DEV Community

Custodia-Admin

Originally published at app.custodia-privacy.com

GDPR for Temp and Contract Recruitment: Candidate Data, DBS Checks and Agency Compliance


How temp and contract recruitment agencies can comply with GDPR when handling candidate CVs, DBS check data, right to work documents, and client submissions.


Recruitment agencies occupy two distinct GDPR roles, often at the same time. You are a data controller when you decide why and how to process candidate information. You are a data processor when a client instructs you to screen, assess, or manage candidates on their behalf. Knowing which hat you are wearing at any given moment, and documenting it clearly, is the foundation of GDPR compliance for any staffing or contract recruitment business.

Temp and contract agencies face additional complexity that permanent placement firms often avoid. IR35 changes, short notice engagements, rolling contracts, and high candidate volumes create a processing environment where data flows quickly, retention decisions get deferred, and DBS check data and health information can accumulate without clear ownership.

This guide covers the key GDPR obligations for temp and contract recruitment agencies operating in the UK and EU, including the lawful bases that apply, the risks attached to special category data, ATS platform compliance, and practical steps to reduce your regulatory exposure.


Controller, Processor, or Both? Getting the Basics Right

The distinction between controller and processor matters because it determines your obligations, your liability, and what you need to document.

When you receive a CV speculatively, decide to register a candidate, set up their profile in your ATS, and begin marketing them to clients, you are acting as a data controller. The decision about what to collect and why belongs to you.

When a client engages you on a managed service basis — asking you to screen candidates against their job specification, manage their interview pipeline, or administer their on-boarding checks — you may be acting as a data processor on the client's behalf. In that case, you need a Data Processing Agreement (DPA) with the client before processing begins.

Many agencies operate as both, depending on the engagement. The practical implication: you need to identify which role applies at each stage of a candidate's journey, document your lawful basis for each processing activity, and ensure the correct contractual framework is in place with every client.


Candidate CVs and Personal Data: Lawful Bases

Candidates submit CVs expecting you to process them. But GDPR requires a documented lawful basis for every processing activity, not just good intentions.

For candidate registration and job matching, the most defensible bases are:

  • Legitimate interest — matching candidates to relevant roles is a core business function, and candidates who submit CVs to a recruitment agency have a reasonable expectation that this will happen. Conduct and document a Legitimate Interests Assessment (LIA) to confirm the balance of interests.
  • Contract — once a candidate signs a registration agreement, processing necessary to perform that contract (placing them in roles, managing payroll for temp workers) can use contractual necessity as the basis.
  • Consent — required for speculative submissions (sending a CV to a client who has not advertised a vacancy), marketing communications, and profiling candidates for roles outside their stated search criteria.

Do not rely on consent as the blanket basis for all candidate processing. Consent can be withdrawn at any time, and withdrawal obliges you to stop the processing that rested on it, which is impractical in an active staffing operation. Use consent where it is specifically required, and document legitimate interest or contract for day-to-day matching activities.


DBS Check Data: Special Category and Criminal Records

Disclosure and Barring Service (DBS) checks reveal criminal record information. Under GDPR this is not Article 9 special category data but criminal offence data under Article 10, which in the UK may only be processed under official authority or where a condition in Schedule 1 of the Data Protection Act 2018 is met. The practical obligations are very similar to those for special category data.

Agencies placing candidates into roles that require DBS checks — care workers, childcare, healthcare support, security personnel — must:

  • Identify a Schedule 1 condition that permits processing. For employment purposes, this is typically Paragraph 1 of Schedule 1 (employment, social security, and social protection), combined with an appropriate policy document.
  • Maintain a written policy document explaining why you process criminal records data, what it is used for, how long you retain it, and when it is destroyed.
  • Ensure that only the minimum necessary personnel have access to DBS results.
  • Never store DBS certificate numbers or full certificate details longer than necessary to make a placement decision. The DBS Code of Practice expects certificate information not to be kept for more than six months after the recruitment decision, and only the fact that a check was done, its level, date and reference should be recorded after that.
  • Obtain DBS checks only through the appropriate Registered Body channel and ensure your verification procedures comply with the DBS Code of Practice.

Mishandling DBS data is one of the highest-risk areas for recruitment agencies. A breach involving criminal record information, whether internal or external, will in most cases be reportable to the ICO within 72 hours of your becoming aware of it, and where the risk to the individual is high you must also tell the affected candidate.


Right to Work Documents and Identity Verification

Right to work checks involve passports, biometric residence permits, Settled Status confirmation letters, and other identity documents. These are not special category data in the GDPR sense, but they contain significant personal information and must be handled with care.

Key obligations:

  • Conduct checks only when a role requires them and retain copies only as long as required to demonstrate compliance with right to work obligations (currently the duration of employment plus two years under UK immigration rules).
  • Store copies securely, with access restricted to those who need it for compliance purposes.
  • Do not use identity documents obtained for right to work purposes for any other processing purpose.
  • Candidates have the right to access copies of their own documents held by your agency under Article 15 GDPR.

Sharing Candidate Profiles with Clients

Every time you share a candidate CV or profile with a client, you are disclosing personal data to a third party. This requires a lawful basis and the right contractual framework: a Data Processing Agreement where the client directs your processing, or a written data sharing agreement where each side decides independently what it does with the data.

If you are sending CVs to clients and those clients will make their own decisions about candidates (who to interview, who to hire), both parties are acting as independent controllers. You should have a written agreement that specifies the purpose of the transfer, each party's obligations, and what the client may do with the data.

Where clients engage you on a managed service arrangement and direct your processing activities, they may be the controller and you the processor. In that case, you need a full DPA in place under GDPR Article 28 before processing begins.

Practically speaking: review your client contracts. Most standard agency terms do not contain adequate data protection provisions. Update them.


Candidate Consent for Speculative Submissions

Sending a CV to a client who has not advertised a specific vacancy, a speculative submission, requires the candidate's specific, informed consent before you submit.

A pre-ticked box on a registration form saying "I consent to my CV being sent to clients" is not sufficient. GDPR requires consent to be specific, meaning the candidate should understand who you are submitting their profile to and why.

Practical approach: before any speculative submission, send the candidate a brief message naming the specific client, the type of role, and asking for their confirmation. Record that confirmation in your ATS. Do not submit without it.

This protects the candidate's dignity and your compliance position. If a candidate later complains to the ICO that their CV was shared without consent, you need a record to demonstrate consent was obtained.


ATS Platforms and Data Processing Agreements

Your Applicant Tracking System processes significant volumes of personal data on your behalf. Whether you use Bullhorn, Vincere, JobAdder, or another platform, your ATS vendor is a data processor and you must have a Data Processing Agreement in place.

Most enterprise ATS vendors publish standard DPAs or GDPR-compliant data processing addenda. Check that yours:

  • Clearly defines the scope of processing (what data, for what purpose)
  • Restricts the vendor from processing candidate data for their own purposes
  • Addresses international data transfers (many ATS platforms host data on US servers; confirm whether EU Standard Contractual Clauses, the UK International Data Transfer Agreement or the UK Addendum to the SCCs are in place, and whether a transfer risk assessment has been done)
  • Includes security commitments appropriate for recruitment data
  • Specifies the vendor's obligations in the event of a data breach

If your ATS vendor cannot provide a signed DPA, you should not be using them. Running Custodia's website scanner on your ATS vendor's public-facing pages can surface what third-party trackers and data processors they embed on their own site, a useful first step in assessing their data hygiene. Note that this tells you about the vendor's marketing website, not about how the product itself handles your candidate records; for that you still need the DPA, the sub-processor list and the vendor's security documentation.


Candidate Data Retention After Placement

Many recruitment agencies retain candidate data indefinitely "in case they want to be placed again." This directly conflicts with GDPR's storage limitation principle: data must not be kept longer than necessary for the purpose it was collected for.

A defensible retention policy for a temp and contract agency might be:

  • Active candidates (available for work): retain while the candidate is engaged and for a reasonable period after last contact (typically 12–24 months)
  • Placed candidates: retain for the duration of the contract plus a period to handle any disputes or references (12–24 months after final engagement)
  • Unsuccessful candidates: delete within 6 months of the role being filled, unless the candidate has consented to being considered for future roles
  • DBS check data: do not retain certificate details after the placement decision is made

Review your ATS settings to configure automatic retention alerts or deletion workflows. Manual retention management in a high-volume agency is not reliable.


IR35 Contractor Data

The 2021 off-payroll working reforms brought significant new data flows into recruitment agencies. Where you are the fee-payer in an IR35 supply chain, you will receive Status Determination Statements (SDS) from end clients and process financial and employment status data that you did not previously hold.

From a GDPR perspective:

  • SDS documents contain personal data about individual contractors and must be handled in line with your data retention and security policies.
  • Your obligations as fee-payer under the off-payroll rules mean that retaining the relevant contractor tax and payment records for the period HMRC requires (typically six years) rests on the legal obligation basis in Article 6(1)(c), not on legitimate interest. Document it as such in your ROPA.
  • Contractors have the right to request access to data held about them, including SDS records, communications about their IR35 determination, and payroll records.

Ensure your IR35 compliance process includes a data protection layer: who holds the SDS, for how long, and who has access.


Health and Disability Data in Occupational Roles

Roles in healthcare, childcare, social care, and manual labour often require candidates to disclose health conditions or undergo occupational health assessments. This is special category data under Article 9, and processing it requires both a Schedule 1 DPA 2018 condition and a written policy document.

Do not ask about health conditions unless the role genuinely requires it. If an occupational health questionnaire is required, it should be administered through a qualified occupational health provider — not retained as a raw document in your ATS.

Reasonable adjustments disclosures made by candidates under the Equality Act 2010 are information about disability and health, and should be treated as special category data. Restrict access strictly to those involved in the placement decision, do not pass the information to clients without the candidate's explicit consent, and delete it once the role is filled unless the candidate was placed and the adjustments have to be implemented during the engagement.


Subject Access Requests from Candidates

A candidate can submit a Subject Access Request (SAR) at any time, asking you to provide all personal data you hold about them. You have one month to respond, which can be extended by up to two further months for complex or numerous requests, provided you tell the candidate within the first month why you need the extension.

For temp and contract agencies, SARs from candidates are relatively common — particularly from individuals who were not placed or who believe their data was shared without consent.

Your SAR process should include:

  • A clear intake mechanism (an email address or web form dedicated to SARs), while recognising that a valid request can arrive through any channel
  • Identity verification before disclosing data
  • A systematic search across your ATS, email, CRM, shared drives, and any third-party platforms where candidate data is held
  • Redaction of third-party information (e.g., notes that reference another candidate by name)
  • A template response letter confirming what data you hold, the lawful basis for holding it, and the candidate's rights

Custodia can help agencies audit what personal data flows through their online presence — run a free scan at app.custodia-privacy.com/scan to identify any third-party data collection points your candidates interact with when visiting your website.


Marketing to Candidates and Clients Under PECR

The Privacy and Electronic Communications Regulations (PECR) govern marketing by email, SMS, and automated calls. They sit alongside GDPR and have separate requirements.

Marketing to candidates:

  • If a candidate has registered with your agency and you are sending them relevant roles, you may be able to rely on the PECR soft opt-in, provided you collected their details in the course of providing your service, gave them a simple way to refuse marketing when you collected the details, offer an opt-out in every message, and market only services similar to those they registered for.
  • Marketing unrelated products or services to candidates (such as referral schemes or financial services) requires separate, explicit consent.

Marketing to clients:

  • PECR's consent rule for email marketing protects individual subscribers, not corporate subscribers. Emailing a limited company, LLP or public body, whether at a generic address (e.g., hr@company.com) or a named employee's address, does not require prior consent under PECR, but you must identify yourself and offer an opt-out.
  • Sole traders and unincorporated partnerships are individual subscribers under PECR and need the same consent (or soft opt-in) as consumers, even when the address looks like a business one.
  • A named employee's address (e.g., john.smith@company.com) is personal data regardless of the PECR position, so you still need a GDPR lawful basis, usually legitimate interest with a documented LIA, and you must honour objections promptly.

Review your email marketing lists for both candidates and clients. Ensure unsubscribe mechanisms work, unsubscribe requests are processed promptly, and suppression lists are maintained.


Data Breaches Involving Candidate Data

A data breach in a recruitment context could be a laptop containing candidate CVs being stolen, a rogue employee downloading candidate records, an ATS vulnerability exposing candidate profiles, or accidentally emailing a candidate's CV to the wrong client.

Under GDPR, you must report breaches that are likely to result in a risk to individuals' rights and freedoms to the ICO within 72 hours of becoming aware. High-risk breaches (such as exposure of DBS data, health information, or financial records) must also be communicated to the affected candidates.

Every temp and contract agency should have a documented breach response procedure that includes:

  • A designated point of contact for reporting suspected breaches internally
  • An assessment process to determine reportability under the 72-hour rule
  • Template notifications for the ICO and for candidates
  • A log of all breaches, reportable or not (required under GDPR accountability obligations)

REC Membership and GDPR Alignment

The Recruitment and Employment Confederation (REC) publishes a Code of Professional Practice that includes obligations around data protection and candidate confidentiality. REC membership does not substitute for GDPR compliance, but the two frameworks are largely aligned.

REC members are expected to:

  • Handle candidate data confidentially and professionally
  • Not pass candidate information to clients without the candidate's knowledge
  • Maintain appropriate records of candidate consent and communications

These REC obligations map directly onto GDPR requirements. Agencies that build robust GDPR compliance programmes will find REC audit processes significantly easier to navigate.


Practical GDPR Compliance Checklist for Temp and Contract Agencies

Work through this checklist to identify gaps in your current compliance position:

Lawful basis and documentation

  • [ ] Identify your lawful basis for each category of candidate data processing (matching, payroll, DBS, health, marketing)
  • [ ] Complete and document Legitimate Interests Assessments where you rely on legitimate interest
  • [ ] Maintain a Record of Processing Activities (ROPA) covering all candidate and client data flows

Contracts and third parties

  • [ ] Review client contracts for data protection provisions — update where necessary
  • [ ] Obtain signed DPAs from your ATS provider and all other data processors
  • [ ] Confirm international data transfer mechanisms are in place for any processors based outside the UK/EEA

Special category data

  • [ ] Implement a written policy document for processing criminal records (DBS) data
  • [ ] Restrict DBS certificate retention to the minimum necessary period
  • [ ] Apply the same written policy document requirement to health and occupational data

Candidate rights

  • [ ] Implement a clear SAR intake and response process with documented timelines
  • [ ] Ensure your privacy notice covers all processing activities and is accessible to candidates before they register
  • [ ] Build opt-out and consent withdrawal mechanisms for all marketing communications

Retention and deletion

  • [ ] Set documented retention periods for each data category
  • [ ] Configure your ATS to alert you when retention periods are exceeded
  • [ ] Establish a deletion workflow for unsuccessful candidates and inactive records

Breach readiness

  • [ ] Document your breach response procedure
  • [ ] Test it at least annually
  • [ ] Maintain a breach log

How Custodia Supports Recruitment Agency Compliance

Custodia is an AI-native privacy compliance platform designed for businesses that need to get compliant without a dedicated legal team. For recruitment agencies, Custodia can scan your website and candidate-facing pages to identify third-party trackers, data collection points, and consent gaps — giving you a clear picture of your external data posture in under 60 seconds.

Run a free scan at app.custodia-privacy.com/scan to see what your website is collecting and whether your consent mechanisms meet GDPR requirements.


This guide is for informational purposes only and does not constitute legal advice. Temp and contract recruitment agencies with complex processing activities, DPO obligations, or regulatory investigations should seek specialist legal advice.
