Is This A Breach of GDPR?

43 replies

LetGoLetThem1234 · 02/03/2025 08:10

(General Data Protection Regulations: GDPR)

I joined a new small company recently.

During casual conversation one of my colleagues said they had seen my CV.

To be clear: they were NOT involved in any way in my recruitment.

They do not need to see my CV (or any other personal information e.g. proof of right to work in the UK, my NI number etc) in the course of their duties.

They have no payroll responsibilities.

However, I am aware they have access to the drive where confidential information is most likely to be kept.

I am unhappy that my personal information has not been kept safe, and that potentially other members of staff may also have had access to it.

My concerns are around identity fraud etc.

Is it unreasonable to expect that my personal information should only be used for the purpose it was given?

Is it unreasonable to expect access to personal information be restricted only to those who need that information to fulfil their work responsibilities?

YABU - You are wrong, this has not compromised data protection rules.

YANBU - You are correct, this looks like the rules regarding data protection have been ignored.

I will be writing to my manager about this.

I just want to be sure that I have understood GDPR before I do anything.

CarefulN0w · 02/03/2025 09:03

Could you ask to see their employee privacy policy?

As other PP have said, CVs are often screened & reviewed by people who aren't directly involved in interviews, so seeing a CV isn't necessarily a red flag. I would be concerned about who is accessing payroll details though.

LetGoLetThem1234 · 02/03/2025 09:04

@Needtosoundoffandbreathe I agree behaviour is inappropriate. They're young people, 1st/2nd jobs.

LetGoLetThem1234 · 02/03/2025 09:06

@wheelz46 thank you.

Needtosoundoffandbreathe · 02/03/2025 09:07

LetGoLetThem1234 · 02/03/2025 09:02

I don't know.

You can check on the ICO website. If they are not they probably should be because of payroll, etc.

insomniaclife · 02/03/2025 09:18

SpunkyKoala · 02/03/2025 08:39

We are a small team and it’s important that new members are a good fit for all of us - therefore we review all CVs as a team to see who we feel would be a good fit for us as a unit

Which is really shit practice and breaches equalities legislation as "the best fit" is a) not part of the job and b) almost always means "people like us"

orangewasp · 02/03/2025 09:20

Yes it is. You stated clearly that this person had no involvement in your recruitment and your CV likely contains personal data. Some of the answers on this thread indicate worryingly slack attitudes.

B1indEye · 02/03/2025 09:26

SpunkyKoala · 02/03/2025 08:39

We are a small team and it’s important that new members are a good fit for all of us - therefore we review all CVs as a team to see who we feel would be a good fit for us as a unit

Presumably that wouldn't be a breach, but as the OP's situation is the opposite, in which the other employees have no valid reason to see the CVs, it sounds like bringing it to the attention of management is an appropriate action.

PeppyLemonPombear · 02/03/2025 09:34

If you are confident that this colleague wouldn't have been involved in the recruitment process (at my last organisation we would have drafted in colleagues to help review CVs) then my biggest concern would be how she accessed your CV, and I think that's the approach you need to take with your manager, i.e. you're concerned about where personal data is being saved and how easily it can be accessed.

They sound pretty clueless, which I suspect a lot of smaller companies are when it comes to GDPR but that's no excuse when they find themselves falling foul of the regulations.

LIZS · 02/03/2025 09:40

There are separate issues here:

  • The security of personal data held electronically, which should be part of GDPR and data retention policy.
  • The individual accessing documents which are not required within the scope of their role and then sharing it, which may be a disciplinary matter.

Evaka · 02/03/2025 09:43

insomniaclife · 02/03/2025 09:18

Which is really shit practice and breaches equalities legislation as "the best fit" is a) not part of the job and b) almost always means "people like us"

I don't agree with this. Looking for a good fit in my experience (which is fairly significant) can mean checking that the person will fill a skills/temperament gap. I've hired people with loads of commercial xp into a mostly academic team for example. I bounced this off certain team members to get them ready and comfortable with the idea, which included showing CVs.

LastHeraldMage · 02/03/2025 09:45

TaggieO · 02/03/2025 08:33

CVs aren’t confidential documents though. You send it out to loads of people. 90% of the info on it is publicly available on LinkedIn.

it’s perfectly normal practice if you are hiring to ask other colleagues’ thoughts on CVs. And you sent it to the company with the explicit purpose of them viewing it.

And you sent it to the company with the explicit purpose of them viewing it. For the purpose of evaluating if OP is suitable for the role. Not for every Tom, Dick and Harry to take a nosy gander at.

sofasofa42 · 02/03/2025 09:46

No it's not.

TaggieO · 02/03/2025 09:47

LastHeraldMage · 02/03/2025 09:45

And you sent it to the company with the explicit purpose of them viewing it. For the purpose of evaluating if OP is suitable for the role. Not for every Tom, Dick and Harry to take a nosy gander at.

OP has no evidence that it wasn’t viewed as part of evaluating her for the role.

JustFrustrated · 02/03/2025 09:47

I'm more concerned about some antiquated ideas of what should be on CVs...

Absolutely no dates of birth/age markers please!

And best fit checks, when done by a decent manager, aren't a bad thing. All identifying information should be redacted...e.g. name, area etc.

Though when I was reviewing CVs the other day someone had sent a headshot...never do that. Ever.

Cattreesea · 02/03/2025 09:48

The company has two issues:

  • a snooping employee who went out of their way to look at documents they had no reason to want to access
  • a failure to secure HR files.

I would report it to HR and ask for it to be investigated.

KnickerlessParsons · 02/03/2025 10:05

GDPR is no longer relevant in the U.K. It's European legislation.

The U.K. has similar legislation: the Data Protection Act of 2018, so that is what you should refer to if you complain.

Wheelz46 · 02/03/2025 10:50

KnickerlessParsons · 02/03/2025 10:05

GDPR is no longer relevant in the U.K. It's European legislation.

The U.K. has similar legislation: the Data Protection Act of 2018, so that is what you should refer to if you complain.

This is incorrect. UK GDPR is very much a legal requirement in the UK and comes with a hefty fine if breached.

SpunkyKoala · 02/03/2025 11:46

Not really, it’s more along the lines of do the skills and experience they bring fill the hole we have in our team - not a lot of point recruiting someone who can only do the tasks we already know how to do
