Search confidential references and GDPR

[inmortus]

Just curious,

I am no expert in GDPR, but I was wondering what would happen if a Europe-based teacher requests from Search Associates all data they store based on GDPR? Given Search is UK based I assume they have to follow GDPR, but I am wondering if then this means they would have to turn in all your information including the confidential references past employers may have filled in?

Any GDPR experts? I just thought about it and found the idea interesting.

[expatscot]

We've had this discussion before here - my view is that they would, even under the old Data Protection Act requirements. However, they can also choose who to represent and who not, and I suspect that anyone making a request would find that (a) they'd make it as difficult as possible within the law, and (b) they were suddenly rejected by Search.

[sid]

I suspect that we all explicitly gave permission for them to collect and store confidential references. We even told them exactly how to find the people to write them. So I doubt we have the right to see them now.

[expatscot]

sid wrote:
> I suspect that we all explicitly gave permission for them to collect and
> store confidential references. We even told them exactly how to find the
> people to write them. So I doubt we have the right to see them now.

Permission to collect and store is different from the request to view.

[sid]

The articles out there seem to say confidential references are exempt. Here’s one.
https://www.businesswest.co.uk/members/ ... disclosure

[expatscot]

That's clearly a change then so Search would have a bit more protection. However, I could see a situation where, after Brexit, that gets changed again (especially under a Labour government.)

[PsyGuy]

While the forum has had this conversation before, none of the previous contributors comments are relevant. SA isnt based in the UK, at least not the entity that collects and maintains the database elements. Those SA offices and business entities are all licenses (much like a fast food franchisee and the corporate HQ) that have access but not ownership or possession which is held by Amazon on a server in Virginia by a US business entity, too which GDPR can not be enforced. Those four associates with EU offices just license access to the data that comprises a candidates profile, they dont collect, own, or maintain it.

So while GDPR has been recently updated and provides less access than the previous DPA (exempting confidential references) a candidate could still get access to that in a number of countries though various mechanisms, it would likely result in the same outcome as previously discussed, youd spend significant resources if you ever got to see it, and SA would promptly drop their repping you as a candidate.

[inmortus]

I would invite you to read the full text (if you have time, it's quite long). The short version is: the law follows the data, with little relation to where it ultimately ends up stored (provided they are somehow related to EU, as Search is). That is why certain businesses/websites simply will not work when you try to access through an EU IP address as they simply worried about breaching the law.

In any case it was just a hypothetical question, nothing else. I agree that if someone tried to do that they would find themselves banned from Search pretty quickly.

[PsyGuy]

@inmortus

I have read it, its a bit of a slog. The law can purport to do whatever it wants, but just as the EU wont be able to enforce GDPR once the UK completes Brexit, nor can it enforce anything against the SA entity that owns the data in the US. Whats the law going to do, GDPR enforcement is based on fines, and the EU can send demands of fines to the US entity all it wants, SA can ignore them with impunity. That SA entity isnt related to the EU, just because SA has some licenses with access to its data that are in the EU.