What would count as sharing data with a third party? For example, if we are booking employees on an external training course where we would only provide their name, would this amount to sharing data with a third party?

The sharing of an employee’s name with an external training provider would certainly amount to the processing of his personal data for data protection purposes. The employer would therefore have to be able to identify the lawful basis for the processing, essentially either legitimate interests, legal obligation or consent. Which one applied would depend on the nature of the training relative to the employer’s business:

If the training were a legal requirement (i.e. the employee could not lawfully do the job without having undergone it – an HGV licence for a lorry driver, for example) then this would be either a statutory obligation or a legitimate interest. If it were a matter of refining or updating of technical skills necessary for the best service to customers, that would be a legitimate interest of the employer. If it were merely a nice-to-have or some form of self-development for the employee then consent should be sufficient, but that would only safely be the case where the training was voluntary, i.e. the employee would not be penalised or dismissed if he chose not to do so.

Two further points should also be borne in mind. First, whatever justification you use has to apply to all the data being provided to the training company. If its request goes beyond names to (for example) phone numbers or home addresses or job titles, you would need to be sure that that information was genuinely required by it for the proper provision of the training services. Second, where you rely on employee consent it must be clear, specific, unambiguous and freely given, so you will need to obtain consent to X data being provided to Y training company for Z purposes, not just a blanket OK to unspecified personal data being sent to such external companies as the employer sees fit from time to time as many employers use at present.

As always, keep a note of the conclusions you reach as to justification and the thinking behind them.

How will the GDPR affect recruitment companies that hold large CV databases?

Recruitment companies will definitely be caught by the GDPR if they are processing data about EU residents and the impact may be significant.

If they hold large CV databases then this will constitute the processing of personal data for GDPR purposes and they will need to comply with their obligations under the GDPR. This will include, for example, informing candidates about the data they hold about them, the purposes for which they hold and use it, etc. More specifically:

  1. A candidate seeking a role via a recruitment company will need to be told in very clear terms what use will be made of the data he gives it, to whom it will supplied and for how long it will be retained if he (a) is and (b) is not successfully placed by the recruitment company. He will need to consent to that by positive opt-in rather than opt-out (in other words, “tick the box to confirm your consent” is fine but “you will be deemed to consent unless you tick the box” is not).
  2. Having a huge database of contacts may no longer make a recruitment company look so attractive, especially if many of those entries are old and inactive. Even simply storing personal data is processing it, so all those old candidates will now have strengthened rights of portability, deletion, correction and indeed to be “forgotten”, i.e. removed from your systems altogether. In principle, they should each now be notified of those new rights, even though they may not have heard from the recruiter or vice versa for years. How far this will be complied with in practice is a separate question.
  3. So one impact of the GDPR’s emphasis on “minimisation” is likely to be a pre-emptive cleaning of recruitment company databases wherever there is no demonstrable need to retain candidate data. We have heard it said that little more than 10% of the candidates on such databases are ever actually placed, so that leave a lot of “dead wood”. Big may no longer be beautiful in these circumstances – now it will just mean a greater risk of inadvertent infringement and a higher data maintenance burden.