As candidates ask for deletion of personal and professional data, companies look at law firms

Under the current SPDI Rules, companies may retain data of unsuccessful candidates provided that such retention is required for any future assessment of the candidate for a suitable opportunity.

August 31, 2023 / 15:12 IST
Though law experts say harm to candidates is limited since large companies have robust data security measures, they feel the dynamic nature of consent is the main game here.

Anuj Menon (name changed) received a job offer at AB InBev GCC in November last year following a two-month interview process. However, the discussion went haywire, leading to the offer being declined by the company.

Nevertheless, Menon had only one concern: his personal data such as Aadhaar and PAN numbers, and professional data such as salary slips, were still with the company. He wrote an email requesting the company to delete the details since he is not part of the company. He is yet to receive a confirmation.

“I requested that my contact information and other personal information that I provided as part of the onboarding process be deleted. But I did not get any confirmation…I even requested clarification by sending a legal notice through email and WhatsApp but I received no response via email,” he said.

Menon’s case is not exceptional. Parag Dabaz (name changed) also has the same concerns since he left his last company, an IT multinational, on a bad note.

“I seriously think the hiring manager or anyone else can cause me damage through the use of my crucial data,” he said, adding that though he worked for 5 years at his last employer, things did not end well.

Current rules

Under the current regime of SPDI (Sensitive Personal Data or Information) Rules, companies may retain data of unsuccessful candidates provided that such retention is required for any future assessment of the candidate for a suitable opportunity, according to Nakul Batra, Partner, DSK Legal.

In terms of the Digital Personal Data Protection Act, or DPDP Act 2023, while there is no legislative guidance present, it may be argued that the voluntary submission of personal data by a candidate for the specified purpose of exploring employment opportunities can be construed as a legitimate use case for retention – unless the candidate explicitly did not consent to it.

"....when an offer is either declined by a candidate or revoked by the company, any data which is collected, pursuant to which the offer was released, is deleted within one month’s time. If the processing of the data is no longer required, we may securely delete these personal/sensitive data," AB InBev told Moneycontrol.

Though law experts say harm to candidates is limited since large companies have robust data security measures, they feel the dynamic nature of consent is the main game here. As per the rule, companies need to assess all the data they collect and the specific purpose for which they collect it, put in place SOPs for its processing, and determine, for each purpose, how it will need to be retained. In addition, there should be an option for auto-deletion.

For instance, a company selling cars (X) collects personal data to market and sell its cars to an individual (Y). To facilitate the sale of a car, X may collect the details of the family members of Y to suggest a suitable category of car (for example, number of family members, age of older members, etc.). Once the sale is completed, such data of Y’s family members ceases to serve the specific purpose for which it was processed, and hence should be auto-deleted.

Changing dynamics

The awareness around the misuse of data has increased in recent times, leading to data activism among job seekers and employees. However, the law does provide certain options that can be exercised in case the consent of the candidate changes afterwards.

As per the rule, the Data Protection Officer is responsible for appointing a person to redress the grievances of Data Principals or candidates. In case the same is not appointed, candidates can withdraw their consent through a Consent Manager who shall be registered with the Data Protection Board, said Rohit Jain, Managing Partner at Singhania & Co.

In a nutshell, candidates can get the data deleted.

Since companies have to determine how data needs to be retained and make way for auto-deletion, DSK Legal has already received requests from major companies and started to work on some contracts for its IT/ITeS clients to make way for the new consent regime under the DPDP Act.

The work is specifically about the erasure of personal information, and adding clauses to address the security of personal data, including for breach notifications as mandated under the DPDP Act.

“Companies have come to us to restructure their contracts to make it compliant with the new law. Companies are seeking our advice on preparing a compliance plan to make their data inventory law compliant and to set up a law-compliant consent mechanism,” Singhania & Co’s Jain said.

(The story has been updated with AB InBev's response)

Abhishek Sahu
Abhishek Sahu covers HR and Education (Careers) at Moneycontrol. He can be reached at Abhishek.Sahu@nw18.com and @Abhishek44sahu.
first published: Aug 30, 2023 03:19 pm
