GDPR: A brief guide for candidates

The Basics

Personal data is information that relates to you as an identifiable individual

Anyone processing your data must be transparent and fair to you: your personal data should be relevant, accurate, kept for no longer than necessary, safe and secure

You can help by using any tools available on websites or by staying in touch to keep your data up to date and complete your preferences as to how you want to be contacted

A data controller needs a lawful reason to process your personal data

GDPR Consent must be freely given, specific, informed and unambiguous

You also have the right to withdraw consent at any time. A data controller must then use an alternate processing ground or erase the data

Relationship with your Recruiters

Keep your recruiters up to date with your most current CV and details

Review your privacy settings on your social media and the job boards you use, making sure you are listed as available for roles

In most recruitment relationships the different parties in the supply chain will all be data controllers – they all hold your data for different purposes and are not acting as subcontractors. For example, an umbrella company is your employer

If you are an agency worker or a professional contractor you will not be the client’s data processor in a standard recruitment business relationship. You are processing their personal data on their computer systems complying with their policies and procedures. They will not transfer data to you for you to process on their behalf

Sourcing your data – Temporary and Permanent Roles


Recruiters obtain your personal data from a number of sources:

  • Direct Application – you may apply for a role or submit personal data via a job board, website or email


  • CV downloaded from a job board – the ICO has clarified that a recruiter or potential employer can download a CV from a job board and contact you, as by being on the site you have made clear that you are interested in job roles


  • Profile downloaded from LinkedIn or other social media – recruiters and employers can contact an individual who may be interested in a job on social media and professional networking sites, e.g. LinkedIn


  • If a recruiter or employer is not clear whether you are interested in finding a role they may ask for your permission to contact you about roles which may be of interest to you


Sourcing your Data – Lawful Processing Grounds

Recruiters need to rely on a lawful processing ground for all uses of personal data.

The most relevant to the recruitment sector are:

Intention to form a contract: This can be relied on by the recruiter if you have (or are taking steps with a view to entering into) a contract with a client e.g. you are going through an interview process


Legitimate Business Interests: Legitimate interests is the most flexible lawful basis for processing. These can include a recruiter’s commercial interests as they require an accurate and current database in order to introduce you to clients for roles quickly. It is likely in this situation that the lawful basis for processing for the recruitment company and their clients is legitimate interests. However, they must consider potential impacts on your rights as well

Consent: means offering you real choice and control. Consent should not be a pre-condition of a service and it is not always the right ground as free choice is not possible. Consent is generally not suitable for an employer relationship

“Just in time” consent when you are introduced to clients and permissions to represent are sensible uses of consent

Privacy Notice for Candidates

Recruiters should provide this to you at the time you choose to provide them with your personal data e.g. there could be a link to their website

If your personal data is taken from a publicly available source or obtained from a third party then notice must be provided within a reasonable time

This is the earliest of:

  • First communication with you;

  • Or, if the personal data is to be disclosed to someone else, before it is disclosed;

  • Or, one calendar month from the date the recruiter obtained your personal data.


What should recruiters and potential employers include in their Privacy Notices?

They should explain who they are and provide a contact for you to get in touch about data privacy

It should include the type of information collected: e.g. CV, application form, references

Clients may also collect other personal data such as interview notes, psychology test results

Special categories of Sensitive data – equal opportunities information, disability information, health and information on criminal convictions if appropriate to the role

Third parties who supply information: recruiters, credit reference agencies, DBS, background checkers, referees

They should explain how they intend to use the information

They should explain the lawful processing grounds they are relying on for different types of processing

They should confirm the adequacy of their data security – how they retain special categories of data and highly confidential information such as your bank details

Retention – how long they will keep your data for

Your Individual Rights

The GDPR provides the following rights for individuals:

  • The right to be informed: about the collection and use of your personal data. This will usually be done via a privacy notice when data is collected

  • The right of access: you have the right to access your personal data; this is called a Subject Access Request

  • The right to rectification: you are entitled to have personal data corrected if it is inaccurate or incomplete

  • The right to erasure: you can request the deletion or removal of personal data where there is no compelling reason for its continued processing. However, the right to erasure does not provide an absolute ‘right to be forgotten’. The recruitment business may defend their right to retain the data on the basis it is still necessary for the purpose it was originally collected or there is an overriding legitimate interest to continue the processing

  • The right to restrict processing: you have a right to ‘block’ or suppress processing of personal data. When processing is restricted, the recruitment business is still permitted to store the personal data, but not further process it. Again, this is not an absolute right and only applies in certain circumstances

  • The right to data portability: this allows you to obtain and reuse your personal data for your own purposes across different services. This right only applies to processing by automated means and it is unlikely this right will apply in a recruitment situation

  • The right to object: to processing based on legitimate business interests and marketing. The recruitment business must deal with an objection to processing for direct marketing at any time and at no cost

  • Rights in relation to automated decision making and profiling: if the recruitment business undertakes automated decision making and/or profiling, you have the right not to be subject to an automated decision and to be able to obtain human intervention, express your point of view, obtain an explanation of the decision and challenge it

Retention and Erasure of Recruitment Data

Under the Conduct of Employment Agencies and Employment Businesses Regulations 2003, recruiters must retain evidence of an introduction or supply for at least one year from the last activity, e.g. interview or engagement

Once an interview or engagement has taken place then it is legitimate for a recruiter to hold information on that commercial transaction for the limitation period of a contract claim i.e. 6 years, although they may choose not to do so

However, recruiters can decide their own retention periods as long as they have justification

Further information

If you want any clarification on how a recruitment business is processing your data, ensure you speak to the recruitment business.

Further information is available on the ICO website.

This guidance is for information only, includes our opinion and is not legal advice