GDPR FAQs

These FAQs are intended to be easy to read and give guidance to recruiters on specific concerns. Therefore, the information is simplified and may not be sufficient for your needs.

Commentary on issues specific to recruitment is partially based on opinion, in light of the writer’s knowledge of GDPR and the recruitment industry’s response to it at time of writing. These FAQs will be updated periodically and give guidance on: 

  • A recruiter's lawful basis for processing
  • Rights for individuals
  • Contracts and Documentation
  • Data breaches 
  • Retention


Top 10 most frequently asked questions

1. Do we need to obtain explicit consent from candidates to keep them on our database?

You will only need to do this if you have chosen consent as your basis for processing; it will depend on your approach to the GDPR. You may choose to rely on legitimate interest for holding data on your database (as long as you have considered the balancing test properly, see FAQ number 2), whilst another recruiter may decide that they will only hold data for which they have explicit consent to undertake specified activities. 

Given that the ICO has stated that "if consent is difficult look for an alternative legal basis", it would make sense to consider using legitimate interest over consent. If you rely on consent, anyone who refuses to consent or who doesn’t reply must be removed from your records. Individuals are also free to withdraw their consent at any time, which again means that they would have to be removed. You know your organisation best and should be able to identify your purposes for processing personal information. Only consider using consent where no other lawful basis applies. We strongly suggest that members review some of the Myths and Facts produced by the ICO to get a better understanding of why consent is not the "silver bullet".

If you have set a specific retention period in your retention policy and that time period is up, we would recommend that you ask whether the individual in question still wants to be on the database. This is in order not to retain the data for ‘longer than is necessary’. However, this mainly applies if you have not been using the data. If, for example, you are actively using a temporary worker who has been on your database for the set retention period, it can be assumed that the worker would like to remain on the database.

It’s already a legal requirement, when introducing an identifiable CV to a client, to obtain consent from the candidate under The Conduct of Employment Agencies and Employment Businesses Regulations (Conduct Regulations). However, in the act of finding a suitable role for which to introduce the candidate you could be relying on your legitimate interest, as that is the service you provide. See the information on legitimate interest below. Once a contract is anticipated or is entered into, the contract ground is appropriate.

If you have a statutory obligation to retain data for a certain period, you are relying on legal obligation. Again, under the Conduct Regulations there is a duty to retain records for at least a year after their creation and at least one year after the date on which you last provided work-finding services.

You should always consider whether you are being sufficiently transparent and whether the data subject would expect the particular use of their data. 

The Privacy and Electronic Communications Regulations (PECR) relates to how people send electronic communications to their customers. There are some very important points in here for recruiters. The GDPR focuses more on how the data is collected, stored and used on an ongoing basis.

Under the PECR you need consent to market to individuals (including Ltd company workers), unless you are marketing services similar to those you have previously provided to them. It is expected that PECR will also be updated and that GDPR-standard consent will be required. However, the ICO states that you can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – but only if you don’t need consent under PECR. Therefore the question of what counts as marketing in the context of your communications with your candidates and contractors will be very important.

When drafting your privacy notice, review our guidance on it, available in the GDPR toolkit.

2. Can we use legitimate business interest for our processing so we don't need to get consent from everyone?

Processing is lawful if it is necessary for the purposes of the legitimate interest pursued by the controller (you) or a third party, except where protecting the interests and rights of the data subject is more important, particularly if the data subject is under 18.

To make this decision you need to do a “balancing test”.

Legitimate interests is the most flexible lawful basis for processing and probably the most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. It is our opinion that legitimate interest is suitable for most of your processing as a recruitment company.

The GDPR does not define what factors to take into account when deciding if your purpose is a legitimate interest. It could be as simple as it being legitimate to start up a new business activity or to grow your business. Therefore, you would imagine that an individual who has applied directly for a role or has advertised their role on a job board would reasonably expect processing of their data.

If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to consider:

  • Purpose test: are you pursuing a legitimate interest?
  • Necessity test: is the processing necessary for that purpose?
  • Balancing test: do the individual’s interests override the legitimate interest?

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

You need to document your decisions on legitimate interests so that you can demonstrate compliance under the GDPR accountability principle. You must also include information about your use of legitimate interest and your purposes for processing in your privacy notice. See more information about your privacy notice in the toolkit.

If you have decided to use legitimate interests as your lawful basis please review the ICO guidance thoroughly.

3. Can we contact individuals on LinkedIn and download CVs from LinkedIn?

If a LinkedIn profile states that the person in question is happy to be contacted, it is likely that you will be able to rely on legitimate interests as your ground for processing. You can read the ICO guidance on legitimate interest here.

ICO Example: An individual creates a profile on a social networking website designed specifically for professional networking. There is a specific option to select a function to let recruiters know that the individual is open to job opportunities.

If the individual chooses to select that option, they would clearly expect those who view their profile might use their contact details for recruitment purposes and legitimate interests may be available (subject to compliance with other legal requirements, and PECR in particular). However, if they choose not to select that option, there is no such expectation, and their interests in maintaining control over their data overrides any legitimate interests of a recruitment agency or recruiting organisation.

Although reasonable expectations are an important factor, they do not automatically determine the outcome. Simply having warned the individual in advance that their data will be processed in a certain way does not necessarily mean that your legitimate interests always prevail, irrespective of harm. And in some cases you may still be able to justify unexpected processing if you have a compelling reason for it.

Therefore, in our opinion, when individuals upload data to LinkedIn they are aware, through LinkedIn’s current terms, that their data can be downloaded by third parties (unless they restrict their privacy settings).

Similar to the situation with downloaded job board data, you need to show compliance with the principles of data protection and a ground for fair processing once the personal data hits your system. The individual may be aware that recruiters will be downloading data to process for their legitimate business purposes. However, to comply with the principles the individual should be aware of who holds their data and why.

There is a potential issue with obtaining details from LinkedIn and relying on legitimate interest, as the candidate may not have actively stated that they are looking to be contacted for a job role. At the same time, the following is stated in LinkedIn’s privacy policy: “Our Services allow you to explore careers, evaluate educational opportunities, and seek out, and be found for, career opportunities. Your profile can be found by those looking to hire (for a job or a specific task) or be hired by you.” This statement could be interpreted as meaning that LinkedIn members are aware of the possibility of recruiters contacting them, and that it would therefore be lawful to rely on legitimate interest.

Since there are conflicting opinions in regard to the usage of LinkedIn, there is a risk in downloading member data unless they have opted in to be found by recruiters. The processing could fall within your legitimate interest but if it doesn’t and the act of contacting them is marketing, you would require consent.

4. What are the rules on downloading CVs from job boards?

The job boards have to make sure that their service of storing CVs and providing them to recruiters is GDPR compliant. It is your responsibility as a recruiter to make sure that you only work with job boards that are GDPR compliant (third-party due diligence) by, for example, reviewing the job boards’ privacy terms for candidates. It is up to the job board what legal ground they are relying on for data processing, but most job boards are likely to be relying on consent. The candidate would in that situation give their explicit permission for their CV to be on the job board. It is further likely that the candidates will have options about how broadly their data is used by the job board and by the job board’s clients (e.g. signed up recruiters). A candidate may give explicit consent for their CV to be downloaded by anyone or expect to be asked before download. This consent does not extend to recruitment companies; however, it reduces risk and it is likely legitimate interest would be a suitable lawful basis for you to rely on in combination with the consent-basis relied on by the job board.

ICO have given guidance on situations where a CV is found on a job board, which makes it clear that legitimate interest would be a suitable lawful basis. See example here.

ICO Example:

An individual uploads their CV to a jobs board website. A recruitment agency accesses the CV and thinks that the individual may have the skills that two of its clients are looking for and wants to pass the CV to those companies.

It is likely in this situation that the lawful basis for processing for the recruitment agency and their clients is legitimate interests.

The individual has made their CV available on a job board website for the express reason of employers being able to access this data. They have not given specific consent for identified data controllers, but they would clearly expect that recruitment agencies would access the CV and share it with their clients; indeed, this is likely to be the individual’s intention. As such, the legitimate interest of the recruitment agencies and their clients to fill vacancies would not be overridden by any interests or rights of the individual. In fact, those legitimate interests are likely to align with the interests of the individual in circulating their CV in order to find a job.

Please note, that whatever legal basis you rely on, under Article 14 GDPR, you need to tell the individual that you are holding the data. This can be done by providing the candidate with your privacy notice.

5. How can we contact/market to prospective clients whilst still being compliant?

Client data is personal data. Even an individual’s business email address can be considered personal data, as GDPR defines 'personal data' as any information which may be attributed to an identified, or identifiable, individual and relates to that individual. This also means that data relating to an IP address, personal identification number, or account identification number is personal data in exactly the same way as information relating to a name, identity, or physical address. Processing client data will be much lower risk than processing candidate data; however, you should still be careful about the information you are recording on specific individuals.

If these are existing clients, Recital 47 indicates that legitimate interests is likely to apply where you have a ‘relevant and appropriate relationship’, for example, because they are your client or employee. If you don’t have a pre-existing relationship, it is harder to demonstrate that the processing can be reasonably expected. If you obtained the data from a third party, you need to be clear what the individual was told about when that data might be passed on for use by others, and whether this covers you and your purpose for processing, as this will affect reasonable expectations. You will likely cover this by always providing a clear privacy notice.

According to the ICO, the following is allowed for B2B marketing. This, however, needs to be balanced against the rules in the GDPR:

Live calls:

  • Screen against the Corporate Telephone Preference Service (CTPS).
  • Can opt out.

Recorded calls:

  • Consumer must have given caller specific consent to make recorded marketing calls.

Emails or texts:

  • Can email or text corporate bodies.
  • Good practice to offer opt-out.
  • Individual employees can opt out.

Faxes:

  • Screen against the Fax Preference Service (FPS).
  • Can opt out.

Mail:

  • Can mail corporate bodies.
  • Individual employees can opt out.

To conclude:

  • Candidate/Ltd company/Self-employed: treat as personal data; you can market relevant services but must provide an opt-out.
  • Personal business data (e.g. an individual’s email address): personal data; you can market relevant services but must provide an opt-out.
  • Generic business data (e.g. an email address like info@ or accounts@): you can market; it is good practice to offer an opt-out.

6. What is a privacy notice?

A privacy notice informs data subjects about how an organisation collects, uses, stores, transfers and secures personal data. The GDPR defines personal data as “any information relating to a data subject” i.e. an individual.

Under Article 13 of the GDPR a party is required to provide an individual with certain information when their personal data (PD) is collected. The information that needs to be provided to data subjects is set out in our privacy notice template.

The ICO has issued guidance, ‘Privacy notices, transparency and control’, which has been updated to refer to the GDPR.

7. As a recruiter are we a controller or a processor? We are receiving data processing agreements from our clients

You are likely to be a controller when carrying out most of your activities. Controllers decide the how and why of the processing, whereas processors process data on someone else’s behalf. If your clients send data processing agreements, you should ask what personal data they think you are processing on their behalf and the nature of the processing and assess whether you agree that you are a processor. If you deem yourself to be a controller, we recommend that you do not sign a processor agreement. You could compromise by signing but adding a statement declaring that you will only process data if and when notified by the client.

If you are an MSP, you may be processing client data and hence a data processing agreement is required. 

8. As a recruitment company, when do we need to appoint a DPO?

You must appoint a data protection officer (DPO) if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

You may appoint a single DPO to act for a group of companies or for a group of public authorities, taking into account their structure and size.

Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR. 

Whether you need to appoint a DPO depends on your business and you may need independent advice. However, those that process special categories of data or criminal convictions e.g. those recruiting for social work, education or banking as their core activity and on a large scale, will do. Your core activities are the primary business activities of your organisation. So, if you need to process personal data to achieve your key objectives, this is a core activity.

Given the importance of personal data to recruitment operations you can appoint a DPO if you wish, even if you aren’t required to. If you decide to voluntarily appoint a DPO, you should be aware that the same requirements for the position and its tasks apply as if the appointment had been mandatory.

You may therefore decide to appoint a sole point of contact at a senior level or a small team with responsibility for data protection. If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the criteria, the ICO suggests it would still be a good idea to record this decision to help demonstrate compliance with the accountability principle.

You must make your own decision on whether you have to have a DPO based on your own business operations and taking your own legal advice if necessary.

See the guidance on appointing a DPO here.

9. How can I process data compliantly?

In simple terms you have to comply with the principles of fair processing in Article 5, summarised below:

  • Be transparent in relation to the data subject.
  • Tell the data subject what you are collecting the data for – be specific about what your purposes for processing data are.
  • Only collect what you need for the stated, legitimate purposes.
  • Keep the personal data up to date and accurate – inaccurate data must be deleted or rectified.
  • Don’t keep data in a form that allows identification of the data subject for longer than necessary for the legitimate purposes notified to the data subject.
  • Keep the data secure.

Keep these principles in mind as you work with personal data to keep your business compliant. You are held accountable to the data subjects and must document and show how you comply with these principles.

Furthermore, in regard to the internal process:

  • Understand your data: what you collect and hold, where you store it, why you need it, what you do with it and how long you keep it for. 
  • Make sure that data protection policies and procedures are up to date – including privacy policies, data collection forms and internal data protection and retention policies.
  • Check the basis on which you control and process personal data e.g. consent, legitimate interest, contractual obligation, legal obligation, public interest or vital interest.
  • Ensure marketing-team practices are compliant with the GDPR, the DPA and marketing regulations - via appropriate use of databases, opt-ins, or ‘recommend a candidate’ and headhunting schemes.
  • Ensure all arrangements with third parties who process data on your behalf are in writing and contain the legally required data protection clauses.
  • Consider who may be your co-controllers – this could include MSP providers.
  • Review your ICO notification to ensure it is accurate and up to date. Failure to notify new processing activities within 28 days is a criminal offence.
  • Have robust subject access request procedures – failure to comply with these requests (e.g. by disgruntled job applicants) is the main reason for ICO complaints.
  • Have a data security and security breach policy in place and communicate it to your employees.
  • Educate your staff in data protection procedures: how you are processing data, for what reasons and on what grounds. For example, when it comes to retention, the GDPR can be seen as conflicting with the Conduct Regulations.

10. Does APSCo provide guidance for processing employee data?

Employers who rely upon an employee or prospective employee’s consent to data processing in their employment contracts must take note: consent is not an appropriate ground for employee data. Those clauses will fall foul of the requirement that consent be freely given, due to the imbalance of negotiating power. Furthermore, consent clauses in an employment contract are not distinguishable from other matters. Under the GDPR employers can rely on processing being necessary for the performance of the employment contract. You must still think carefully about all the uses you make of their data, from running the payroll to posting pictures of staff on your website, when considering the wording of consent.

For new hires, you should replace the consent language in these documents with new language referencing one or more of the alternative legal bases; alternatively, it might be a better idea to simply refer to your privacy notice. For existing employees, companies will need to roll out employee privacy notices which refer to these alternative legal bases and inform the existing employees.

ICO Guidance:

Recital 47 indicates that legitimate interests is more likely to apply where you have a ‘relevant and appropriate relationship’, for example, because they are your client or employee.

Can't find what you're looking for?

Should you require further advice please contact the [email protected].