GDPR FAQs

These FAQs are intended to be easy to read and give guidance to recruiters on specific concerns. Therefore, the information is simplified and may not be sufficient for your needs.

Commentary on issues specific to recruitment is partially based on opinion, in light of the writer’s knowledge of GDPR and the recruitment industry’s response to it at the time of writing. These FAQs will be updated periodically and give guidance on:

  • A recruiter's lawful basis for processing
  • Rights for individuals
  • Contracts and Documentation
  • Data breaches 
  • Retention

Top 5 most frequently asked questions

1. Do we need to obtain explicit consent from candidates to keep them on our database?

You will only need to do this if you have chosen consent as your basis for processing; it will depend on your approach to the GDPR. You may choose to rely on legitimate interest for holding data on your database (as long as you have considered the balancing test properly, see FAQ number 2), whilst another recruiter may decide that they will only hold data for which they have explicit consent to undertake specified activities.

Given that the ICO has stated that "if consent is difficult look for an alternative legal basis", it would make sense to consider using legitimate interest over consent. If you rely on consent, anyone who refuses to consent or who doesn’t reply must be removed from your records. Individuals are also free to withdraw their consent at any time, which again means that they would have to be removed. You know your organisation best and should be able to identify your purposes for processing personal information. Only consider using consent where no other lawful basis applies. We strongly suggest that members review some of the Myths and Facts produced by the ICO to get a better understanding of why consent is not the "silver bullet".

If you have set a specific retention period in your retention policy and that period is up, we would recommend that you ask whether the individual in question still wants to be on the database. This is in order not to retain the data for ‘longer than is necessary’. However, this mainly applies if you have not been using the data. If, for example, you are actively using a temporary worker who has been on your database for the set retention period, it can be assumed that the worker would like to remain on the database.

It’s already a legal requirement, when introducing an identifiable CV to a client, to obtain consent from the candidate under The Conduct of Employment Agencies and Employment Businesses Regulations (Conduct Regulations). However, in the act of finding a suitable role for which to introduce the candidate you could be relying on your legitimate interest, as that is the service you provide. See the information on legitimate interest below. Once a contract is anticipated or is entered into, the contract ground is appropriate.

If you have a statutory obligation to retain data for a certain period, you are relying on legal obligation. Again, under the Conduct Regulations there is a duty to retain records for at least one year after their creation and at least one year after the date on which you last provided work-finding services.

You should always consider whether you are being sufficiently transparent and whether the data subject would expect the particular use of their data.

The Privacy and Electronic Communications Regulations (PECR) govern how organisations send electronic communications to their customers. There are some very important points in here for recruiters. The GDPR focuses more on how the data is collected, stored and used on an ongoing basis.

Under the PECR you need consent to market to individuals (including Ltd company workers), unless you are marketing similar services to those you have previously performed for them. It is expected that PECR will also be updated and that GDPR-standard consent will be required. However, the ICO states that you can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – but only if you don’t need consent under PECR. Therefore, the question of what counts as marketing in the context of your communications with your candidates and contractors will be very important.

2. Can we use legitimate business interest for our processing so we don't need to get consent from everyone?

Processing is lawful if it is necessary for the purposes of the legitimate interest pursued by the controller (you) or a third party, except where the interests and rights of the data subject override that interest, particularly if the data subject is under 18.

To make this decision you need to do a “balancing test”.

Legitimate interests is the most flexible lawful basis for processing and probably the most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. It is our opinion that legitimate interest is suitable for most of your processing as a recruitment company.

The GDPR does not define what factors to take into account when deciding if your purpose is a legitimate interest. It could be as simple as it being legitimate to start up a new business activity or to grow your business. It is therefore reasonable to assume that an individual who has applied directly for a role or has advertised their role on a job board would reasonably expect processing of their data.

If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to consider:

  • Purpose test: are you pursuing a legitimate interest?
  • Necessity test: is the processing necessary for that purpose?
  • Balancing test: do the individual’s interests override the legitimate interest?

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

You need to document your decisions on legitimate interests so that you can demonstrate compliance under the GDPR accountability principle. You must also include information about your use of legitimate interest and your purposes for processing in your privacy notice. See more information about your privacy notice in the toolkit.

If you have decided to use legitimate interests as your lawful basis please review the ICO guidance thoroughly.

3. Can we contact individuals on LinkedIn and download CVs from LinkedIn?

If a LinkedIn profile states that the person in question is happy to be contacted, it is likely that you will be able to rely on legitimate interests as your ground for processing. You can read the ICO guidance on legitimate interest here.

ICO Example: An individual creates a profile on a social networking website designed specifically for professional networking. There is a specific option to select a function to let recruiters know that the individual is open to job opportunities.

If the individual chooses to select that option, they would clearly expect that those who view their profile might use their contact details for recruitment purposes, and legitimate interests may be available (subject to compliance with other legal requirements, and PECR in particular). However, if they choose not to select that option, there is no such expectation, and their interest in maintaining control over their data overrides any legitimate interests of a recruitment agency or recruiting organisation.

Although reasonable expectations are an important factor, they do not automatically determine the outcome. Simply having warned the individual in advance that their data will be processed in a certain way does not necessarily mean that your legitimate interests always prevail, irrespective of harm. And in some cases you may still be able to justify unexpected processing if you have a compelling reason for it.

Therefore, in our opinion, when individuals upload data to LinkedIn they are aware through LinkedIn’s current terms that their data can be downloaded by third parties (unless they restrict their privacy settings).

Similar to the situation with downloaded job board data, you need to show compliance with the principles of data protection and a ground for fair processing once the personal data reaches your system. The individual may be aware that recruiters will be downloading data to process for their legitimate business purposes. However, to comply with the principles, the individual should be aware of who holds their data and why.

There is a potential issue with obtaining details from LinkedIn and relying on legitimate interest, as the candidate may not have actively stated that they are looking to be contacted about a job role. At the same time, the following is stated in LinkedIn’s privacy policy: “Our Services allow you to explore careers, evaluate educational opportunities, and seek out, and be found for, career opportunities. Your profile can be found by those looking to hire (for a job or a specific task) or be hired by you.” This statement could be interpreted as meaning that LinkedIn members are aware of the possibility of recruiters contacting them, and that it would therefore be lawful to rely on legitimate interest.

Since there are conflicting opinions in regard to the usage of LinkedIn, there is a risk in downloading member data unless they have opted in to be found by recruiters. The processing could fall within your legitimate interest but if it doesn’t and the act of contacting them is marketing, you would require consent.

4. What are the rules on downloading CVs from job boards?

The job boards have to make sure that their service of storing CVs and providing them to recruiters is GDPR compliant. It is your responsibility as a recruiter to make sure that you only work with job boards that are GDPR compliant (third-party due diligence) by, for example, reviewing the job boards’ privacy terms for candidates. It is up to the job board which legal ground they rely on for data processing, but most job boards are likely to be relying on consent. The candidate would in that situation give their explicit permission for their CV to be on the job board. It is further likely that candidates will have options about how broadly their data is used by the job board and by the job board’s clients (e.g. signed-up recruiters). A candidate may give explicit consent for their CV to be downloaded by anyone, or may expect to be asked before download. This consent does not extend to recruitment companies; however, it reduces risk, and it is likely that legitimate interest would be a suitable lawful basis for you to rely on in combination with the consent basis relied on by the job board.

The ICO has given guidance on situations where a CV is found on a job board, which makes it clear that legitimate interest would be a suitable lawful basis. See the example here.

ICO Example:

An individual uploads their CV to a jobs board website. A recruitment agency accesses the CV and thinks that the individual may have the skills that two of its clients are looking for and wants to pass the CV to those companies.

It is likely in this situation that the lawful basis for processing for the recruitment agency and their clients is legitimate interests.

The individual has made their CV available on a job board website for the express reason of employers being able to access this data. They have not given specific consent for identified data controllers, but they would clearly expect that recruitment agencies would access the CV and share it with their clients; indeed, this is likely to be the individual’s intention. As such, the legitimate interest of the recruitment agencies and their clients to fill vacancies would not be overridden by any interests or rights of the individual. In fact, those legitimate interests are likely to align with the interests of the individual in circulating their CV in order to find a job.

Please note that, whatever legal basis you rely on, under Article 14 GDPR you need to tell the individual that you are holding their data. This can be done by providing the candidate with your privacy notice.

5. How can we contact/market to prospect clients whilst still being compliant?

Client data is personal data. Even an individual’s business email address can be considered personal data, as GDPR defines 'personal data' as any information which may be attributed to an identified, or identifiable, individual and relates to that individual. This also means that data relating to an IP address, personal identification number, or account identification number is personal data in exactly the same way as information relating to a name, identity, or physical address. Processing client data will generally be much lower risk than processing candidate data; however, you should still be careful about the information you record on specific individuals.

If these are existing clients, Recital 47 indicates that legitimate interests is likely to apply where you have a ‘relevant and appropriate relationship’, for example, because they are your client or employee. If you don’t have a pre-existing relationship, it is harder to demonstrate that the processing can be reasonably expected. If you obtained the data from a third party, you need to be clear what the individual was told about when that data might be passed on for use by others, and whether this covers you and your purpose for processing, as this will affect reasonable expectations. You will likely cover this by always providing a clear privacy notice.

According to the ICO, the following is allowed for B2B marketing. This, however, needs to be balanced with the rules in the GDPR:

Live calls:

  • Screen against the Corporate Telephone Preference Service (CTPS).
  • Can opt out.

Recorded calls:

  • Consumer must have given caller specific consent to make recorded marketing calls.

Emails or texts:

  • Can email or text corporate bodies.
  • Good practice to offer opt-out.
  • Individual employees can opt out.

Faxes:

  • Screen against the Fax Preference Service (FPS).
  • Can opt out.

Mail:

  • Can mail corporate bodies.
  • Individual employees can opt out.

To conclude:

  • Candidate/Ltd company/Self-employed: treat as personal data; you can market relevant services, but provide an opt-out.
  • Personal business data (e.g. an individual’s email address): personal data; you can market relevant services, but provide an opt-out.
  • Generic business data (e.g. an email address like info@ or accounts@): you can market; it is good practice to offer an opt-out.

Can't find what you're looking for?

Should you require further advice, please contact the legal helpdesk at legalhelpdesk@apsco.org.