Recruitment agencies process personal data at industrial scale. Every CV submission, every speculative application, every candidate database search involves personal data — and UK GDPR applies to all of it.
Lawful Bases
- Legitimate interests: Processing a CV for a specific vacancy the candidate applied for
- Contract: Payroll and employment management for temp/contract workers
- Legal obligation: Right to work checks, IR35 assessments, HMRC payroll
- Consent: Retaining CVs for future roles (talent pools) — must be explicit opt-in
Talent Pools
Retaining a candidate CV after the vacancy closes requires explicit consent. This must be:
- A separate opt-in from the vacancy application
- A positive action (not pre-ticked)
- Easy to withdraw at any time
Sharing CVs with Clients
- Privacy notice must state CVs will be shared with clients
- Inform candidates before submitting to a specific client
- Clients typically become independent controllers when they receive CVs
Retention Schedule
- Unsuccessful applicants: 6–12 months
- Talent pool (with consent): 2 years then re-seek consent
- Placed permanent candidates: 6 years
- Temp/contract candidates: 6 years (payroll records)
- DBS certificates: maximum 6 months
- Interview notes: 6 months
Job Board Sourcing
When contacting candidates sourced from job boards or LinkedIn, provide your privacy notice at or before first contact (Article 14 UK GDPR).
This guide was produced by Custodia — AI-powered GDPR compliance for small businesses. Scan your recruitment website free.
Top comments (0)