Legal reference

Data Protection Guide

Page route: hiveref.com/data-protection-guide
Purpose: Plain-language explanation of GDPR articles relevant to reference checking

Introduction

HiveRef operates to the General Data Protection Regulation (GDPR) as its global data protection baseline. GDPR is widely regarded as the most comprehensive data protection framework in the world. Similar protections exist under Australian law (Privacy Act 1988), Brazilian law (LGPD), and South Korean law (PIPA).

This guide explains the specific articles of GDPR that are most relevant to employment reference checking. It is designed for hiring organisations, candidates, and referees who want to understand their rights and obligations in plain language.

Article 5: Data Protection Principles

What it says

Personal data must be processed lawfully, fairly, and transparently. It must be collected for specified, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes. Only data that is adequate, relevant, and necessary for the purpose may be collected. Data must be accurate and kept up to date, kept in identifiable form no longer than necessary, and protected with appropriate security. The controller must also be able to demonstrate compliance with these principles (accountability, Article 5(2)).

In reference checking

This means a reference check must have a clear, specific purpose (assessing a named candidate for a named role), must collect only information relevant to that role, and must not be reused for an incompatible purpose without a new lawful basis; on HiveRef that means fresh consent. HiveRef enforces purpose limitation by requiring every reference check to be linked to a specific role and organisation before any data is collected.

Practical example

A reference check conducted for a marketing manager role cannot be reused to assess the same candidate for a finance role six months later. A new reference check with new consent is required.

Official GDPR text is published by the EU and reproduced on gdpr-info.eu. Always refer to the authoritative legal sources for your jurisdiction.

Article 6: Lawful Basis for Processing

What it says

Every processing activity must rest on at least one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. The lawful basis must be identified before processing begins and communicated to the data subject in the privacy notice (Articles 13 and 14).

In reference checking

HiveRef uses consent as the primary lawful basis for processing candidate personal data. A candidate must give explicit consent before any referee is contacted. This consent must be freely given, specific, informed, and unambiguous. It cannot be a pre-ticked box or buried in terms and conditions. Regulators treat consent with caution where there is an imbalance of power, as between an employer and a job applicant, so the hiring organisation should be able to show that the candidate had a genuine choice and should document why consent is the appropriate basis for its process.

Practical example

A candidate who applies for a role and is asked to complete a reference check must be shown a clear consent statement naming the employer and the role before submitting their referee details. If they do not consent, the reference check cannot proceed.

Article 7: Conditions for Consent

What it says

Where consent is used as the lawful basis, it must be freely given, specific, informed, and unambiguous. The person must take a clear affirmative action to give consent, and the controller must be able to demonstrate that consent was given (Article 7(1)). They must be able to withdraw consent at any time and withdrawal must be as easy as giving consent; withdrawal does not affect the lawfulness of processing carried out before it (Article 7(3)).

In reference checking

Candidates must actively tick a checkbox or click a clearly labelled consent button. Pre-ticked boxes are not valid. The consent statement must name the employer, the role, and the referees being contacted. Candidates can withdraw consent at any time from their account, which immediately stops the reference check.

Practical example

A consent statement reading "By continuing to use this website you consent to all data processing" does not meet the Article 7 standard. A valid consent statement names the specific purpose, the specific parties, and requires a deliberate action to confirm.

Article 9: Special Category Data

What it says

Certain categories of personal data are considered particularly sensitive and are subject to stricter protections: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning a person's sex life or sexual orientation. Processing special category data is prohibited unless one of the ten conditions in Article 9(2) applies (for example the data subject's explicit consent, or a necessity under employment law that national law authorises). In an employment reference checking context, none of those conditions will normally apply to information a referee volunteers about a candidate.

In reference checking

Reference check questions must never ask about any of the special categories listed above, and hiring organisations writing their own free-text questions should check that the wording does not invite such disclosures (for example by asking about absences or "personal circumstances"). Where a referee volunteers special category information in a response without being asked, that information is flagged by HiveRef's AI with a Data Protection Notice. The flagged content must not be used as a factor in any hiring decision. Using special category information to make or influence a hiring decision may expose the hiring organisation to legal liability under GDPR and applicable national law.

Practical example

A referee states in their response that a candidate "had some health issues last year but has fully recovered." This is health data, a special category. HiveRef flags this sentence with a Data Protection Notice. The hiring organisation must not take the candidate's health history into account when making its hiring decision.

Articles 13 and 14: Right to Be Informed

What it says

When personal data is collected, the data subject must be informed of: who is collecting the data (the controller and, where one exists, its data protection officer), why it is being collected, the lawful basis, who will receive it, how long it will be kept, their rights, and who to contact with questions. Where the data is obtained from the data subject, this information must be provided at the time of collection (Article 13). Where it is obtained from someone else, it must be provided within a reasonable period and at the latest within one month, or at the first communication with the data subject if the data is used to contact them (Article 14); in that case the notice must also say where the data came from.

In reference checking

Candidates supply their own details directly, so Article 13 applies and they must receive a privacy notice before they submit their referee details. Referees' names and contact details are supplied by the candidate, not by the referee, so Article 14 applies and referees must receive a privacy notice when they are first contacted, including where their details came from. Both notices must be written in plain language and must cover all required information. HiveRef delivers these notices automatically as part of the platform workflow.

Practical example

A referee who receives an invitation to complete a reference check must be told: who is asking for the reference (HiveRef on behalf of the employer), why their information is being collected (employment reference check for a named role), how long their information will be kept (90 days for contact details after check completion), and what their rights are (including the right to decline).

Article 15: Right of Access

What it says

Individuals have the right to obtain confirmation of whether their personal data is being processed, and if so to receive a copy of that data along with information about how it is being used, including the purposes, the recipients, the retention period, and the source of any data not collected from them directly.

In reference checking

Candidates have the right to access the reference check report that was generated about them. They can request this through their HiveRef account. The hiring organisation, as data controller, is responsible for responding to access requests within one calendar month of receipt; this can be extended by up to two further months for complex or numerous requests, provided the candidate is told of the extension and the reason within the first month (Article 12(3)). The right to a copy must not adversely affect the rights and freedoms of others (Article 15(4)); the referee's own personal data within the report is the main case to consider, and deciding whether any part must be withheld is the controller's responsibility.

Practical example

A candidate who was not offered a role may request a copy of their reference check report to understand what information was collected about them. This request must be fulfilled within one month of receipt unless the controller has lawfully extended the deadline.

Article 17: Right to Erasure

What it says

Individuals have the right to request deletion of their personal data where it is no longer necessary for the purpose it was collected, consent has been withdrawn and no other lawful basis applies, processing was unlawful, or another ground in Article 17(1) applies. This right is not absolute and does not apply where retention is required by law or is necessary for the establishment, exercise, or defence of legal claims (Article 17(3)).

In reference checking

Candidates may request deletion of their reference check data. Requests are routed through the hiring organisation as data controller. HiveRef will action confirmed erasure instructions within 30 days across all storage locations, including backups. Consent records and compliance audit logs that the controller needs in order to demonstrate that processing was lawful (Articles 5(2) and 7(1)) are exempt from erasure during their defined retention period.

Practical example

A candidate who withdrew their consent may request that all data collected in connection with that reference check be deleted. HiveRef will delete the check record, referee responses, and report. The consent record itself is retained for 7 years as evidence that the processing was lawful while it occurred; withdrawal does not make earlier processing unlawful (Article 7(3)).

Article 22: Automated Decision-Making

What it says

Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on them; refusing someone a job is a standard example of such an effect. Where such processing is permitted (for example on the basis of explicit consent or a contract), the individual must be informed of it, and must have the right to obtain human intervention, to express their point of view, and to contest the decision (Article 22(3)).

In reference checking

HiveRef uses AI to process reference check responses and generate reports. However, HiveRef does not make hiring decisions. The AI produces a structured summary of referee responses for human review. The hiring decision is always made by the hiring organisation. HiveRef's platform is designed so that no automated hiring recommendation is ever generated. The human review must be meaningful for Article 22 to stay out of scope: a reviewer who merely rubber-stamps an automated output does not turn an automated decision into a human one, so the hiring organisation should ensure that its reviewers have the authority and the information to reach their own conclusion, and should check AI summaries against the referee's actual words where the summary is material to the decision, since the accuracy principle (Article 5(1)(d)) applies to the summary as much as to the source data.

Practical example

HiveRef's AI summarises that a referee described a candidate as "highly capable with strong leadership skills." The AI does not say "hire this candidate" or "do not hire this candidate." The hiring organisation reviews the summary and makes its own decision.

Article 28: Processor Obligations

What it says

Where a data processor processes personal data on behalf of a data controller, the arrangement must be governed by a written contract (the Data Processing Agreement or DPA). The DPA must set out the subject matter, duration, nature, and purpose of the processing, the types of personal data and categories of data subjects, and the controller's obligations and rights, and must impose specific obligations on the processor including acting only on the controller's documented instructions, confidentiality, security, sub-processor management, assistance with data subject rights and breach notification, deletion or return of data at the end of the service, and making available the information needed to demonstrate compliance.

In reference checking

HiveRef is a data processor. The hiring organisation is the data controller. A Data Processing Agreement is mandatory before any personal data of EU or UK data subjects can be processed on behalf of a controller subject to the EU or UK GDPR. The HiveRef DPA is available at hiveref.com/dpa and includes the EU Standard Contractual Clauses and the UK IDTA. Those transfer instruments address transfers outside the EU and UK under Chapter V, which is a separate requirement from the Article 28 terms themselves; the DPA bundles both.

Practical example

A UK-based employer using HiveRef to check references for a UK candidate must execute the HiveRef DPA before sending the first reference check. Without an executed DPA, processing the candidate's personal data through HiveRef would be unlawful under UK GDPR.

Article 33: Breach Notification

What it says

In the event of a personal data breach, the data processor must notify the data controller without undue delay after becoming aware of it (Article 33(2)). The data controller must notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; a late notification must be accompanied by reasons for the delay, and information may be provided in phases where it is not all available at once (Article 33(1) and (4)). Where the breach is likely to result in a high risk to individuals, affected data subjects must also be notified directly without undue delay (Article 34). The controller must document every breach, including those it decides not to report (Article 33(5)).

In reference checking

If HiveRef experiences a personal data breach affecting client data, we will notify affected clients within 72 hours with the information a controller needs for its own notification under Article 33(3): the nature of the breach, the categories and approximate numbers of data subjects and records concerned, the likely consequences, and the measures taken or proposed, supplemented in phases as the investigation progresses. Under EDPB guidance a controller is treated as aware of a breach once its processor has informed it, so the client's own 72-hour window starts from HiveRef's notification. The client, as data controller, is then responsible for notifying its supervisory authority within 72 hours and, where required, notifying affected candidates and referees. HiveRef maintains an internal breach register documenting all breaches regardless of whether external notification is required.

Practical example

If unauthorised access to reference check reports is detected, HiveRef will notify the affected client organisations within 72 hours. Each client must then assess whether to notify its national supervisory authority (e.g. the ICO in the UK or its national DPA in the EU) and whether to notify the candidates and referees whose data was affected, and must record that assessment and its reasoning in its own breach log whatever it decides.
