Beware of the GDPR: why oral references are not risk free

11 April 2024

Many employers rely on oral references to assess the suitability of candidates for a job, but a recent court ruling has confirmed that this practice is not exempt from the data protection rules under the GDPR.

As an employer, you may have thought that giving or receiving an oral reference on a candidate was a dynamic solution to mitigating the legal risks of defamation, negligent misstatement and discrimination that can be engaged when providing a critical reference. As the UK courts have previously held that the Data Protection Act 1998 does not apply to purely verbal communications, it was reasonably safe to assume that the principles and conditions laid down by the UK GDPR were not engaged in such circumstances. 

However, a recent case from the Court of Justice of the European Union (CJEU) has confirmed that oral communications are not exempt from the GDPR. Indeed, the court held that the possibility of circumventing the GDPR by disclosing personal data orally rather than in writing would be “manifestly incompatible” with the objectives of the GDPR. Although this judgment is not binding on UK courts, it is likely that employers can no longer avoid their obligations under the UK GDPR through oral communications.

Case facts

The case concerned a Finnish production company that organised a competition and wanted to check the criminal record of a participant. The company made an oral request to a court for information on possible ongoing or completed criminal proceedings concerning that person. The court refused to disclose such information, arguing that it would constitute processing of personal data under the GDPR. The company appealed to a higher court, which referred the case to the CJEU for a preliminary ruling.

The CJEU held that the concept of “processing” referred to in the GDPR necessarily covers the oral disclosure of personal data, provided that the data that is the subject of that processing forms part of, or is intended to form part of, a “filing system”. A filing system is a broadly defined term meaning any structured set of personal data, and so this test will likely be satisfied when an employer draws on information it holds about a candidate to provide the oral reference.

Consequently, the CJEU held that an oral disclosure of personal data may only take place if it complies with the principles and conditions of the GDPR, such as lawfulness, fairness and transparency, and that the oral disclosure of information on criminal convictions is subject to the strict conditions and safeguards provided by the GDPR.

Implications of the judgment

This judgment has important implications for employers who give or receive oral references, particularly where such references contain special category or criminal data. Picking up the phone is not as risk free as previously thought. Employers should ensure that they:

  • have a legal basis for processing the personal data in this way;
  • limit the disclosure of personal data to what is relevant and necessary for that reference; 
  • ensure that the reference is given or received in a secure and confidential manner, and that the personal data is not shared with any third parties without legal justification; and 
  • respect the rights and interests of the candidate including those to access, rectify, erase or object to the personal data (noting the relevant exemptions relating to the content of a confidential reference).