GDPR vs. Recruitment

By Yulia Kuzmane, 16.07.2018, 9 minutes to read

It has been almost 2 months since the General Data Protection Regulation came into force, but there is still some uncertainty in the interpretation of some of the new rules. The recruiting function is based on collecting and processing personal data, so today we would like to figure out what GDPR means for recruitment and the processes around it.

  • Can recruiters use personal data collected from different public sources?
  • What kind of data can be handled and stored?
  • What legal ground should recruiters rely upon?
  • What to say when you’re approaching candidates?
  • Can recruiters retain personal data after candidates have refused an employment opportunity?

These are the questions recruiters should answer relying on the new regulation.  


First of all, it’s important to clarify that GDPR applies to all the companies that process data of European Union residents, no matter whether your company is based in the EU or not.

Then, let’s briefly review the main GDPR subjects from the recruitment perspective:

  • Data subject – primarily a candidate whose personal data is being processed
  • Data controller – the recruiter/sourcer or the person in a related role who determines the purposes and means of the processing of personal data
  • Data processor – the service provider which processes personal data on behalf of the recruiting function

And the other important terms:

  • Personal data – any information related to the candidate: name, an identification number, location data, an online identifier related to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity
  • Processing – any operation performed on personal data, whether or not by automated means: collection, storage, adaptation or alteration, retrieval, use, dissemination or otherwise making available, erasure or destruction, etc.

Practical implications of key GDPR principles in recruitment

It is important to consider how the recruiter can deal with the GDPR principles in order to make hiring GDPR-ready. The review will help to understand the fundamentals of the new law and map the core steps toward the adoption of the GDPR principles in recruitment.

1. Lawfulness, fairness, and transparency

The first and most fundamental GDPR principle states that personal data must be processed lawfully, fairly, and in a transparent manner.


What should be done for the processing to become lawful? It is essential to identify a valid legal ground, so-called lawful basis.

GDPR outlines 6 legal bases. The first one is consent: an indication of the candidate’s wishes by which he or she signifies agreement to the processing of his/her personal data (in the form of a statement or a clear affirmative action). This legal basis will not be suitable for sourcing candidates online, as you would have to collect too many consents before you actually hire someone. But it is very useful if you want to retain the resumes of those who did not proceed to the next stages of the recruitment process. It would be fine to ask: “Can we still hold your data for (some specific period) because we would like to consider you for another position in the future?”

Another legal basis is the contract. It is used when the data processing is necessary to fulfill a contract or when you need to take specific steps to enter into a contract. In recruitment, this legal basis can be used when the candidate is being considered for the position and you require certain data to complete the contract. For instance, the candidate has to provide a personal identity number for the contract.

The next is legal obligation: processing is necessary for you to comply with the law. It is very important to emphasize that your contractual obligations do not supersede the fundamental rights of individuals. You cannot take a contract with another company about the processing of your clients’ personal data and pass that off as a valid legal basis. Legal obligation is usually used as a basis when more specific laws require you to process employees’ data. For example, a former employee asks you to delete his data. Even though individuals have the fundamental right to be forgotten, accountancy law may require you to store the data for a long period, for example 75 years.

The fourth legal basis is vital interest, where the processing is necessary to protect the data subject’s vital interests. Although successful recruitment can feel like a lifesaver, this legal basis is hardly ever used in recruitment; it is typically linked with life-and-death situations.

Next is public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and this task has a clear basis in law. Unless you are performing public functions, there is very little practical use for this basis in recruitment.

The last one is legitimate interest. It applies when the processing is necessary for your legitimate interest or the legitimate interest of a third party, unless the individuals’ rights and freedoms override those legitimate interests. Although this legal basis is often challenged and is the subject of much speculation, it is the most suitable legal ground for recruiters.

The essential part of the concept is to carry out a balancing test between your interests and the rights and freedoms of the candidates. Obviously, the legitimate interest of the recruiter is to find the most suitable candidate, but as with any legal basis for processing, legitimate interest can only be used to the extent to which the activity is necessary. The balancing test will help you to assess necessity.

To perform it you should, firstly, identify your legitimate interest. Then, you have to assess the necessity by asking such questions as:

  • Can the purpose be achieved by other means?
  • Can we avoid processing or reduce the number of categories of personal data processed?

Remember that the processing should be consistent with GDPR and your legitimate interest.

Then consider the rights and freedoms of the candidate. Answer the questions:

  • Are the interests of the individual corresponding with the purpose of the processing?
  • Is the processing in the interest of the person whose data it relates to?
  • Can the processing be harmful to a data subject?
  • Can we ensure that individuals can exercise their rights? (e.g. right to access, right to rectification, right to erasure, right to object, right to portability)

Pay attention to the source you use to collect data, as the interests of the individuals may depend on where they left their data. You should not use private closed groups intended for family and friends; it will be impossible to balance your interest against the data subject’s in this case.

You should also make sure that you can immediately delete data or stop processing if the person is objecting. Another point to consider is whether you can ensure that individuals can exercise their rights. Do you have the ability to ensure the right to access, right to rectification, right to erasure, right to object, and right to portability?

The results of the balancing test must be documented and be available on-demand to the supervisory authority or data subject.

If you have another processing activity to perform or you decide to use the information for another purpose than that you’ve indicated as your legitimate interest, you’ll need to make another balancing test.

When using the legitimate interest as a legal basis, it’s always a matter of how you will be able to advocate your decision and justify your processing.


The second component of the first GDPR principle is fairness. In general, fairness means that you should only handle personal data in a way that people would reasonably expect and never use it in a way that has an unjustified or harmful adverse effect on them.

The fairness test should be part of the balancing test. You should consider how the processing affects the interests of data subjects and how the data is obtained. Can the individual reasonably expect his or her data to be used in this way?


Then we move to transparency. Transparent processing is all about being clear and honest about who you are, how and why you’re using personal data. It’s important to review your privacy notices. They must be easily accessible and easy to understand, written in a clear, precise, and plain language, so even a child could understand. Include the information about the purposes of the processing, retention periods, distribution of the data, and, of course, your lawful basis.

How to approach candidates online?

A related and very important topic is how to approach candidates when you have found their data online.

Here are the items you should include in your message for the candidate:

Your message does not have to be long or overly precise; you can make it friendly and easy to understand. It is fine to write “We’ll keep your CV during the recruitment process” instead of “We will store your data for eleven days”. Including a reference to your privacy policy will help to make the message shorter, as in the privacy policy you will already have described how you ensure the data subject’s rights and the rest of the required information, including the right to complain.

2. Purpose limitation

The second GDPR principle is purpose limitation. The main focus of this principle is that you obviously cannot process data unless you have a valid lawful purpose. Once a purpose is defined, you cannot process data in a way that is incompatible with that original purpose. For instance, if your legitimate interest is strongly linked with recruitment, you cannot use the personal data for other purposes. In that case you would simply fail to meet the obligations related to your legal basis.

As an example, at the beginning of the recruitment process, you collect data about the educational background, experience, technical stack, and so on. These types of data are necessary for your purposes, however, if you decide to go and do direct marketing you don’t need to store information about education, you need to simply erase it.

3. Data minimization

To comply with this principle you should always keep in mind that the data you process must be compatible with your purpose and all unnecessary data must be minimized. Ask yourself: “Do I really need this particular data to reach my purpose?” “Can I justify the data being processed?”

The supervisory authority may request you to justify why you handle, for example, the identification number, and you’ll need to come up with a valid answer.

Another important element of the minimization principle is getting rid of all the data that are no longer needed. If you’ve considered 10 candidates for a particular position and hired one, you must delete the data about 9 other candidates. You cannot store data just in case.

Introduce minimization routines to find unnecessary data and anonymize it or simply erase it. For instance, if you have personal data in your emails after the hiring process is complete, delete the data unless you have consent.

4. Accuracy

This GDPR principle is less relevant for recruitment. It states that the company must ensure the personal data is not incorrect or misleading and if it is, reasonable steps to correct it or erase must be taken as soon as possible.

5. Storage limitation

According to the storage limitation principle, you will need to assign a retention period for all the data categories you store. Answer these questions: “What principles or criteria do I use to define retention?”, “How am I going to explain why I kept the data for so long?”.

If we return to the example with 10 candidates, when assigning the retention period you are probably interested in retaining the data about the best candidates in case the chosen one fails during the probation period. In this case, it is a good idea to secure this ability with the candidates’ consent.
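The minimization routine from section 3, the per-category retention periods from this section and the immediate stop on objection from section 1 can be combined into one scheduled job over the candidate database. The following Python script is an added example written for this article; it is not code from the original page or from AmazingHiring. The data categories, the retention periods, the `Candidate` record layout and the sample records are all constructed assumptions, and a real policy would take the periods from the documented balancing test rather than from constants in a script.

```python
"""Retention, erasure and objection handling for a candidate store (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention period in days per data category. Constructed placeholder values:
# a real policy documents these together with the balancing test.
RETENTION_DAYS: Dict[str, int] = {
    "application": 30,   # CV and application data of candidates who were not hired
    "hired": 5 * 365,    # data that moved into the employment contract
}


@dataclass(frozen=True)
class Candidate:
    candidate_id: str                      # internal pseudonymous key
    name: str
    email: str
    education: str
    status: str                            # "in_process", "rejected" or "hired"
    process_closed_on: Optional[date]      # when the vacancy was closed for this person
    consent_until: Optional[date] = None   # explicit consent to keep the CV longer
    objected: bool = False                 # the person asked us to stop processing


def retention_deadline(c: Candidate) -> Optional[date]:
    """Last day on which the record may be kept, or None while it is still needed."""
    if c.status == "in_process" or c.process_closed_on is None:
        return None  # still required for the purpose it was collected for
    category = "hired" if c.status == "hired" else "application"
    deadline = c.process_closed_on + timedelta(days=RETENTION_DAYS[category])
    # Consent to keep a CV for a future position may extend the period, never shorten it.
    if c.consent_until is not None and c.consent_until > deadline:
        deadline = c.consent_until
    return deadline


def erasure_reason(c: Candidate, today: date) -> Optional[str]:
    """Why the record must go today, or None if it may be kept."""
    # An objection against legitimate-interest processing is honoured at once;
    # data of hired people sits on the contract / legal-obligation basis instead.
    if c.objected and c.status != "hired":
        return "objection"
    deadline = retention_deadline(c)
    if deadline is not None and today > deadline:
        return "retention period expired"
    return None


def apply_retention(records: List[Candidate], today: date) -> Tuple[List[Candidate], List[dict]]:
    """Return the records to keep and an accountability log of what was erased and why.

    The log holds only the internal key, the date and the reason, so that the
    erasure itself can be demonstrated without retaining the personal data.
    """
    kept, log = [], []
    for c in records:
        reason = erasure_reason(c, today)
        if reason is None:
            kept.append(c)
        else:
            log.append({"candidate_id": c.candidate_id,
                        "erased_on": today.isoformat(), "reason": reason})
    return kept, log


def sample_records() -> List[Candidate]:
    """Constructed sample data covering each branch of the policy."""
    return [
        Candidate("a", "Anna", "anna@example.invalid", "MSc", "in_process", None),
        Candidate("b", "Ben", "ben@example.invalid", "BSc", "rejected", date(2018, 5, 1)),
        Candidate("c", "Cai", "cai@example.invalid", "PhD", "rejected", date(2018, 5, 1),
                  consent_until=date(2018, 12, 31)),
        Candidate("d", "Dee", "dee@example.invalid", "BSc", "rejected", date(2018, 7, 10),
                  objected=True),
        Candidate("e", "Eva", "eva@example.invalid", "MSc", "hired", date(2018, 1, 10)),
    ]


if __name__ == "__main__":
    kept, log = apply_retention(sample_records(), date(2018, 7, 16))
    print("kept:", [c.candidate_id for c in kept])
    for entry in log:
        print("erased:", entry)
```

Run on the sample set as of 16.07.2018, the job keeps the candidate still in process, the rejected candidate who consented to a longer period and the hired one, and erases the rejected candidate whose 30-day period ran out plus the one who objected. Scheduling this daily, and keeping only the log it produces, is what lets you answer the supervisory authority’s “why did you keep the data for so long?” with a record rather than a guess.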

6. Integrity and confidentiality

This principle requires the controller to apply proper technical and organizational measures to protect the personal data they process. It is not as easy as it seems. The GDPR does not define the security measures you should have in place; it requires a level of security that is appropriate to the risk presented by your processing. But it may be very difficult to define what is appropriate.

To do it you need to assess your DISA (Defence Information Security Agency) security risk. Review the personal data you hold and the way you use it in order to assess how valuable, sensitive, or confidential it is, as well as the damage or adverse effect that may be caused if the data is to be compromised.

What is more, the main organizational and technical measures GDPR talks about are related to security awareness. You should identify a person with day-to-day responsibility for information security within your organization, and make sure that this person has appropriate resources and authority to do the job effectively. Consider having an effective information security policy that outlines your security standards, so that you are seen as a company which values and encourages information security.

Pay attention to access control: password protection, password strength, and other access management controls. And, of course, ensure online security for your website and the other online services you use. What happens if you delegate or outsource part of your processing to a third party, for example a data processor like AmazingHiring?

First of all, you need to ensure your processors are following GDPR requirements. Choose a data processor that provides sufficient guarantees about its security measures. You can ask them directly: “What security measures do you apply?”, “How do you ensure the data is safe?”.

In accordance with article 28 of GDPR, you will need to enter into a written contract that requires the processor to undertake the same security measures that you would have to take if you were doing the processing yourself. Ensure that your contract includes all information necessary to demonstrate compliance. Article 28 can help you to draft the contract.

7. Accountability

The last principle is accountability. It states that companies must be able to demonstrate compliance by:

  • adopting comprehensive policy documents
  • having processes for handling data subjects’ requests
  • reporting security breaches and keeping records of data processing activity
  • ensuring appropriate information security by design and by default
  • having a strong awareness culture within the organization

You need to have the documents and the ability to prove that you are following GDPR, that it is ingrained in your organization, that awareness is strong and that you are GDPR compliant.


Summing up the necessary steps towards GDPR ready hiring, you should:

  • Identify a proper lawful basis for data processing and justify it
  • Prepare comprehensive documentation confirming your GDPR compliance
  • Ensure that candidates can exercise their rights
  • Handle personal data in a way that people would reasonably expect and never use it in a way that has an unjustified or harmful adverse effect on them
  • Be clear and honest about who you are, how and why you’re using personal data
  • Modify the way you approach candidates according to the GDPR requirements
  • Process data in accordance with a valid lawful purpose
  • Process only necessary data
  • Collect data only from suitable sources
  • Assign the retention period for all the data categories you store and set the necessary processes
  • Ensure the data security awareness
  • Make sure that your processors are following GDPR requirements
  • Be able to demonstrate the GDPR compliance

Remember that the new Regulation came into force to ensure that individuals can exercise their rights effectively, not to make companies struggle to collect consents or enter into contracts. Using a consistent approach, you will manage to make your recruitment processes GDPR compliant without extra effort.

The material is based on the webinar Recruitment vs. GDPR prepared by AmazingHiring Data Protection Officer.

Yulia Kuzmane Head of Sales & Customer Success @ AmazingHiring Yulia is in charge of AmazingHiring's successful growth in the European region, partnering with many IT companies and recruitment agencies that are willing to re-engineer their sourcing and recruitment processes. Before joining AmazingHiring, Yulia was an HR Business Partner at several IT companies, responsible for international recruitment and relocation processes. She holds a Master’s degree in Nationalism Studies from Central European University and is a visiting lecturer at Ventspils University teaching the “International Human Resources Management” course to MBA students.
