The Basics
Personal data is information that relates to you as an identifiable individual
Anyone processing your data must be transparent and fair to you: your personal data should be relevant, accurate, kept for no longer than necessary, safe and secure
You can help by using any tools available on websites or by staying in touch to keep your data up to date and complete your preferences as to how you want to be contacted
A data controller needs a lawful reason to process your personal data
GDPR Consent must be freely given, specific, informed and unambiguous
You also have the right to withdraw consent at any time. A data controller must then use an alternate processing ground or erase the data
Relationship with your Recruiters
Keep your recruiters up to date with your most current CV and details
Review your privacy settings across your social media and the job boards you use, making sure you are listed as available for roles
In most recruitment relationships the different parties in the supply chain will all be data controllers – they all hold your data for different purposes and are not acting as subcontractors. For example, an umbrella company is your employer
If you are an agency worker or a professional contractor you will not be the client’s data processor in a standard recruitment business relationship. You are processing their personal data on their computer systems complying with their policies and procedures. They will not transfer data to you for you to process on their behalf
Sourcing your data – Temporary and Permanent Roles
Recruiters obtain your personal data
from a number of sources:
Direct Application – you may apply for a role or submit personal data via a job board, website or email
CV downloaded from a Job board – the ICO has clarified that a recruiter or potential employer can download a CV from a job-board and contact you as you have made clear by being on the site you are interested in job roles
Profile downloaded from LinkedIn or other social media – recruiters and employers can contact an individual may be interested in a job on social media and professional networking sites e.g. LinkedIn
If a recruiter or employer is not clear whether you are interested in finding a role they may ask for your permission to contact you about roles which may be of interest to you
Sourcing your Data – Lawful Processing Grounds
Recruiters need to rely on a lawful processing ground for all uses of
personal data.
The most relevant to the recruitment sector are:
Intention to form a contract:
This can be relied on by the recruiter if you have (or are taking steps with a view to entering into) a contract with a client e.g. you are going through an interview process
Legitimate Business Interests:
Legitimate interests is the most flexible lawful basis for processing. These can include a recruiter’s commercial interests as they require an accurate and current database in order to introduce you to clients for roles quickly. It is likely in this situation that the lawful basis for processing for the recruitment company and their clients is legitimate interests. However, they must consider potential impacts on your rights as well
Consent: means offering you real choice and control. Consent should not be a pre-condition of a service and it is not always the right ground as free choice is not possible. Consent is generally not suitable for an employer relationship
“Just in time” consent when you are introduced to clients and permissions to represent are sensible uses of consent
Privacy Notice for Candidates
Recruiters should provide this to you at the time you choose to provide them with your personal data e.g. there could be a link on their website
If your personal data is taken from a publicly available source or obtained from a third party then notice must be provided within a reasonable time
This is the earliest of:
- First communication with you;
- Or, if the personal data is to be disclosed to someone else before it is disclosed;
- Or, one calendar month from the date you obtained personal data.
What should recruiters and potential employers contain in their Privacy Notices?
They should explain who they are and provide a contact for you to get in touch about data privacy
It should include the type of information collected: e.g. CV, application form, references
Clients may also collect other personal data such as interview notes, psychology test results
Special categories of Sensitive data – equal opportunities information, disability information, health and information on criminal convictions if appropriate to the role
Third parties who supply information: recruiters, credit reference agencies, DBS, background checkers, referees
They should explain how they intend to use the information
They should explain the lawful processing grounds they are relying on for different types of processing
They should confirm the adequacy of their data security – how they retain special categories of data and highly confidential information such as your bank details
Retention – how long they will keep your data for
Your Individual Rights
The GDPR provides the following rights for individuals:
The right to be informed: about the collection and use of your personal data. This will usually done via a privacy notice when data is collected
The right of access: you have the right to access your personal data, this is called a Subject Access Request
The right to rectification: you are entitled to have personal data corrected if it is inaccurate or incomplete
The right to erasure: You can request the deletion or removal of personal data where there is no compelling reason for its continued processing however the right to erasure does not provide an absolute ‘right to be forgotten’. The recruitment business may defend their right to retain the data on the basis it is still necessary for the purpose it was originally collected or there is an overriding legitimate interest to continue the processing
The right to restrict processing: you have a right to ‘block’ or suppress processing of personal data. When processing is restricted, the recruitment business is still permitted to store the personal data, but not further process it. Again, this is not an absolute right and only applies in certain circumstances
The right to data portability: this allows you to obtain and reuse your personal data for your own purposes across different services. This right only applies to processing by automated means and it is unlikely this right will apply in a recruitment situation
The right to object: you can object to processing based on legitimate business interests and marketing. The recruitment business must deal with an objection to processing for direct marketing at any time and at no cost
Rights in relation to automated decision making and profiling: if the recruitment business undertakes automated decision making and/or profiling you have the right not to be subject to an automated decision and be able to obtain human intervention, express your point of view and obtain an explanation of the decision and challenge it
Retention and Erasure of Recruitment Data
Under the Conduct of Employment Agencies and Employment Businesses Regulations 2003 recruiters must retain evidence of an introduction or supply for at least one year from the last activity e.g. interview or engagement
Once an interview or engagement has taken place then it is legitimate for a recruiter to hold information on that commercial transaction for the limitation period of a contract claim i.e. 6 years, although they may choose not to do so However, recruiters can decide their own retention periods as long as they have justification
This guidance is for information only, includes our opinion and is not legal advice.