GDPR for Recruitment Agencies: How to Handle Candidate and Client Data Compliantly
Recruitment agencies sit at the intersection of employment law, data protection law, and commercial pressure. Every day, you collect, process, and share extraordinary volumes of personal data — CVs, cover letters, references, interview notes, salary expectations, right-to-work documents, and sometimes health or disability information. Getting this right under GDPR (and UK GDPR post-Brexit) is not optional. The ICO has taken an increasing interest in the sector, and the consequences of getting it wrong — regulatory fines, reputational damage, and loss of trust from both candidates and clients — are significant.
This guide is written for recruitment agency owners, compliance leads, and managers who want to get their data protection practices in order without a law degree.
Why Recruitment Agencies Process So Much Personal Data
A typical mid-size recruitment agency might hold data on tens of thousands of candidates — active, placed, and passive. That data isn't just a name and email address. It includes:
- CVs and cover letters — employment history, qualifications, personal contact details
- References and referee details — third-party personal data you collect about others
- Interview notes — assessors' opinions, impressions, and assessments of candidates
- Salary expectations and package history — financial information
- Right-to-work documents — passports, visas, biometric residence permits
- Criminal record checks (DBS) — criminal conviction data, a special category
- Health and disability information — special category data requiring heightened protection
- Diversity and equality monitoring data — often special category data
This isn't incidental data collection. It's central to your business model. Which means your GDPR obligations are substantial.
Lawful Basis for Processing Candidate Data
One of the most contested areas in recruitment GDPR compliance is lawful basis. The ICO's guidance on recruitment is specific: you need to identify and document a lawful basis for every type of processing activity.
Consent vs Legitimate Interest — The Core Debate
Many agencies default to consent as their lawful basis for holding and processing candidate data. But the ICO has repeatedly signalled that consent is problematic in recruitment contexts because:
- The power imbalance between a job-seeking candidate and an agency that controls access to opportunities means consent may not be "freely given"
- Consent must be as easy to withdraw as to give — meaning a candidate can demand you delete all their data at any time
- Consent needs to be specific — consent to "be considered for roles" is too vague to cover sharing data with multiple employers
Legitimate interest is often a more appropriate basis, but it's not a free pass. You must complete a three-part test:
- Purpose test — Do you have a genuine legitimate interest? (Placing candidates in suitable roles: yes)
- Necessity test — Is processing the data necessary for that purpose?
- Balancing test — Does your interest override the candidate's privacy rights and reasonable expectations?
The ICO's view is that legitimate interest can support much of what agencies do — but you need to document the legitimate interest assessment (LIA) and be prepared to show it. Candidates must also be informed you're relying on legitimate interest, and they have an absolute right to object.
Contract as a Lawful Basis
Once you have a candidate registered with your agency and actively seeking placement, you can rely on contract performance (Article 6(1)(b)) for processing necessary to carry out that placement service. This covers verifying right-to-work, conducting background checks where required, and sharing CVs with prospective employers.
Special Category Data Requires More
For criminal conviction data, health information, and disability data, Article 6 isn't enough. You need both a standard lawful basis and a condition under Article 9 (or Schedule 1 of the Data Protection Act 2018 for criminal records). The most relevant conditions are:
- Explicit consent (Article 9(2)(a)) — strong but revocable
- Employment, social security, and social protection (Article 9(2)(b) / DPA 2018 Schedule 1 para 1) — applies to pre-employment vetting where there's a legal framework
- Substantial public interest — for DBS checks in regulated sectors
The CV Retention Question: How Long Can You Keep Candidate Data?
This is one of the most frequently asked — and most frequently ignored — questions in recruitment compliance.
Unsolicited CVs
When a candidate emails your agency speculatively, without being asked, the ICO's position is that you should not retain that CV indefinitely just because you received it. You should:
- Acknowledge receipt and explain what you'll do with the data
- Determine whether the candidate fits roles you're currently working on
- If not, either delete the CV or obtain proper consent to retain it for future consideration — with a defined retention period
The ICO recommends six months as a reasonable retention period for speculative CVs, absent any ongoing relationship. Many agencies retain for two years, which is defensible if communicated to candidates upfront.
Active Candidates
For candidates actively engaged with your agency, retention should reflect your genuine business need. Common approaches:
- Active candidates: Retain while actively working with them
- Placed candidates: Retain for the duration of the placement plus a reasonable period to handle disputes (typically 2-3 years)
- Unsuccessful candidates: Review after 6-12 months; delete or seek renewed consent
Whatever your retention policy, it must be documented, communicated in your privacy notice, and actually enforced. Having a policy that says "we delete CVs after 12 months" but never running the deletion process is potentially worse than having no policy — it demonstrates you've identified the obligation and ignored it.
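The "actually enforced" point above is the one that usually fails in practice, because retention lives in a policy document rather than in a scheduled job. The following is an added example, not code from the original post or from Custodia, of a retention sweep that applies the periods this article quotes (six months for speculative CVs, a review at six months and deletion at twelve for unsuccessful candidates, placement end plus two years for placed candidates, retain while active) to a set of candidate records and returns a delete/review/retain decision for each. The record structure, the status names, the use of calendar months, and the rule that a documented renewed consent pauses the clock are all assumptions of this example; the sample candidates are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Status(Enum):
    ACTIVE = "active"            # currently being worked with
    PLACED = "placed"            # placed with a client (ended or ongoing)
    UNSUCCESSFUL = "unsuccessful"  # engaged but not placed
    SPECULATIVE = "speculative"  # unsolicited CV, no ongoing relationship


class Action(Enum):
    RETAIN = "retain"
    REVIEW = "review"   # delete or seek renewed consent (human decision)
    DELETE = "delete"


@dataclass
class Candidate:
    record_id: str
    status: Status
    last_contact: date                     # last meaningful interaction
    placement_ended: Optional[date] = None  # only for PLACED candidates
    consent_valid_until: Optional[date] = None  # renewed, documented consent


# Retention periods in calendar months, taken from the figures in the article.
# These would normally be read from the written retention policy.
POLICY = {
    "speculative_months": 6,
    "unsuccessful_review_months": 6,
    "unsuccessful_delete_months": 12,
    "placed_post_placement_months": 24,
}


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the end of a shorter month."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_decision(c: Candidate, today: date, policy=POLICY) -> Tuple[Action, str]:
    """Decide what to do with one record; the reason string goes in the audit log."""
    # A renewed consent that is still in force overrides the default clock.
    if c.consent_valid_until is not None and today <= c.consent_valid_until:
        return Action.RETAIN, "renewed consent in force until %s" % c.consent_valid_until
    if c.status is Status.ACTIVE:
        return Action.RETAIN, "actively working with candidate"
    if c.status is Status.PLACED:
        if c.placement_ended is None:
            return Action.RETAIN, "placement ongoing"
        expiry = add_months(c.placement_ended, policy["placed_post_placement_months"])
        if today > expiry:
            return Action.DELETE, "post-placement period ended %s" % expiry
        return Action.RETAIN, "within post-placement period (until %s)" % expiry
    if c.status is Status.SPECULATIVE:
        expiry = add_months(c.last_contact, policy["speculative_months"])
        if today > expiry:
            return Action.DELETE, "speculative CV retention ended %s" % expiry
        return Action.RETAIN, "speculative CV within retention (until %s)" % expiry
    # Status.UNSUCCESSFUL: review window first, hard deletion after it.
    review_at = add_months(c.last_contact, policy["unsuccessful_review_months"])
    delete_at = add_months(c.last_contact, policy["unsuccessful_delete_months"])
    if today > delete_at:
        return Action.DELETE, "review window closed without renewed consent (%s)" % delete_at
    if today >= review_at:
        return Action.REVIEW, "review due since %s; delete or seek renewed consent" % review_at
    return Action.RETAIN, "unsuccessful, review due %s" % review_at


def run_retention_sweep(candidates: List[Candidate], today: date) -> Dict[Action, List[str]]:
    """Group record ids by the action the policy requires. Run this on a schedule."""
    result: Dict[Action, List[str]] = {a: [] for a in Action}
    for c in candidates:
        action, _reason = retention_decision(c, today)
        result[action].append(c.record_id)
    return result


# Constructed sample records (not real candidates).
SAMPLE = [
    Candidate("c1", Status.ACTIVE, date(2022, 1, 1)),
    Candidate("c2", Status.SPECULATIVE, date(2023, 11, 15)),
    Candidate("c3", Status.SPECULATIVE, date(2024, 1, 10)),
    Candidate("c4", Status.UNSUCCESSFUL, date(2023, 11, 1)),
    Candidate("c5", Status.UNSUCCESSFUL, date(2023, 3, 1)),
    Candidate("c6", Status.UNSUCCESSFUL, date(2022, 1, 1), consent_valid_until=date(2025, 1, 1)),
    Candidate("c7", Status.PLACED, date(2022, 1, 1), placement_ended=date(2022, 4, 30)),
    Candidate("c8", Status.PLACED, date(2024, 5, 1)),
]

if __name__ == "__main__":
    for action, ids in run_retention_sweep(SAMPLE, date(2024, 6, 1)).items():
        print(action.value, ids)
```

The sweep only produces decisions; the deletion itself should be a separate step that also calls the ATS vendor's deletion function, so that the decision log (record id, action, reason, date) survives as evidence that the policy is actually run.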
Your ATS as a Data Processor: Bullhorn, Greenhouse, Workable, Lever
If you use an applicant tracking system — Bullhorn, Greenhouse, Workable, Lever, or any other — that vendor is almost certainly a data processor under GDPR. That means:
- You are the data controller; they process data on your behalf
- You need a Data Processing Agreement (DPA) in place with them (check their standard terms — most major ATS vendors include DPAs in their agreements)
- You remain responsible for ensuring they process data only on your instructions
- If they're based outside the UK/EEA, you need appropriate transfer mechanisms (Standard Contractual Clauses, UK International Data Transfer Agreement, or adequacy decisions)
Practical steps:
- Review your ATS vendor's DPA — is it actually signed/accepted? Many agencies tick a box during setup without realising they've entered a DPA
- Check where your ATS stores data — US-based systems need SCCs or equivalent
- Ensure your ATS has appropriate security controls (SOC 2, ISO 27001, or equivalent)
- Make sure you can fulfil data subject access requests and erasure requests through your ATS — most have this functionality but it needs to be configured
Sharing Candidate Data with Client Employers
This is the core activity of your business — and one of the most data-protection-sensitive moments. When you share a candidate's CV with a hiring employer, you are disclosing personal data to a third party.
What Disclosure Is Required?
Candidates must be informed — in advance, in your privacy notice — that their data may be shared with prospective employers, and ideally that you'll seek their permission before sharing with any specific client.
Best practice:
- Explicitly inform candidates when you intend to share their profile with a specific employer, before you do so
- Give them the opportunity to object
- Record their permission (or their objection)
- Only share what's necessary — don't send full application packs (including references, right-to-work documents) to employers who only need to assess fit at CV stage
Client Agreements
Your contracts with client employers should include data protection clauses specifying:
- The employer receives candidate data as a data controller for their own recruitment process
- They must not use candidate data for any other purpose
- They must handle data in compliance with applicable data protection laws
- They must delete candidate data if the candidate isn't progressed
Background Check Providers as Data Processors
DBS checks, right-to-work verification services, reference checking platforms — all of these are data processors. The same rules apply as for your ATS:
- DPA in place before you start processing
- Appropriate security standards
- Transfer mechanisms if data leaves the UK/EEA
- Contractual restrictions on further processing
For DBS checks specifically: you can only retain DBS certificate information for as long as necessary. The Disclosure and Barring Service guidance recommends not retaining copies of certificates at all — noting the result and date is usually sufficient. If you do retain copies, they should be kept securely and destroyed once no longer needed, typically within six months.
Direct Marketing to Candidates: PECR Rules on Email Outreach
This is where many agencies unknowingly break the law. The Privacy and Electronic Communications Regulations 2003 (PECR) govern unsolicited marketing emails — including outreach to candidates about roles.
The Rule
Under PECR, you need opt-in consent to send marketing emails to individuals (as opposed to businesses). Sourcing a candidate's email from LinkedIn or a job board and cold-emailing them about a role is likely marketing, not a service communication — meaning you need prior consent.
However, there's a "soft opt-in" exception: if someone has previously enquired about your services or been in a client/candidate relationship with you, you can market similar services to them, provided they were given a clear opportunity to opt out when their data was collected, and every subsequent message includes an opt-out.
Practical Implications
- Building email lists from scraped LinkedIn data and bulk-messaging candidates is high-risk under PECR
- If you purchase candidate lists, obtain evidence of valid consent from the list provider
- Include a clear unsubscribe mechanism in every outreach email
- Track opt-outs and enforce them promptly
Social Media Sourcing: LinkedIn Scraping and GDPR
LinkedIn sourcing is standard practice in recruitment. But it sits in legally uncomfortable territory.
What's Permissible
A recruiter viewing someone's public LinkedIn profile and making a manual note for a specific live vacancy is generally within the spirit of legitimate interest — particularly if the candidate has indicated they're open to opportunities.
What's Not
- Automated scraping of LinkedIn profiles at scale (LinkedIn's own terms of service prohibit this, quite apart from GDPR)
- Building a database of scraped LinkedIn profiles for future use without informing those individuals
- Treating a public LinkedIn profile as blanket consent to contact someone about any role at any time
The ICO has been clear: processing publicly available personal data doesn't remove GDPR obligations. You still need a lawful basis, and you still need to be transparent with individuals about how their data is being used.
Best practice: When you source a candidate from LinkedIn or another social platform for the first time, disclose this in your first communication — explain who you are, why you're contacting them, how you found their data, and give them the opportunity to opt out of further contact.
Right to Erasure for Rejected Candidates
Under Article 17 of GDPR, individuals have the right to request erasure of their personal data in certain circumstances. For rejected candidates, the right is particularly relevant:
- Where processing was based on consent (which they've now withdrawn)
- Where the data is no longer necessary for the purpose it was collected
- Where they've objected to processing and there are no overriding legitimate grounds
What "Erasure" Actually Means
You can't simply archive a record. You need to delete the personal data. This means:
- Removing the candidate record from your ATS
- Deleting CVs, cover letters, interview notes, and correspondence
- Removing data from backup systems within a reasonable timeframe
- Informing any processors (ATS vendors, background check providers) to delete too
You can retain a minimal record — for example, a note that a candidate existed, the date of an erasure request, and confirmation it was fulfilled — for compliance demonstration purposes, provided this doesn't include unnecessary personal data.
Time limit: You have one calendar month to respond to an erasure request, with a possible two-month extension for complex cases, provided you inform the individual within the first month.
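The steps above (delete the record rather than archive it, instruct processors to delete their copies, keep only a minimal compliance record, and respond within one month unless an extension was notified in time) fit together as one workflow. The following is an added example, not code from the original post or from Custodia, that models it: the erasure removes the candidate record from an in-memory store, emits one deletion instruction per processor holding a copy, records an audit entry that contains no personal data, and computes the response deadline with the extension applied only if it was notified within the first month. The record layout, the list of personal fields, the processor names and the sample record are constructed assumptions of this example.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class CandidateRecord:
    record_id: str
    personal: Dict[str, str]          # name, email, CV text, interview notes, ...
    processors: List[str] = field(default_factory=list)  # vendors holding copies


@dataclass
class ErasureAudit:
    """Minimal compliance record: no personal data, only the fact of the request."""
    record_id: str
    requested: date
    fulfilled: date
    processors_instructed: List[str]


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the end of a shorter month."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(received: date, extension_notified_on: Optional[date] = None) -> date:
    """One calendar month; three in total only if the extension was notified within the first."""
    base = add_months(received, 1)
    if extension_notified_on is not None and extension_notified_on <= base:
        return add_months(received, 3)
    return base  # a late extension notice does not move the deadline


def erase_candidate(store: Dict[str, CandidateRecord], record_id: str,
                    requested: date, fulfilled: date) -> tuple:
    """Remove the record entirely and return (audit entry, processor instructions)."""
    record = store.pop(record_id)  # not a flag: the personal data is gone from the store
    # One instruction per processor; these would be sent via each vendor's deletion API.
    instructions = [
        {"processor": p, "action": "delete", "record_id": record.record_id}
        for p in record.processors
    ]
    audit = ErasureAudit(record.record_id, requested, fulfilled, list(record.processors))
    return audit, instructions


def audit_leaks_personal_data(audit: ErasureAudit, personal: Dict[str, str]) -> bool:
    """Check the audit entry against the erased values; True means something leaked."""
    serialised = repr(audit)
    return any(value and value in serialised for value in personal.values())


# Constructed sample data (not a real candidate).
STORE = {
    "r-1001": CandidateRecord(
        "r-1001",
        {"name": "A. Sample", "email": "a.sample@example.invalid",
         "cv_text": "Ten years in logistics", "interview_notes": "Strong on detail"},
        ["ats-vendor", "background-check-provider"],
    )
}

if __name__ == "__main__":
    original = dict(STORE["r-1001"].personal)
    audit, todo = erase_candidate(STORE, "r-1001", date(2024, 3, 4), date(2024, 3, 20))
    print(audit, todo, audit_leaks_personal_data(audit, original))
```

The leak check is the part worth keeping in a real system: run it over whatever you log about an erasure, because a "minimal record" that quietly includes the candidate's email defeats the purpose.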
GDPR Compliance Checklist for Recruitment Agencies
Use this checklist to assess your current position:
Lawful Basis and Documentation
- [ ] Identified and documented a lawful basis for each processing activity
- [ ] Completed Legitimate Interest Assessments where LI is relied upon
- [ ] Separate basis identified for special category data (health, criminal records)
- [ ] Basis communicated to candidates in privacy notice
Privacy Notice
- [ ] Privacy notice published and accessible on your website
- [ ] Notice covers: what data you collect, why, who you share it with, how long you keep it, and candidate rights
- [ ] Candidates given the notice at point of data collection (job application, registration)
Retention and Deletion
- [ ] Written data retention policy in place covering all candidate categories
- [ ] Automated or scheduled deletion process implemented in your ATS
- [ ] DBS certificate retention policy in line with DBS guidance
- [ ] Speculative CV retention communicated and enforced
Third Parties and Processors
- [ ] DPA in place with your ATS provider
- [ ] DPA in place with background check providers
- [ ] Transfer mechanisms in place for non-UK/EEA processors
- [ ] Client employer agreements include data protection obligations
Candidate Rights
- [ ] Process in place to handle Subject Access Requests within one month
- [ ] Process in place to handle erasure requests
- [ ] Candidates can easily opt out of marketing communications
- [ ] Objections to legitimate interest processing documented and honoured
Marketing and Outreach
- [ ] PECR compliance reviewed for all email outreach to individual candidates
- [ ] Unsubscribe mechanism in all outreach emails
- [ ] LinkedIn sourcing policy in place; candidates informed of data source on first contact
Security
- [ ] ATS access controls reviewed (role-based access, MFA)
- [ ] Policy on device use and remote access to candidate data
- [ ] Data breach response plan documented
- [ ] Staff trained on data protection obligations
Where Custodia Fits In
Your website is also collecting data — through contact forms, job application forms, cookie trackers, and analytics tools. These are often overlooked in agency compliance programmes.
Custodia scans your website and identifies what data is being collected, what third-party trackers are active, and what privacy documents you need. It's a practical starting point for agencies that want to tighten their compliance posture.
Run a free scan of your recruitment agency website →
This post provides general information about GDPR compliance for recruitment agencies operating in the UK and EU. It does not constitute legal advice. For advice tailored to your specific circumstances, consult a qualified data protection solicitor or the ICO's website at ico.org.uk.