GDPR Compliance in Recruitment and HR Processes

GDPR for Recruitment: Complete Compliance Guide for Recruiters, Agencies, HR Teams, and Talent Platforms

Recruitment businesses process large amounts of highly sensitive personal data—CVs, work history, salary expectations, background checks, identification documents, assessments, interview notes, and psychometric results. This makes recruitment one of the most heavily scrutinised industries under the General Data Protection Regulation (GDPR).

This page provides a complete GDPR framework tailored for recruiters, staffing agencies, executive search firms, in-house HR departments, and online talent platforms. It covers lawful bases, CV retention, candidate rights, job-board compliance, marketing vs. sourcing, automated profiling, international transfers, and data governance obligations.

1. Why GDPR Is Critical for Recruitment

Recruitment involves continuous collection, review, sharing, and storage of candidate personal data—often in large volumes and across multiple systems. This includes sensitive or potentially sensitive data such as background checks, diversity information, and interview notes.

GDPR applies to:

  • Recruitment agencies and staffing companies
  • Executive search and headhunting firms
  • HR departments processing job applicants
  • Job boards and talent marketplaces
  • ATS and recruitment software providers
  • Freelance recruiters and consultants

Failure to comply creates risk of complaints, fines, data exposure, and reputational damage.


2. What Personal Data Recruiters Process

The recruitment sector processes exceptionally broad personal data categories. You must identify and document each category processed.

Common data categories include:

  • Identity data: name, address, phone number, email
  • Employment history: CVs, previous roles, references
  • Qualifications: education, certifications, skills
  • Right-to-work documents: passports, visas, identification
  • Salary data: expectations, historical earnings
  • Background checks: criminal record data (special category)
  • Interview data: notes, recordings, assessments
  • Psychometric and personality tests
  • Equal-opportunity data: ethnicity, gender, disabilities (special category)
  • HR system metadata: ATS logs, application timestamps

Special category and criminal-offence data require stricter legal bases and additional controls.


3. Lawful Bases for Recruitment Data Processing

Contract

Used when a candidate directly applies for a role and expects processing as part of the recruitment process.

Legitimate Interests

The most common basis for:

  • Headhunting and proactive candidate sourcing
  • Maintaining a talent pool
  • Contacting candidates about relevant opportunities
  • Initial screening for suitability

A documented Legitimate Interest Assessment (LIA) is strongly recommended.

Consent

Required when processing sensitive information, and for optional or secondary uses, such as:

  • Holding CVs for future roles longer than the current recruitment process requires
  • Diversity monitoring using special-category data
  • Storing candidate profiles long-term in a talent pool
  • Recording video interviews (if optional)

Legal Obligation

Used for right-to-work checks, criminal-record checks (when legally required), and regulatory compliance.


4. Candidate Transparency Requirements

Recruiters must provide full and clear information when collecting or sourcing data, even when data is gathered from publicly available sources like LinkedIn.

Your privacy notice must explain:

  • What data you collect and why
  • How long you store CVs and profiles
  • Who you share data with (clients, background-check providers)
  • International transfers
  • Candidate rights
  • Legal bases for sourcing and contacting individuals
  • Whether profiling or automated screening is used

You must provide privacy information to candidates within a reasonable timeframe when you source them indirectly.


5. Data Retention Rules for Recruitment

The recruitment sector commonly faces enforcement actions for keeping CVs indefinitely. GDPR requires strict, documented retention schedules.

Common retention periods:

  • Active recruitment process: retain data only as long as necessary
  • Unsuccessful applicants: 6–12 months
  • Talent pool profiles: only with explicit consent
  • Right-to-work checks: based on national employment laws
  • Interview notes: typically 6–12 months

Retention periods must be enforced by deleting or anonymising the data once they expire.


6. Sharing Candidate Data With Clients

Sharing CVs and candidate profiles with client employers is a central part of recruitment but must be done transparently and securely.

You must ensure:

  • A lawful basis for sharing
  • Minimum necessary data is provided
  • Candidates are informed of which clients receive their data
  • Secure transfer methods (encrypted email or ATS portals)
  • Clients treat the data as confidential

You must not send candidate data to clients who have not been disclosed in your privacy policy or within your candidate communications.


7. Recruitment Platforms, ATS Systems, and Third-Party Providers

Recruiters rely heavily on third-party systems: ATS (Applicant Tracking Systems), recruitment CRMs, job boards, assessment platforms, background check tools, interview platforms, and cloud storage.

You must maintain:

  • A full list of all processors
  • Data Processing Agreements (DPAs) with each vendor
  • Security and compliance review processes
  • International transfer safeguards

High-risk processors (e.g., video interview platforms, psychometric test providers, cloud ATS) require stricter oversight.


8. Data Security Requirements for Recruiters

Recruitment teams are frequent targets for attacks due to the volume of identity documents and personal data they store. Strong security measures are mandatory.

Required safeguards include:

  • Encrypted storage of CVs and profiles
  • Multi-factor authentication for ATS and CRM tools
  • Role-based access control
  • Secure client communication channels
  • Regular password rotation and device security
  • Restricted access to ID documents and background checks
  • Encrypted backups
  • Staff confidentiality agreements

Recruiters must ensure candidate data is not stored in personal inboxes, messaging apps, or unapproved devices.


9. Automated Screening, Profiling, and Algorithmic Decision-Making

Many recruitment systems use AI, automated scoring, or algorithmic ranking to evaluate candidates.

Under GDPR:

  • Candidates must be informed about profiling
  • There must be transparency about the logic used
  • High-impact automated decisions require human intervention
  • Bias assessments and fairness reviews are recommended

Fully automated rejection decisions are high-risk and may be unlawful without safeguards.


10. International Transfers in Recruitment

If recruitment data is stored with non-EU vendors (e.g., US-based ATS providers), GDPR’s strict transfer rules apply.

Transfers must include:

  • Standard Contractual Clauses (SCCs) if needed
  • Supplementary technical measures (e.g., strong encryption)
  • Assessments of foreign privacy laws
  • Vendor compliance documentation

Recruitment agencies must ensure no uncontrolled transfers occur through job boards or cloud-based tools.


11. Candidate Rights Under GDPR

Candidates have extensive rights over their recruitment data.

They may request:

  • Access to all personal data held
  • Correction of inaccurate data
  • Deletion (with legitimate exceptions)
  • Restriction of processing
  • Withdrawal of consent
  • Objection to certain uses
  • Data portability

Requests must be handled within 30 days and logged for audit purposes.

Limitations:

  • Right to deletion does not override lawful retention for legal claims
  • Right to access may exclude confidential client feedback


12. Data Breach Responsibilities for Recruiters

Recruitment breaches often involve CV leaks, identity document exposure, unauthorised access, or accidental emailing of candidate profiles to the wrong client.

You must:

  • Notify the supervisory authority within 72 hours
  • Notify affected candidates when risk is high
  • Record all breach events internally
  • Implement corrective measures and training

Recruitment breaches frequently require notification due to the sensitivity of the information involved.


13. GDPR Compliance Checklist for Recruitment

  • Current privacy notice tailored to recruitment operations
  • Lawful basis register for sourcing, screening, and contacting candidates
  • Strict CV and data retention schedule
  • Consent mechanisms for talent pools and sensitive data
  • Data Processing Agreements with all vendors
  • Secure ATS and CRM with MFA enabled
  • Role-based access controls
  • Secure data transfers to clients
  • Clear log of candidate rights requests
  • Documented screening and profiling logic
  • International transfer safeguards
  • Employee confidentiality and GDPR training
  • Data breach response plan
  • Periodic reviews of sourcing and retention practices

Recruitment agencies, HR teams, and talent platforms face strict GDPR obligations due to the nature and volume of personal data they process. A structured compliance framework—covering transparency, lawful bases, retention, security, vendor management, and candidate rights—is essential to protect individuals and maintain regulatory compliance.

This guide provides the foundation for recruitment GDPR compliance and can be expanded into versions for staffing agencies, enterprise HR teams, job boards, and AI-based recruitment platforms.