Some examples of the types of personal data that are collected from prospects (or candidates) in the recruitment/job placement industry are as follows:

  • CVs (inclusive of work history and education)
  • Contact details (e.g. telephone, email, address)
  • References (including third party data of referee)
  • All forms of identification (often two types are requested)
  • Government-issued right to work permits/ certifications
  • Test records/ results e.g. psychometric test results
  • Call recordings and interview transcripts

In most if not all cases, all of the personal data collected will fall within the material and territorial scope of the GDPR. As a result, the personal data must be ‘processed’ in line with the law of the GDPR.

Article 4(2) of the GDPR defines ‘processing’ very broadly as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

So, you can safely take from this that ‘processing’ is any act performed on data!

The lifecycle of a typical recruitment company involves various data processing activities from the initial headhunting and researching of prospective candidates, invitation of and acceptance of CV submissions, tailoring of CVs, storing of candidate details in databases, to the transfer and sharing of candidate details in whole or in part to colleagues and/ or clients.

As a data controller who decides the purpose and means of all of the above processing activities, the recruitment company has various obligations under the GDPR. Data Processors who process data on behalf of a data controller and in line with the data controller’s instructions are often part of the process. For example, they might be cloud providers or operate online job boards. What both these roles have in common are the following:

  • each can be a natural person, legal entity, public authority, agency or other body;
  • they both have accountability obligations, e.g. record keeping: it is key to monitor data processing activities and to keep records of all of them, from the type of data collected, why it is collected, where it is stored, how the right to process came about (i.e. the lawful basis being relied on) and the source of the data (if indirectly collected), to the transfer of the data to data processors within the same country or outside, etc. (Article 30 – record keeping);
  • they are both responsible for personal data security;
  • they must ensure compliance with international data transfers; and,
  • they are subject to administrative fines and compensation fines.

The principles in Article 5 of the GDPR are clear and are set out as follows:

  • Lawfulness, Fairness & Transparency of Processing requires openness with candidates about the processing activities. There needs to be at least one lawful basis under Article 6 that a recruitment company is able to rely on to lawfully process personal data. This could be consent (6(1)(a)), contract (6(1)(b)), or some other legal basis such as legitimate interests (6(1)(f)).
  • Purpose Limitation requires collecting and processing for the specified ‘purpose’ only e.g. sourcing a job for a candidate; sourcing a candidate for a client. Numerous different purposes should not be bundled and authorised by garnering just one consent to cover all bases.
  • Data Minimisation & Proportionality means processing only personal data that is relevant and necessary for the ‘purpose’, i.e. only the bare minimum required to fulfil e.g. the sourcing should be collected and no more; it must be relevant and proportionate.
  • Data Quality & Accuracy includes processing up-to-date and accurate personal data. Recruitment companies need to act on requests from candidates/ clients to rectify any out-of-date or incorrect information being held about them or to delete it.
  • Storage Limitation means retaining only personal data that is relevant and necessary for the ‘purpose’. Once a candidate has accepted a placement with a client or has otherwise been unsuccessful for a specific role, then unless the recruitment company has their consent to retain (i.e. to process) their data, the general consensus is that it should be deleted. In any event, a thorough cleansing of candidate databases is advised for details held for 2+ years.
  • Integrity & Confidentiality requires ensuring that the personal data stored is secure using robust IT security measures to reduce the risk of a data breach.
  • Accountability means processing personal data responsibly and demonstrating compliance with data protection laws.

Failure to follow the GDPR on all this can result in monetary penalties. These are 2-tiered as follows:

  • the larger of 20 million euros or 4% of total worldwide annual turnover (examples of breaches that may incur this tier include breaches of data protection principles, data subject rights and international transfers); or,
  • the larger of 10 million euros or 2% of total worldwide annual turnover (most other infringements including security breaches).

Moreover, personal data breaches can result in bad press and media publicity, as well as civil and group claims, which might make a company rather unpopular.

To determine the fine to be imposed, the supervisory authority will take into account factors such as the nature, gravity and duration of the infringement; the nature, scope and purpose of processing; the number of data subjects concerned; the infringer’s degree of responsibility/cooperation with the authority; data categories, etc.

Options that a recruitment company has to support its data protection compliance programme include:

  1. Budgeting for its data protection compliance programme; and,
  2. Record keeping as mentioned above (Article 30); and,
  3. Carrying out data mapping exercises and audits. Check out our GDPR Support Package, which offers a sensible and affordable DIY audit solution to suit your budget that you can use for your business to:
     • understand what you need to do and assess your own preparations for, and levels of, GDPR compliance; and,
     • assist with the implementation of your own GDPR Compliance Programme. The document fully aligns with your key obligations in the GDPR. Get more information on the consultant-led audit.
  4. Assigning the role of chief privacy officer to a contractor or internal member of staff (or a Data Protection Officer where mandated (Articles 37 – 39));
  5. Being extra vigilant where special category data may be processed or where any profiling, i.e. automated decision making without human intervention, is taking place, as both of these are prohibited unless certain exceptions apply or safeguards are met respectively;
  6. Ensuring your contracts and policies internally and with candidates, clients and third party data processors (including cloud service providers) are GDPR compliant. Redraft and renegotiate where required and only use a trained legal professional for this task;
  7. Putting in place appropriate insurances for data breaches.

IT Security

Having the appropriate organisational and technical measures in place to protect personal data on your systems is a major responsibility. If you can’t protect it, then don’t collect it!

The more data you collect, the more risk you have. Minimise data. Cleanse and refresh data. Redundant data is burdensome so get rid!
With the retained data, the IT systems deployed must be secure and maintain high standards/ levels of “confidentiality, integrity, availability, restoration and resilience”.

Employ a ‘privacy by design’ approach to ensure that personal data concerns are dealt with at the outset of a new project and ensure maintenance of this by employing a ‘privacy by default’ approach as a follow on.

Take action now to demonstrate that you take the requirements of the GDPR seriously and respect its aims and objectives with regards to the protection of, and lawful processing of, a data subject’s personal data. Start with an audit and go from there.

Just like anything, it will become easier to manage!

Let us know if we can help you!

Author: Yvonne Morris



twitter: @CloudLegals