GDPR and the Hidden Legal Risks of Phone References
Data Protection & Employment
The Belgian Data Protection Authority's (APD/GBA) Decision 200/2025 has redrawn the legal boundaries of one of HR's most established practices: the telephone reference check. The ruling carries direct implications for companies operating under GDPR and, because Turkish KVKK is closely modelled on the EU framework, for companies subject to KVKK as well.
What Happened? The Background
An employee left their employer having signed a mutual settlement agreement in which both parties agreed not to make negative statements about each other. When the former employee applied for a new position, their new prospective employer called the former employer for a verbal reference check. The former employer stated that the candidate "lacked management experience" — a negative assessment that led to the candidate being rejected.
The candidate exercised their right of access under GDPR, requesting to know what personal data had been processed about them. Both companies responded inadequately — sending responses to wrong email addresses, providing only generic privacy policies, and failing to provide actual copies of the personal data requested.
Three Key Lessons from the Decision
1. Verbal data transfer IS data processing: The DPA, citing the CJEU's Endemol Shine Finland ruling, confirmed that personal data communicated orally constitutes data processing under GDPR. The CJEU's caveat is that the GDPR applies where the data forms part of, or is intended to form part of, a filing system; information gathered to decide on a candidate and kept in the hiring file meets that test. If the information will influence an employment decision, it falls squarely within the GDPR framework, even if the former employer never writes it down.
2. Former employers need a lawful basis: While collecting references may constitute a legitimate interest for the new employer, the former employer disclosing information about the candidate needs its own lawful basis, which in practice typically means the candidate's consent or another clearly documented ground. Without this, the data sharing is unlawful.
3. Data subject access requests demand a precise response: Sending a response to the wrong email address, providing only a generic privacy policy, or responding with "you already know your files" are unacceptable answers to a data subject access request. The right of access is an individual right to the specific personal data processed about that person, and it requires a specific, complete response.
Practical Recommendations for Employers
Reference consent form: Obtain written consent from candidates specifying which former employers may be contacted and what scope of information may be requested.
Reference-giving policy: Establish a clear internal policy on what information may be shared as a reference (e.g., dates of employment and position only, or also performance feedback) and by whom, so that an individual manager on the phone cannot exceed it.
Data subject request procedures: Implement a clear, documented procedure for responding to access requests within the GDPR deadline of one month from receipt (extendable in complex cases), providing a copy of the actual personal data processed together with complete and accurate information about the processing.
