THEORETICAL AND PRACTICAL ISSUES OF DATA PROCESSING RELATED TO THE PRE-EMPLOYMENT RELATIONSHIP IN THE LIGHT OF THE HUNGARIAN, SLOVAK AND CZECH LABOR LAW

Thanks to the European Union's General Data Protection Regulation (GDPR), the rules on the protection of personal data have entered a new level of protection, which imposes strict requirements on data controllers. One of the most basic, yet very exciting and sensitive areas in the field of personal data processing is the processing of personal data related to employment. However, little attention is paid to the data processes carried out by data controllers prior to the establishment of the employment relationship, to which, of course, the provisions of the GDPR also apply. The purpose of this study is to provide theoretical and practical guidance to data controllers on how to comply with the requirements for pre-employment data processing. In the study, I mainly examine pre-employment data processing in a general way in the light of the GDPR, but in order to shed light on the individual issues in dispute, I examine the provisions of Slovak, Czech and Hungarian labor law. establishment of an employment relationship. Although in the study I focused on the necessary rules to be taken into account in this procedure, it is important to emphasize that in the case of data processing that violates data protection regulations, as a result of a supervisory official procedure, data controllers may even face severe administrative fines and other ways of prosecution.

The study aims to map the requirements for data processing during the recruitment procedure, thus providing a crutch for data controllers to design this data process under the law. In the second chapter of the study, I examine the general requirements for data processing, such as the enforcement of the purpose limitation principle and the requirement of the lawfulness of data processing. In the third chapter, I examine specific data processes related to the topic. In writing this study, I examine and compare the law of three countries, including Hungarian, Slovak and Czech labor law regulations.

II. LEGAL PURPOSE AND LEGAL BASIS OF THE DATA PROCESSING
If a controller needs to implement a processing of personal data, the primary and fundamental obligation is to define the legitimate purpose of the processing, in accordance with the personal data necessary to process must be precisely defined and the data processing should be limited to these data. The latter requirement stems from the principle of data minimization, which is a self-proclaimed principle but is practically inseparable from the purpose limitation principle. 11 Compliance with the purpose limitation principle is a precondition for data processing, which accompanies the whole process and must be complied with at all stages. 12 Typically, two purposes can be identified in the data processing: (i) the broader purpose of the data processing; (ii) the independent purpose for which each personal data are processed. These two purposes are in part-whole relation, and the latter must obviously be in line with the purpose of the data processing, as it is a sub-purpose.
The data controller is also expected to perform only data processing operations which are related to the purpose of the data processing and are necessary to achieve it. In the first part of this chapter, I examine certain issues related to the procedure for establishing an employment relationship as a purpose of a data processing in a broader sense, during which I take into account the provisions of Czech, Hungarian and Slovak labour law. In addition to defining the legitimate purpose of the data processing, another important requirement is that the lawfulness of the data processing must be ensured by one of the legal bases in Article 6(1) of the GDPR. In the second part of this chapter, I examine the legal bases that can ensure the lawfulness of the data processing in the context of the employment recruitment.

Legal purpose of the data processing
During the development of the data processing, the primary requirement is that the data controller have to determine the legitimate purpose of them. The broader purpose of the recruitment is to find the most suitable person to fill the vacant position at the data controller to establish an employment relationship. Concerning the purpose of data processing in Hungarian law, we can find a provision in § 10(1) of the Labor Code 13 (hereinafter "Hungarian LC"), according to which "The employer may require the employee to make a statement or disclose personal data that is relevant to the establishment of the employment relationship (…)." On the one hand, the Hungarian regulation defines the purpose of data processing, and on the other hand, it restricts data processing to the handling of relevant data, thus declaring the principle of data minimization. It can be observed that this provision uses the terms "employer" and "employee" for the processing of data for the purpose of establishing an employment relationship, which is clearly incorrect, as persons involved in the recruitment procedure do not participate in the negotiations as employer and employee, but as a job advertiser and an applicant. The question arises as to whether the provision of the Hungarian LC has to be interpreted narrowly, and it would apply only to the period following the end of the recruitment procedure (when the employee has been selected) and for the period immediately before the conclusion of the employment contract. or it should be interpreted broadly and applied to the entire recruitment process. Of course, in practice, these two events blur very often, making it difficult to find the boundary between them. What's more, potential employers are already seeking to obtain all personal information during the selection process, which is a manifestly flawed process for reasons explained later.
In the Slovak Labor Code 14 (hereinafter "Slovak LC"), the legislator distinguishes between the legal relationships before and after the conclusion of the employment contract. According to § 41(5) of the Slovak LC, "an employer may only request information from a natural person who is applying for a job for the first time related to the work to be performed by him or her. The employer may request an employer's assessment of his previous employment from a natural person who has already been employed." 15 The conceptual discrepancy also exists in this regulation, as we cannot yet speak of an employer, however, this provision uses the term "natural person applying for a job" rather than the employee. It can be observed that the Slovak legislator does not distinguish between the procedure immediately preceding the establishment of the employment relationship and the procedure related to the application. The provision also keeps in mind the principle of purpose limitation, from which we can also deduce the principle of data minimization. The question can also be asked in the context of the Slovak legislation, should the provision apply to the entire recruitment procedure?
In my view, the cited provision of both the Hungarian and Slovak regulations must be interpreted broadly, so the data controller must apply it from the moment he defines the framework of the employment relationship, i.e. the all data processing carried out for this purpose, including recruitment.
In my opinion, the most sophisticated solution can be found in the Czech Labor Code 16 (hereinafter "Czech LC"), which regulates the recruitment as a pre-employment procedure and the procedure immediately preceding the establishment of the employment relationship separately, thus recognizing the special and separable nature and thus the data processing in connection with these of these procedures. The § 30(1) of the Czech LC contains requirements concerning the recruitment as follows: "in selecting a natural person to apply for a job, the employer is entitled to determine the qualifications, requirements for filling the job or other special abilities, unless otherwise required by other legislation. This provision is without prejudice to the requirements of any other legislation applicable to a natural person as an employee." It is noticeable that the regulation only partially has respect to the differences between the two procedures. On the one hand, it correctly uses the term 'natural person applying for a job', but on the other hand, this legislation also uses the term 'employer' instead of a potential employer who advertises a job. In terms of content, the provision is similar to the Slovak regulation, as it determines the quality of personal data that can be processed by the job advertiser, and from this we can deduce the purpose of data processing. The provision explicitly states that the potential employer may, unless otherwise required by law, determine in his own discretion the requirements for filling the job. The data controller may request the person applying for the job to provide personal data in the light of these requirements. From this rule we can deduce the principle of data minimization and the principle of purpose to, and we can state that the provision also formulates the requirement that the job advertiser have to plan the whole process concerning to recruitment. The § 30 (2) of the Czech Labor Code stipulates as a requirement for the process before the signing of the employment contract that "During negotiations before the establishment of the employment relationship, the employer may only request information from the natural person or other person directly related to the employment contract." In that provision, the Czech legislature therefore lays down the rules on personal data which may be processed directly in the context of an employment contract procedure. This provision underlines the fact that several personal data do not need to be disclosed in a recruitment procedure (e.g. in particular, the applicant's identity, place of birth, individual ID numbers and other identification numbers), however these could be necessary to contract with selected person.
From the point of view of labor law, the broader purpose of data processing can be formulated in the conduct of the procedure for establishing an employment relationship, while the purposes of the processing of individual personal data are necessary sub-objectives to achieve the purpose of this process.

Legal basis of the data processing
In general, the lawfulness of data processing requires the existence of a legal basis in Article 6 (1) (a) to (f) of the GDPR. When examining the legal basis of the procedure for establishing an employment relationship, the applicability of several legal bases may arise, and in my practical experience, data controllers often determine the lawfulness of their data processing on different legal bases. In this subsection, I would like to examine these legal bases and take a position on which one I consider to be actually applicable. First of all, an important fact needs to be identified. The need for a legal basis for the lawfulness of data processing is not a requirement for the data processing as a process, but the certain personal data processed in the framework of the process. Because of this, the data controller may process personal data on a different legal basis for the same purpose in the context of a same data processing.
The first legal bases to be examinedwhich is often referred to in practice 17is the consent of data subject referred to in Article 6 (1) (a) of the GDPR. Consent of the data subject according to Article 4 (11) of the GDPR "means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." The reference to this legal basis is based onat least often referred to by data controllers the fact that the application for the advertised position is voluntary, it depends on the applicant's free will. Thus, by submitting the application, but typically also by filling in a statement, the applicant gives his or her consent to the data processing. Well, in my view, that is incorrect, since there are several conjunctive conditions for the validity of the consent which must exist for the consent to be valid. In my view, the assertion is incorrect because a much deeper examination is required to establish the voluntary nature than the fact that the applicant submitted his application on his own will. 18 Consent may be voluntary if the data subject has a real discretion to grant and withdraw consent, if this is not the case, the consent cannot be voluntary. 19 The European Data Protection Board issued Guidelines 5/2020 on consent under Regulation 2016/679, 20 in which is stated that the voluntary nature could not be defined in a relationship of dependence, such as that between the employer and the employee or the prospective employee, since the person concerned was not in a position to dispose of his data freely. There is also a dependency relationship in the procedure for establishing an employment relationship, as all the circumstances of the data process are determined by the data controller advertising the job. In this respect, the most significant limitation on the right to selfdetermination, and thus on the scope and content of consent, is that the data subject cannot decide which personal data he or she contributes to. Given that one of the conditions for the validity of the consent is missing, it cannot justify the lawfulness of the data processing. 21 According to Article 6(1)(b) of the GDPR, data processing is lawful if it "is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract." This provision shall apply in the case of a contractual relationship between the parties, which shall mean not only the relationship between the related parties within the meaning of civil law, but also the employment contract which creates a subordinate order. It can be observed that the cited provision actually separates two data processing processes, (i) data processing in connection with the performance of an existing contract, and (ii) data processing performed before the conclusion of the contract. The question arises as to whether the legal basis under point (ii) applies to the processing of data in the context of the recruitment procedure or only to the last phase of the process, i.e. the phase immediately preceding the conclusion of the contract. To answer this question, we have to proceed from the purpose of data processing. In my view, the purpose of the procedure is, in a broad sense, to conclude an employment contract which is which is just a smallthe last but not leastslice of data processing. In a narrow sense the purpose of the procedure is to select a suitable person to fill a post. These are not the same but previous does not exist without the latter. Given that Article 6(1)(b) of the GDPR can only be interpreted narrowly, it would in principle apply to the procedure immediately preceding the conclusion of the employment contract. This assertion is also problematic, as it is difficult to interpret the condition for the application of this legal basis that the steps have to be 'taken by the request of the data subject' before the conclusion of the contract. The procedure for concluding an employment contract is not initiated by the data subject, but by the controller after his or her selection procedure. What's more, the data controller has the option to make a decision not to enter into an employment contract with any of the applicants. However, the question is whether applying for a job can be interpreted as being initiated by the person concerned. This can only be accepted if Article 6(1)(b) is interpreted broadly, as the application is made through a selection procedure. In my view, a broad interpretation of Article 6(1)(b) of the GDPR would be correct, since the ultimate aim of a job competition is to conclude an employment contract.
Sometimes, in the case of certain activities, a special requirement is prescribed by law, due to which the data controller must process the personal data specified in the law. In this case, the data controller does not have the freedom to decide on the data processing or its circumstances, because it has to fulfil the legal obligation. 22 In these cases, the legal basis for processing these data will be Article 6 (1) (c) GDPR.
In many cases, the processing of a personal data is not necessary for the conclusion of an employment contract and its processing is not required by law, but its processing is justified by the interests of the data controller. In this case, the legal basis for data processing will be the legitimate interest set out in Article 6(1)(f) of the GDPR. 23 This presupposes that the controller carries out a test of proportionality, in which he considers whether his interest takes precedence over the data subject's freedoms and rights, and whether the data processing is necessary and proportionate to achieve the aim pursued. In my view, the processing of data during the selection procedure should be classified as a legitimate interest in the event of a narrow interpretation of Article 6(1)(b) of the GDPR. In this case, the lawfulness of the processing carried out during the selection procedure is based on the legitimate interest of the controller in filling the post advertised.
The lawfulness of data processing should also include the processing of data belonging to a special category of personal data. As part of the job-filling procedure, job advertisers typically process health data, 24 which typically covers the candidate's basic physical health, but data on the mental condition of the person concerned are also often processed. Concerning to the processing of sensitive data, the GDPR imposes strict requirements and, as a general rule, prohibits the processing of special categories of personal data. 25 However, it is possible to process specific data in case of coexistence of one of the ten additional conditions set out in Article (2) of the GDPR and one of the legal basis for the processing. In the recruitment procedure, Article (2)(b) is often applied, according to which the processing of special data is "necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection." In this case, there must be a mandatory requirement for the data controller that justifies the data processing, so the controller has no discretion as to the processing of the data.
In this context, we have to mention the data processing carried out in connection with the examination of the future employee's suitability, including mental and physical (i.e. health) for work, which, in addition to the legal requirement, is undoubtedly also in the interest of the prospective employer. 26 Its legitimacy can be ensured by Article (2)(h) of the GDPR. According to this data "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, (…) on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3" The application of this provision is subject to the additional condition in Article (3) that the data "may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies." Such a professional is a person authorized to provide a healthcare service who is subject to medical confidentiality. It is important to emphasize that this data processing is not performed by the employer but by the health professional entrusted by him. In this respect, the employer can only manage the information on whether or not the prospective employee is suitable for the given job, to work. The provisions of § 10 (3)  Hungarian LC, 27 the § 32 of the Czech LC 28 and § 41(2) of the Slovak LC 29 are in line with this. With regard to all three provisions, it should be noted that, in accordance with Articles 88(1) and (2)(b) of the GDPR, 30 the employment relationship rule, and thus the norm imposing this obligation, may also be a collective agreement. There is a significant problem with Article (3) of the GDPR and the cited provision in the Labor Codes. Article (3) of the GDPR provides that health data may be processed only by a health professional contracted by the employer and not by the employer. In contrast, the cited provisions of the Labor Codes require the employer to examine the state of fitness for work. To do this, the prospective employee must present a certificate from a health professional as to whether or not he or she is medically or otherwise fit for the job. Given that health data are all data relating to the health or mental condition of the data subject, such as fitness for the job, so these data clearly relates to the health or mental condition of the data subject. 31 The GDPR does not prohibit the employer from processing specific health data, but generally the health data of the employee, in this case the applicant.

III. CERTAIN DATA PROCESSING OPERATIONS
There are many methods of recruitment procedure that job advertisers use separately but typically together. The relationship between the job-seeker and the data controller is preceded by the information on the existence of the job, the most typical form of which is the publication of the job advertisement. This is the phase of the process in which data processing doesn't take place yet, but is part of the process. The data processing wouldn't be possible without it, therefore the rules on data processing should apply. The data subject contact the data controller based on the job advertisement, typically by sending a document containing his or her personal data (this primarily, but not exclusively, the data subject's CV, cover letter and documents attached to application) to the data controller. 32 The controller will then carry out a prescreening these documents, based on which he will select the person or persons who best meet the criteria for filling the position. Data controllers use this phase of the data process as a prescreening and have a personal meeting with the selected persons. During the job interview, several methods are used that involve the processing of personal data, e.g. they ask questions to which the data subject is assessed, but it is often the case that the data subject is asked to complete a theoretical, professional written test, which also qualifies as personal data. In this subsection, I examine the rules of these data processing.

Data processing related to job advertising
I have emphasized above that the data controller must plan precisely the entire process of the job application. Concerning the job advertisement, it is necessary to specify what personal data is required to fill the position. In that regard, it is not sufficient to specify that the applicant is required to submit a curriculum vitae, but must specify precisely what personal data must be provided in the curriculum vitae. To comply with the purpose limitation principle, the data controller may only process personal data that is necessary for the selection of a suitable person to fill the position. The scope of personal data has to be interpreted narrowly, and in fact, they can be limited to only the necessary personal data, e.g. in my view, there is no need for the applicant's portrait, 33 marital status, nationality 34 etc. The § 41(6) of the Slovak Labor Code explicitly contains the data that the advertiser may not request from the natural person applying for the job, such as data on pregnancy, marital status, or criminal record unless otherwise it is required by law, or the nature of the job requires impunity, 35 and no information may be requested from a natural person about his or her political and religious views or labor union membership. A similar regulation is contained in § 316(4) of the Czech Labor Code, according to which "the employer may not request the employee to provide data that is not directly related to the work," so he may not request information about pregnancy, sexual orientation, origin, religion or belief, or any other organizational membership. Notwithstanding, the provision is established in the employer-employee relationship, it must be interpreted broadly, and the data controller may not process the listed personal data in the procedure before the establishment of the employment relationship. 36 A similar restrictive provision can be found in the § 12(2) of the Czech Employment Act, 37 according to which "during the selection of the employee, the employer may not apply for information about nationality, racial or ethnic origin, political and religious opinion, sexual orientation, membership in a professional organization." In my view, the most appropriate procedure would be for the job advertiser to indicate in his job advertisement not only the personal data he is requesting but also specifically the data which he is not. This partly avoids the problem that the applicant also provides additional information, and this data will also be processed by the job advertiser. Obviously, the problem can only be partially avoided, because if the applicant still provides the data, the job advertiser will inadvertently become his data controller. In the event that the applicant nevertheless provides such data, the controller shall take all necessary measures to terminate the processing of such data, e.g. through anonymisation. 38 A good solution could be, for example, if the data controller operates his own website, through which he receives job applications, e.g. by filling in a form in which the candidate can provide only the data specified in advance by the job advertiser. 39 An important element of the job advertisement is that the applicant has to be informed about the data processing related to the job application. The data controller must comply with this obligation in accordance with Articles 12 and 13 of the GDPR. This therefore also means that the controller must accurately inform the data subject about the data controller's data and contact 33 I note that most job advertisements require a photo to be submitted, in my opinion incorrectly. This is because the portrait of the applicant as personal data, cannot really influence the filling of the position, at least it is difficult to imagine a situation where the applicant's portrait is relevant. This may be the case for jobs that specifically require the use of an image. 34 Of course, this does not apply to jobs where the existence of a nationality is required by law. 35 In this context, the § 11(3) of the Hungarian Labor Code explicitly stipulates that the employee's criminal record as a personal data may only be processed in the case specified by law or if the employer determines such a restrictive or exclusionary condition based on the nature of the job. However, the employer has the option of the latter only if the employment of the person concerned in the given position is a) a significant property interest of the employer, b) a secret protected by law or c) in context of the § 11(2) (b) -(d) would be liable to prejudice the interests protected by law. I note that I consider the processing of personal data relating to a criminal record to be irrelevant, as the reliability of the employee is not determined by the current state of an arrow record. 36  details, 40 as well as certain information about the data processing. 41 A job advertisement containing an e-mail address for the purpose of sending applicants CVs cannot be considered lawful. The obligation to provide information for data subject can be fulfilled in several ways, e.g. directly by placing it in the vacancy notice or informing it of its availability. In the latter case, an additional requirement is that the information must be available at all times throughout the data processing. 42 It should be emphasized that, in view of the general requirements in Article 12(1) of the GDPR, the information should relate to the specific processing. It is therefore inappropriate for the data controller to inform the data subject in general about his or her data processing or, in a strict sense, about the data processing related to his or her job applications. An exception to the latter is, of course, if all job applications are advertised and evaluated solely on the basis of one type of job and under the same conditions.

Questions related to the assessment of the applications
With regard to the assessment of the submitted applications, the most important requirement from a data protection point of view is that the data controller determines in advance the personal circle who is entitled to get acquainted with the personal data submitted during the job application. This includes the requirement that only those persons who are entitled to decide in this regard should be aware of the job applications submitted. This requirement can be deducted from the data security requirement in Article 32(2) of the GDPR as an appropriate organizational measure for data processing.
This data processing includes informing the data subjects about the outcome of the procedure, among which it is important to emphasize that it must always be done in a personalized way, not in groups.
Another important issue is determining the fate of personal data after the job application. In this context, a distinction should be made between successful and not successful job applications. In the case of the former, the continuation of data processing is justified, as the person with whom the data controller enters into an employment contract will come out of these applicants. In contrast, job applications that have a negative result must be deleted, because the purpose of the data processing ceases at the moment when the result of the job application is established. However, it may be interesting to examine whether there is a legitimate interest in the controller which may justify the continued storage of the submitted documents (see chapter III.4.). In certain cases may be his interest in properly developing his defence strategy if a claim is made against him on the ground that he did not meet the requirement of equal treatment in the assessment of the job application, so that his conduct was discriminatory. 43 This, of course, requires the performance of an appropriate test of proportionality to verify the lawfulness of the data processing. In this case, a further issue is to determine the duration of the data processing, which must be in line with the limitation period for claims which justify a legitimate interest. 44 It is very common for a job advertiser to view, precisely to check the personal profile of job applicants on a social page, typically Facebook and Instagram, to find out about the candidate's behaviour, uploaded pictures, etc. and draw conclusions based on their activities on social media. Through their activities on social media, individuals gain access to their privacy by disclosing information about them. 45 Given that the original purpose of a job advertiser's data processing is to select the right person for the job, which must be independent of that person's privacy, the data controller must decide whether viewing the social media site is necessary and proportionate to the purpose of the data processing. If justified by the legitimate interest of the data controller, it is lawful to view the profile of the applicant on the social network as a data processing operation. However, this requires an interest which justifies the processing and is both necessary and proportionate to achieve the purpose of the processing, while the data subject's rights and freedoms, in particular the data subject's right to privacy and the right to protection of personal data, must not take precedence. In my view, such data processing can only be justified in exceptional cases. In practice, the reason most frequently mentioned is that the data subject voluntarily disclosed his or her data, as the purpose of disclosing the data is not to provide information to a particular controller to decide to fill a post. 46 If the data controller still considers the data processing is justified, he must also inform the data subject at the latest before the data processing starts. On the other hand, concerning the applicant's activity in closed groups of social media, the processing is no longer justified, as it has been disclosed by the data subject to the closed community, and in particular not to the data controller. Besides, mention should be made of personal profiles created specifically for job searching, as well as viewing them (e.g. a portal called LinkedIn) is absolutely justified. I emphasize that informing job seekers about such data processing cannot be left out in this case either.
Commonly, prospective employers want to check the authenticity of the qualifications of their applicants. For this purpose, it is frequent that the institutions providing secondary or higher education receive a request for data verification to certify the authenticity of the data concerning the qualifications of the person applying to them. In my experience, data controllers do all this without prior informing applicants in advance. From a data protection point of view, such a practice is a matter of concern, as educational institutions are not allowed to provide data directly on their pupils or students, given that there is no adequate legal basis for data transfer. Because of this, it would be a good practice for the candidate to be informed in advance in the job application that the candidate would like to check the qualifications in the context of the job evaluation. The legitimacy of this would be ensured if the data controller ad1. requests the expressed consent of the applicant, which shall be sent to the educational institution with the request; ad2. may ask the applicant to inquire about verification of his data directly the educational institution. In my opinion, the second of the two methods outlined is the correct one, because, in the case of the first solution, there are concerns about the validity of the consent -its voluntary nature. Attention must be drawn to the fact that whichever method the data controller uses, he must in all cases inform the data subject about the data processing and its circumstances.

Certain issues of data processing in job interviews
The data controller advertising the job typically decides during a face-to-face 47 job interview, which applicant choose for the job. There are generally two types of data processing in an interview; (i) the person acting on behalf of the data controller asks questions orally to the data subject; (ii) the jog advertisers assess the professional knowledge of the candidates by completing various competency assessment tasks. In both cases, they must be pre-defined questions, the sole purpose of which can be to examine the candidate's suitability for the job. In the first case, the question arises as to whether we are talking about data processing of the verbal answers (actually the informational content of the answers) as personal data, specifically if the answers are not recorded. Can data recording in the mind of the data controller's representative be considered as manual data processing and even as a filing system? There is no doubt that the answers to the questions will be used by the data controller's representative when judging the job application, but it is questionable whether this use constitutes data processing under the GDPR. In my view, the content of data processing operations must be interpreted broadly, and the recording of data in this way must also be regarded as a data processing operation falling within the scope of the GDPR. If the answers to the questions are recorded in any way, there is no question as to the need to apply the data protection rules. Concerning the method of recording, I note that, in my view, there is no reason to record a video and audio of the interview or only a sound recording.
Completing the written test is also considered as a data processing, so the data protection rules must be applied in this context as well. An important requirement in connection with the content of the test is that it may contain only questions that are related to the filling of the position, related to the professional competencies and preparedness of the candidate. It is important that the duration of data processing can only be limited to the time of the job application.

Case of a special data processing -The 'CV register'
In practice, it is common for data controllers to keep the CVs in a separate register in order. Purpose of this data processing is typically to contact the data subject in the event of a vacancy in the future. 48 It needs to be examined which of the legal bases in Article 6(1) of the GDPR can ensure the lawfulness of this data processing. In my view, such processing may be based on the consent of the data subject. In this case, the problem of volunteering explained above does not exist because the data subject gives his consent for purpose to be contacted by the controller in connection with the filling of the position and is not related to the application for a specific position. There are two directions in which the consent can be obtained: (i) the consent can be obtained by applying for a specific job application but not by him, but the controller draws his attention to the possibility that, if he consents, the may be registered; (ii) the other option is for the controller to maintain the possibility of submitting curricula vitae to the data subjects on an ongoing basis, regardless of the vacancy, which can be solved using various methods (e.g. an IT system set up for this purpose). With regard to the former, there is also a position that in case of the failure of the job application, the legitimate interest of the data 47 Face-to-face interview does not necessarily mean direct physical presence, it can be realized e.g. via an electronic system capable of transmitting a live image. As we write these lines, we are living in a time of a pandemic, which has also resulted the online job interviews. Concerning online job interviews, new requirements arise from a data protection point of view, e.g. the data controller must select a secure communication channel to conduct the interviews. There may be a need to record job interviews, which in my opinion can only take place in extremely exceptional cases, as such data processing is not necessary to achieve the basic purpose of the data processing. The legal basis for such processing may be the legitimate interest of the controller, possibly a third party, the lawfulness of which must be substantiated by a test of proportionality. 48 KLADIVOVÁ, T.: GDPR v podnicích a související poradenství. Diplomová práce. Brno 2019, p. 29.; https://is.muni.cz/th/qmg63/Diplomova_prace_Tereza_Kladivova.pdf, (2020-12-28).
controller may also justify further data processing. 49 Given that the original purpose of data processing is to fill a specific position, i.e. the processing of personal data in the context of a specific job application, the primary legal basis for data processing other than the original purpose, in accordance with Article 6(4) of the GDPR may be the consent of the data subject. In both cases, the data controller needs to comply with the prior information obligation under Articles 12 and 13 of the GDPR, especially given that one of the conditions for the validity of the consent given by data subject is to be informed.
The data controller is also obliged to ensure that the personal data processed by him is accurate and up-to-date. 50 So, it means that the data controller must also strive to be accurate when handling CVs. In this regard, the data controller should first specify a period of time for which he wants to process data. There is a view that a period of between 6 months and 1 year can be accepted as proportionate to the duration of the data processing. 51 In my view, this would be an extremely short period of time, so that, in addition to ensuring compliance with the principles of timeliness and accuracy in other ways, the data processing can continue. The data controller has a chance to remind the data subject at certain intervals, indicating the personal data of the data subject and to provide the possibility to clarify, supplement or, at the request of the data controller, delete the data or terminate the data processing. In this case, the data processing may continue, and the withdrawal of the data subject's consent may be granted for the duration of the data processing.

IV. SUMMARY
It can be stated that pre-employment data processing is a separate data process with an independent purpose and means, which must be structured by the relevant data protection regulations. In this context, the data controller must define in advance, precisely the entire process of data processing. Within this, the controller must, following the principles of purpose limitation and data minimization, specify the personal data that are necessary to achieve the purpose of the data processing, i.e. to select the right person from among the applicants. This also includes that the data controller has to determine exactly which data have to provide the data subject, which is needed to carry out the selection procedure. The planning of the process involves determining the exact course of the selection process, indicating the persons who are entitled to know the personal data of the data subject and to make a decision based on them.
The controller must, following the principles of lawfulness, fairness, and purpose, identify the additional data processes that he may wish to carry out during the selection procedure. In this respect, the most common data process is the control of certain activities and manifestations of the data subject on social media, which raises difficult issues regarding the protection of the data subject's privacy and the definition of personal data necessary for the establishment of an employment relationship.
In many cases, data controllers may request the provision of specific data, in particular medical data (e.g. during a medical or psychological examination) or personal data relating to the criminal history of the data subject, before the establishment of the employment relationship. Such data can only be processed if there is an appropriate legal basis, the alternatives of which have been described in the study.
An important requirement is that the data controller must inform the data subject about the data processing and all related information before the data processing, which is required by