Most of the data processing that HR undertakes may take place without express consent.
HR is authorised to process personal data to fulfil the employment contract, cf. Article 6(1)(b) and (e) of the General Data Protection Regulation.
Certificates of criminal record: Consent is deemed to have been given, on the grounds that applicant obtains and submits the certificate as part of the employment process. Criminal records are obtained on a case-by-case basis for the person you wish to offer the position to, if it is objective and has significant relevance for employment in the position.
Working with children permits: The university is obliged to obtain a ‘working with children permit’ (børneattest), a certificate from the police verifying that the applicant has no prior convictions for offences against minors, in connection with jobs involving direct contact with children under the age of 15. The employee must provide digital consent in connection with the collection.
In case of both types of certificate, a short note must be added to the personnel file in Workzone once they have been received, stating the date of the certificate, and that the content of the certificate has been reviewed and does not present an obstacle to employment.
Certificates of criminal records are processed on the basis of Article 6(1)(e) of the General Data Protection Regulation if they do not contain information about criminal offences and Section 8(1) of the Danish Data Protection Act if they contain information about criminal offences.
Both certificates of criminal record and working with children permits must be deleted as soon as the objective for which they were obtained has been fulfilled.
Personality tests of applicants and employees are not sensitive data and can be processed on the basis of Article 6(1)(e) of the Regulation.
Information about employees may be disclosed to a trade union or union representative if the disclosure is made in order to comply with a legal obligation or collective agreement, or if the trade union/union representative has a legitimate interest in the disclosure of the information and this interest takes precedence over consideration for the interests of the employee, cf. section 12 of the Danish Data Protection Act.
If section 12 of the Danish Data Protection Act does not authorise the disclosure of specific personal data to a union representative/trade union, explicit prior consent must be obtained from the employee in order for the disclosure of the data to take place.
The publication of employee portrait photos on the website, in emails and on office doors requires their consent. Employees may upload their own photos in accordance with the workflows agreed in their unit.
Obtaining and disclosing references is covered by the data protection rules if the information is obtained/disclosed/recorded electronically, by telephone or a memo is drafted for record-keeping purposes. See section 13 of the Access to Public Administration Files Act regarding the duty to record.
The university is authorised to obtain reference information in accordance with Article 6(1)(e) of the General Data Protection Regulation and to disclose reference data in accordance with Article 6(1)(f).
Explicit consent is not required for the university to obtain or disclose general personal data in a recruitment process.
The university must ensure predictability and transparency, which includes ensuring that the applicant for a vacant position is aware of and accepts that references will be obtained, including from whom and when and what information will be obtained. This can be done, for example, by stating in the job advert that references will be obtained or if the applicant has provided the reference themselves.
When disclosing and obtaining information of a more sensitive nature, such as medical history, the hiring and current/former manager will need to take particular care to make sure that the employee is informed and agrees that this information will be obtained/disclosed.
As a general rule, the person who discloses reference information can assume that the employee agrees to the collection of information about themselves if the hiring manager informs them of this.
References will be used to obtain information concerning the following:
In accordance with Section 9 of the Danish Data Protection Act, Sensitive personal data may not be obtained or disclosed without explicit (prior) consent, (data on racial or ethnic origin, political, religious or philosophical beliefs or trade union membership, genetic or biometric data, health data or data concerning sexual relations or sexual orientation).