How GDPR Affects Recruitment

GDPR's effect on recruitment

GDPR affects recruitment by changing how personal data may be collected, stored and used. Processing large volumes of candidate data without an actual relationship with the candidate becomes hard to justify. How should you handle candidates' personal data, and when must you delete it? This introductory text on how GDPR affects recruitment answers those questions.


Data Processing in Recruitment

Recruitment almost always involves the processing of personal data. The processing starts when the recruiter gathers data on potential candidates and searches among them. The data can include contact details, grades, certifications, CVs, general background information, test results and other documents. It also covers personality and skills tests and the notes you take when documenting an interview with the candidate.

Update your personal data inventory (records of processing) to reflect your recruitment practices. Respect the retention periods of different data categories and make sure to delete data of unsuccessful candidates as soon as practically possible.

Sometimes it is beneficial to use an external party, such as a specialised recruitment firm. The external party will then share personal data with the hiring company, and in that situation the recruitment firm should only share data on the few selected candidates that the hiring company actually needs to see. The agreement with the external firm must be clear, and it must be accompanied by a suitably worded data processing agreement where the firm processes data on the hiring company's instructions. Where the firm instead decides purposes and means itself (for example, when it runs its own candidate pool), it acts as a controller in its own right, and the agreement should reflect that allocation of responsibilities.

GDPR Affects Different Types of Recruitment

There are mainly two ways to recruit. The first is the traditional individual job posting. The second is through a recruitment platform. Depending on how you recruit, both the legal basis for the processing and the information you must give the data subjects differ. Therefore, we first describe the legal basis and the information to provide in each situation. After that, we describe the special case of an external search. We round the article off by describing how to handle two data types that are relevant to most recruitment processes: special category data and references.

Individual Job Posting

A data subject applies to the listing of a job. The candidate sends their application to either a recruitment firm or the hiring company.

The main legal basis for the processing is contractual necessity (Article 6(1)(b)): the processing is necessary in order to take steps at the applicant's request prior to entering into an employment contract. Consent is also possible if it fulfils the legal requirements, i.e. it must be freely given, specific, informed and unambiguous. Because of the imbalance of power between an applicant and a prospective employer, consent is a weaker basis here and should be reserved for processing that the applicant can genuinely refuse without disadvantage, such as being kept on file for future openings.

It is also important to give the applicant relevant information about the processing activity. This information must be clear, and you must provide it in an appropriate and easily accessible way. The information should advise applicants not to attach sensitive data to their application. Additionally, if the legal basis for the processing is consent, you must inform the applicant of the right to withdraw that consent at any time.

If you intend to keep the application for future recruitment, GDPR requires that the applicant be informed of this, and the applicant must be able to withdraw their consent or object to the processing.

GDPR’s Effect on Recruitment Platforms

Recruitment firms and larger organisations often use recruitment platforms to process candidate data. The data can include various documents, such as a resume and notes from an interview. The data can be more or less sensitive, and sometimes it is the combination of data that could be considered intrusive. As a rule of thumb, recruitment platforms use personal data in ways that trigger a data protection impact assessment: they usually hold large-scale data sets, candidates are profiled and scored, and data sets are matched from different sources, each of which is a recognised high-risk indicator under Article 35.

The legal basis for the processing can be contract, consent or legitimate interest.
Legitimate interest can be relied on when, first, there is a documented legitimate interest and, second, that interest outweighs the applicant's interest in not having their personal data processed. Since the candidate has applied for the position and has an interest in being recruited, this balancing test is normally not a problem. But you cannot process more data than you need to fulfil the interest identified, such as providing an effective and purposeful service.

As a rule of thumb, contractual necessity is the most appropriate legal basis for most uses of personal data in a recruitment platform. Keep in mind that every functionality and use of data must be spelt out in the platform's terms and privacy policy.

Sometimes a hiring company, either on its own or with the help of a recruitment firm, performs an external search (also called headhunting). This search can be based on legitimate interest, provided that the headhunter respects the potential candidate's stated restrictions on their availability to the job market, such as a profile marked as not open to offers. The legitimate interest can, for example, be to find talented candidates for recruitment, and it can include informing those candidates of an offering and mediating it.

When a headhunter has identified candidates by searching the web, the headhunter must contact each individual and ask for their consent to proceed. Because the data was not collected from the candidate, the Article 14 information duty applies: the candidate must receive information about, for example, what personal data has been collected, from what sources, the retention periods, the recipients of the data, the purposes and legal basis, the candidate's individual rights and the fact that the candidate may object to further processing.

A rule of thumb is to communicate within the same channel as you found the CVs – such as LinkedIn Recruiter or LinkedIn. Do not export the data into your own CRM or email program and continue the recruitment process without the candidate’s consent.

For an external search to be compliant with GDPR, it cannot include more data than is strictly necessary and relevant to the job offer. You must inform the data subject about the processing, and you must give the data subject the opportunity to object to it.

Special Category Data

According to the data minimisation principle, a controller must limit the data it processes to what is necessary, assessed against the purpose of the processing. A recruiter cannot process special category data unless it is relevant to the specific job offering, and information about this collection must be provided at first contact, i.e. in the job listing. This applies both to health data (special category data under Article 9) and to criminal-record data, which is not special category data in the strict sense but is subject to its own restrictions under Article 10 and, typically, national law.

You may read more about special category data in our article about extra-sensitive data.

Managing the References

In recruitment, it is common to process the data of references. These normally include only a name and a way of contacting the reference, such as a phone number. It is the applicant's responsibility to tell the reference about the processing of their personal data, and the recruiter must inform the applicant of this responsibility. The recruiter, as controller, still owes the reference the information required by Article 14 when it makes contact, so keep that information ready for the first call or email.

In conclusion: how GDPR affects recruitment

  • Update your personal data inventory (records of processing) to reflect your recruitment practices;
  • If you use an external recruitment firm – set clear agreements, including a data processing agreement;
  • Respect the retention periods and delete data of unsuccessful candidates as soon as practically possible;
  • Individual Job Postings – be clear about any specific use of data in the job listing, and ask for the candidate's consent if you would like to keep the application for future use;
  • Recruitment Platforms – perform a data protection impact assessment before purchasing the service or developing your own to meet the requirements of the GDPR; all functionalities must be made clear in the terms and conditions and privacy policy of the platform;
  • External search and sourcing – always ask and document the candidate’s consent when you wish to progress with the candidate;
  • If you are recruiting for senior job postings that require more in-depth control of any viable candidates, then include any such information in the very beginning, in the job listing itself; and
  • When taking references, make sure that the applicant knows how you will use the reference’s data and make the candidate contact the reference before contact is made.
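The retention point above ("delete data of unsuccessful candidates as soon as practically possible") is where most recruitment set-ups fail in practice, because nothing enforces it. The following is an added example, not code from the original article: a small retention sweep that records the legal basis per candidate, erases everything immediately when consent is withdrawn or an objection is upheld, purges rejected candidates' data category by category once each category's retention period has passed, and keeps only the CV and contact details of candidates who explicitly opted in to future recruitment. The retention periods, the talent-pool rule and the sample candidates are assumptions constructed for illustration; take the real values from your own records of processing.

```python
"""Retention sweep for recruitment records.

Added example, not code from the original article. The retention
periods, the talent-pool rule and the sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class LegalBasis(Enum):
    CONTRACT = "contract"                        # steps taken at the applicant's request
    CONSENT = "consent"                          # can be withdrawn at any time
    LEGITIMATE_INTEREST = "legitimate_interest"  # e.g. external search / sourcing


class Category(Enum):
    CONTACT = "contact"
    CV = "cv"
    TEST_RESULT = "test_result"
    INTERVIEW_NOTES = "interview_notes"
    REFERENCE = "reference"


# Assumed retention after the hiring decision, per data category (days).
# The most intrusive categories (notes, test scores, referees) go first.
RETENTION_DAYS: Dict[Category, int] = {
    Category.INTERVIEW_NOTES: 30,
    Category.TEST_RESULT: 30,
    Category.REFERENCE: 30,
    Category.CV: 180,
    Category.CONTACT: 180,
}

# Assumed: with explicit consent to be kept for future openings, only the
# CV and contact details stay in the talent pool, and at most this long.
TALENT_POOL_DAYS = 365
TALENT_POOL_CATEGORIES = {Category.CV, Category.CONTACT}


@dataclass
class Candidate:
    candidate_id: str
    basis: LegalBasis
    outcome: str                        # "open", "rejected" or "hired"
    data: Dict[Category, str] = field(default_factory=dict)
    closed_on: Optional[date] = None    # date of the hiring decision
    consent_withdrawn: bool = False     # withdrawal (consent basis)
    objected: bool = False              # upheld objection (legitimate-interest basis)
    talent_pool_consent: bool = False   # explicit opt-in for future recruitment


def categories_to_purge(c: Candidate, today: date) -> List[Category]:
    """Return the data categories that must be erased for this candidate today."""
    held = list(c.data)
    # Withdrawn consent or an upheld objection ends the processing outright.
    if (c.basis is LegalBasis.CONSENT and c.consent_withdrawn) or (
        c.basis is LegalBasis.LEGITIMATE_INTEREST and c.objected
    ):
        return held
    # Hired candidates move to the employment file; open cases are still needed.
    if c.outcome != "rejected" or c.closed_on is None:
        return []
    age = (today - c.closed_on).days
    due = []
    for cat in held:
        in_pool = c.talent_pool_consent and cat in TALENT_POOL_CATEGORIES
        limit = TALENT_POOL_DAYS if in_pool else RETENTION_DAYS[cat]
        if age > limit:
            due.append(cat)
    return due


def run_retention_sweep(candidates: List[Candidate], today: date) -> Dict[str, List[str]]:
    """Erase overdue categories in place; return an audit log of what was removed."""
    log: Dict[str, List[str]] = {}
    for c in candidates:
        due = categories_to_purge(c, today)
        for cat in due:
            del c.data[cat]
        if due:
            log[c.candidate_id] = sorted(cat.value for cat in due)
    return log


def sample_candidates() -> List[Candidate]:
    """Constructed sample records (no real people)."""
    return [
        Candidate("A1", LegalBasis.CONTRACT, "rejected",
                  {Category.CV: "...", Category.CONTACT: "...", Category.INTERVIEW_NOTES: "..."},
                  closed_on=date(2024, 1, 1)),
        Candidate("B2", LegalBasis.CONTRACT, "rejected",
                  {Category.CV: "...", Category.CONTACT: "...", Category.TEST_RESULT: "..."},
                  closed_on=date(2024, 1, 1), talent_pool_consent=True),
        Candidate("C3", LegalBasis.CONSENT, "open",
                  {Category.CV: "...", Category.CONTACT: "..."}, consent_withdrawn=True),
        Candidate("D4", LegalBasis.LEGITIMATE_INTEREST, "open", {Category.CONTACT: "..."}),
        Candidate("E5", LegalBasis.CONTRACT, "hired",
                  {Category.CV: "...", Category.INTERVIEW_NOTES: "..."}, closed_on=date(2023, 1, 1)),
    ]


def sweep_sample(today_iso: str, candidates: Optional[List[Candidate]] = None):
    """Run the sweep over the sample (or a previous result) as of an ISO date."""
    candidates = sample_candidates() if candidates is None else candidates
    return run_retention_sweep(candidates, date.fromisoformat(today_iso)), candidates


if __name__ == "__main__":
    log, cands = sweep_sample("2024-03-01")
    print(log)
```

Run as a scheduled job against the real candidate store, with the audit log written somewhere the DPO can review it; the log records which categories were erased and when, which is exactly the evidence a supervisory authority asks for when it checks that the stated retention periods are actually applied.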
