?

Someone called you to talk about a job. There are plenty of folk who would be extremely happy to receive such a call, and perhaps would as a result forgive any minor oversight (if any actually occurred, which in this case isn't one).

I think GDPR has been misappropriated or misunderstood by some as a "I want privacy" charter where anyone who has ever had personal data could be up before the beak at any point someone feels they shouldn't have it.

Unfortunately or not, it doesn't work like that.

[chancechancechance]

Yanbu, this is not GDPR compliant.

However I would just email the recruitment agency and tell them to take you off their books and explain to them they breached GDPR. Not sure I would report them.

[bellinisurge]

The point I was making, op, was that your 8 year old cv is out of date personal data that, quite apart from the GDPR issue is not a live asset for them. Kinda pathetic of this agency to flog it as such.

[notheragain4]

You would need to look at the privacy statement you agreed to when you handed over your CV to see if they have breached the agreement.

That said, 8 years is quite excessive and I think if challenged they would have a difficult time justifying still having your data as I doubt they could pass the basic principles such as being accurate (as it'll be outdated now).

You would be well within your rights to complain, question their retention periods, and I would ask for the data to be removed. Hopefully this is just inherited poor historical practices that haven't been tidied up yet and their data protection is tighter going forward. Sounds like it needs addressing either way.

[DGRossetti]

Surely they should have contacted the OP when GDPR came in to ensure they were still holding data with their consent ? Like the rest of the world had to ?

One of the principles of GDPR is that the organisation holding your data can demonstrate you explicitly gave them permission to do so.

However, since there's stuff all you can do except complain to the ICO who will just make a mixtape of it, it's your call.

[sirfredfredgeorge]

No-one had to contact you when GDPR came in, the law didn't really change on grounds for processing, and consent would be unlikely to be the grounds that were in use anyway. Anyone that contacted you was doing it for marketing reasons, or because they were breaking the laws existing at the time and their GDPR compliance work highlighted it.

GDPR does not require permission, so an organisation does not require demonstration of permission.

[StudyBuddy]

Are you joking? This is like me saying I put my name on my Facebook and then think it's unacceptable when people know my name. No one is distributing your details. You created a profile and posted your information on the publicly accessible internet. It's no one else's responsibility to take that down just because you forgot about it.

[Backbackandforth]

You’re misunderstanding GDPR. If you don’t want people to contact you take your details off the website you uploaded them to and then get on with your day?

[notheragain4]

@DGRossetti no I would think their legal basis would be contract rather than consent. That's why Op would need to know what she signed up to, but as it was pre GDPR it's probably not as well documented or thought out as it would be now.

But I still doubt the company is working compliantly as an 8 year old CV will be massively out of date and therefore not meeting one of the main principles.

[DGRossetti]

@DGRossetti no I would think their legal basis would be contract rather than consent. That's why Op would need to know what she signed up to, but as it was pre GDPR it's probably not as well documented or thought out as it would be now.

I just remember preparing for GDPR at my last employer and contacting everyone whose details we held with a clear summary of (a) what and (b) why it was held with an option to review and remove details. Obviously data needed to fulfil the service was exempt. But the consent had to be explicit and recorded to be valid.

And we were emphatically told you could just assume someone had consented because they hadn't said they didn't, if that makes sense ?

Mind you, we were a financial services company and had our fingers burned by the FSA (as was) over pre ticked consent boxes from pre-GDPR days. So maybe there was a touch of ultra-caution going on ?