Recruitment Agencies and GDPR: How to Share Candidate Data Legally

Using recruitment agencies makes hiring easier. But under GDPR, sharing candidate data with third parties creates legal obligations and risks fines if done wrong.

GDPR Basics for Recruitment

What is Personal Data?

Any information about an identifiable person:

• Name, contact details
• CV and work history
• References
• Interview notes
• Assessment results
• Right to work documents

Special category data (extra protection required):

• Health information
• Race or ethnicity
• Religious beliefs
• Sexual orientation
• Trade union membership
• Criminal convictions

The 6 Lawful Bases for Processing

To process candidate data, you need one of these:

1. Consent - Clear, specific agreement (candidates can withdraw) 2. Contract - Necessary to enter contract with them 3. Legal obligation - Required by law (e.g., right to work checks) 4. Legitimate interests - Your business need, balanced against candidate rights 5. Public task - Not relevant for private sector recruitment 6. Vital interests - Life or death situations (not relevant here)

For recruitment: Usually legitimate interests or consent.

Your Role: Controller vs Processor

Data Controller

Makes decisions about what data to collect and how to use it.

In recruitment: Usually both you and the agency are controllers.

Your obligations as controller:

• Determine purposes and means of processing
• Provide privacy notice to candidates
• Ensure lawful basis for processing
• Implement security measures
• Respond to data subject requests
• Report breaches to ICO if required

Data Processor

Processes data only on controller's instructions.

Rare in recruitment because agencies usually make their own decisions (which roles to submit candidates for, how to assess them, etc.).

If they were a processor: You'd need a data processing agreement (Article 28).

Joint Controllers (Most Common)

Both you and agency make decisions about candidate data.

Example: Agency sources candidates, does initial screening, shares CVs with you. Both deciding what to collect and why.

Your obligations:

• Written data sharing agreement
• Agree who handles data subject requests
• Agree who notifies breaches
• Both liable for GDPR compliance

Data Sharing Agreements with Agencies

What to Include

1. Parties and roles:

• Who is controller/joint controller/processor
• What each party does with data

2. Purpose and scope:

• Why data is shared (recruitment for specific roles)
• What data is shared (CVs, interview notes, references)
• Retention period

3. Lawful basis:

• What lawful basis applies (usually legitimate interests)
• How candidates are informed

4. Security measures:

• How data is shared securely (encrypted email, secure portal)
• Agency's security standards
• Access controls

5. Data subject rights:

• Who handles access requests, erasure requests, complaints
• How to coordinate responses

6. Breach notification:

• Agency must notify you within 24 hours
• Your obligation to notify ICO within 72 hours if serious

7. Sub-processing:

• Can agency share with third parties? (Usually no without consent)
• If yes, what safeguards

8. Data retention and deletion:

• How long agency keeps data
• When and how it's deleted
• Confirmation of deletion

9. Audit rights:

• Can you audit agency's compliance?
• Frequency and notice

10. Liability:

• Who is liable for breaches
• Indemnities

11. Termination:

• What happens to data when contract ends
• Deletion or return of data

Sample Clause

"The Agency will process candidate personal data only for the purpose of recruitment services for the Client. The Agency will implement appropriate technical and organizational measures to ensure data security, including [specific measures]. The Agency will notify the Client within 24 hours of becoming aware of any personal data breach."

Candidate Consent and Privacy Notices

Do You Need Consent?

Not always. Legitimate interests may be sufficient for basic recruitment processing.

When consent is better:

• Sharing with multiple third parties
• International transfers
• Special category data
• Candidates prefer clear control

Consent requirements:

• Freely given (not conditional on applying)
• Specific (clear what you're consenting to)
• Informed (told who data shared with, why, how)
• Unambiguous (clear affirmative action)
• Withdrawable (easy to withdraw consent)

Privacy Notice Requirements

You must tell candidates:

Who you are:

• Your company name and contact details
• Data protection officer (if you have one)

What data you collect:

• CV, cover letter, application form
• Interview notes, test results
• References, right to work documents

Why you collect it:

• To assess suitability for role
• To comply with legal obligations

Lawful basis:

• Legitimate interests (assessing applications)
• Consent (if relying on this)
• Legal obligation (right to work, tax)

Who you share with:

• Recruitment agencies (name them or say "third party recruiters")
• Interview panel members
• Reference providers
• Background checking services

How long you keep it:

• Successful candidates: For employment
• Unsuccessful: 6-12 months then deleted

Your rights:

• Access your data
• Rectify inaccuracies
• Request erasure
• Object to processing
• Complain to ICO

International transfers:

• If agency uses non-UK servers, state this

Where to Provide Privacy Notice

On application form:

• Link to full privacy policy
• Or brief summary with link

During recruitment:

• Reference in job ads
• Provide before/at interview
• Include in offer letter

Using Recruitment Agencies: Practical Steps

1. Choose GDPR-Compliant Agency

Check they have:

• Privacy policy that mentions GDPR
• Security measures (encryption, access controls)
• Data breach notification process
• Staff trained on GDPR
• Willingness to sign data sharing agreement

Ask:

• "Are you GDPR compliant?"
• "Do you use sub-processors?" (Who else sees candidate data?)
• "Where is data stored?" (UK, EU, or outside?)
• "How long do you keep data?"

Red flags:

• Won't sign data sharing agreement
• Vague about security measures
• Uses unsecure methods (unencrypted email)
• Keeps data indefinitely

2. Sign Data Sharing Agreement

Before sharing any candidate data.

Negotiate if needed:

• Retention periods (shorter is better)
• Sub-processing restrictions
• Liability allocation
• Breach notification terms

3. Provide Candidate Privacy Notice

Tell candidates:

• "We may use recruitment agencies to help fill this role"
• "Your CV may be shared with [agency name / 'third party recruiters']"
• "For more information, see our privacy policy [link]"

Where:

• Job ad
• Application form
• Acknowledgement email

4. Share Only Necessary Data

Share:

• CV and application form
• Job title you're recruiting for
• Selection criteria

Don't share unless necessary:

• Home address (give general location if relevant)
• National Insurance number
• Bank details
• Health information
• Anything not relevant to recruitment

5. Use Secure Transfer Methods

Good:

• Password-protected documents
• Encrypted email
• Secure file sharing portal
• Agency's secure applicant tracking system

Bad:

• Unencrypted email with CVs attached
• WhatsApp or text message
• Public cloud storage links without password

6. Monitor Agency Compliance

Periodically review:

• Are they following the agreement?
• Any data breaches reported?
• Are they deleting data as agreed?
• Still using secure methods?

Annual review: Check agency still GDPR compliant.

7. Delete Data When No Longer Needed

When role filled:

• Tell agency to delete unsuccessful candidate data
• Or specify retention period in agreement (6-12 months)
• Get confirmation of deletion

Handling Candidate Data Subject Rights

Right of Access

Candidate requests: "Show me what personal data you hold about me."

You must:

• Respond within 1 month
• Provide copy of all their data
• Tell them if you shared data with recruitment agencies
• Coordinate with agency to provide their data too

Tip: Ask agency to provide their data directly to candidate, or forward to you for consolidated response.

Right to Erasure

Candidate requests: "Delete my data."

You must:

• Delete if no longer needed for recruitment
• Tell recruitment agencies to delete too
• Confirm deletion to candidate

Exception: Can keep if needed for legal claims (e.g., they threatened discrimination claim).

Right to Rectification

Candidate requests: "Correct inaccurate information."

You must:

• Correct inaccuracies
• Tell agencies to correct their copies
• Confirm to candidate

Right to Object

Candidate requests: "Stop processing my data."

You must:

• Stop processing unless compelling legitimate grounds
• Tell agencies to stop processing
• Remove from future recruitment communications

Data Breaches

What is a Breach?

Unauthorized access, loss, alteration, or disclosure of candidate data.

Examples:

• Sending CV to wrong person/company
• Lost laptop with candidate data
• Hacked recruitment portal
• Accidentally cc'ing all candidates (revealing emails)

Your Obligations

Within 72 hours:

• Report to ICO if breach likely to harm candidates
• High risk: identity theft, discrimination, financial loss

Without undue delay:

• Notify affected candidates if high risk to them

Tell them:

• What happened
• What data was affected
• What you're doing about it
• How they can protect themselves

If agency causes breach:

• They must tell you within 24 hours (per agreement)
• You report to ICO (you're responsible as controller)

Fines for failing to report:

• Up to £8.7m or 2% of turnover

International Data Transfers

If Agency Uses Non-UK Systems

Is data stored in:

• UK: No extra requirements
• EU/EEA: Check if adequacy decision in place
• US: Check if adequacy decision or safeguards in place
• Other countries: Need appropriate safeguards

Appropriate safeguards:

• Standard Contractual Clauses (SCCs)
• Binding Corporate Rules
• Adequacy decision

Tell candidates:

• Their data may be transferred to [country]
• The safeguards in place

Penalties for Non-Compliance

GDPR Fines

Tier 1 (up to £8.7m or 2% of turnover):

• Failure to notify breach
• Inadequate security measures

Tier 2 (up to £17.5m or 4% of turnover):

• No lawful basis for processing
• Not providing privacy notice
• Violating data subject rights
• Sharing without agreement

Other Consequences

• Candidate complaints to ICO
• Damage to reputation
• Loss of trust with candidates and agencies
• Legal costs investigating/defending breach
• Having to notify all affected candidates

Key Takeaways

✓ Both you and recruitment agencies are usually joint controllers ✓ Need written data sharing agreement before sharing any CVs ✓ Provide privacy notice telling candidates you may use agencies ✓ Only share data necessary for recruitment ✓ Use secure methods to share data (encrypted email, secure portal) ✓ Coordinate with agency on data subject rights requests ✓ Agency must notify you within 24 hours of any breach ✓ Delete candidate data when no longer needed (6-12 months max) ✓ Check agency is GDPR compliant before working with them ✓ Fines up to £17.5m for serious breaches

Using recruitment agencies is fine under GDPR, but you must have the right agreements, notices, and safeguards in place. Get it wrong and both you and the agency are liable.