Google may be facing investigations over potential violations of the GDPR (General Data Protection Regulation) by keeping the personal data of potential job candidates for years, reports Fortune (paywall) and Yahoo Finance.  

It comes after a London-based contractor, Mohamed Maslouh, who was assigned to enter data into Google’s internal gHire recruitment system on September 2023, noticed that the database contained the profiles of thousands of people in the EU and UK whose names, phone numbers, personal email addresses and CVs dated back as far as 2011.

Maslouh said he had received data-protection training from Randstad and was aware of GDPR, which remained part of UK law after Brexit. Last year, he was an employee of Randstad, which was contracted by Google to identify potential job candidates and enter their publicly available information, derived from services such as LinkedIn, into gHire, Google’s applicant tracking system.

Google may now face investigations over potential violations of the GDPR, after Maslouh filed protected whistleblower complaints with the UK’s Information Commissioner’s Office (ICO) in November and with the Irish Data Protection Commission (DPC), which has jurisdiction over Google’s activities in the EU, in February.

Prior to the whistleblower complaints, Maslouh says Randstad advised him to write an anonymous whistleblower report about the GDPR issue to Google, through the tech company’s submission portal. He did so in mid-October.

“Randstad encourages the reporting of any concerns via our misconduct reporting procedure, which is available to all employees, talent, and third parties,” a Randstad spokesperson said in a statement.

The complaints also claimed that Google obtained some of the personal data though ‘scraping’ it online. The term’ scraping’ refers to the automated extraction of online data. Google, which points out that it recruits people from a wide range of backgrounds, strongly denies scraping potential candidates’ non-public data, according to Fortune.

The tech company has previously been fined tens of millions of euros over GDPR violations, by authorities in France, Spain, and Sweden.

According to Fortune, Google said it deployed a global automatic deletion tool last year to ‘protect the privacy’ of job applicants and candidates in gHire, in line with GDPR demands. The rollout ended in the autumn, after Maslouh raised his concerns with Randstad and Google, but Google says it announced the tool internally as early as 2021.

If the data in question had been deleted as Google says, the timeline would indicate over four years of non-compliance after the GDPR came into effect in May 2018.

Maslou departed Randstad soon after the complaints.

When Maslouh refused to continue working on the Google account until he was satisfied that the work was GDPR-compliant, he says the staffing giant asked if he would prefer to work on another account, then failed to provide any such options and asked if he would prefer to leave Randstad. Maslouh agreed to leave, and after filing a constructive dismissal case, he received four months’ pay in compensation.