Complete guide: applying GDPR in recruitment & direct search

About the guide: GDPR in recruitment

This guide on the processing of candidates’ personal data during recruitment processes is a collection of answers to the questions recruiters most frequently ask about GDPR-related issues in recruitment.

The GDPR guide in recruitment was created based on the experience of recruitment practitioners and lawyers specialized in the field of personal data protection. The issues addressed in the GDPR guide to recruitment were also topics of discussion during webinars conducted jointly with lawyers and experts in GDPR.

GDPR in recruitment – key terms

Processing of personal data – processing of personal data refers to any actions performed on this data, such as recording, copying, editing, or sending the data, regardless of where the data is located (e.g., in a notebook, Excel, recruitment system, on the LinkedIn platform or a mobile phone).

Legal basis for the processing of personal data:

  • consent
  • legal interest
  • legal obligation

Personal data can be processed provided that one of the three grounds is present:

Consent of the person whose data is processed. This is the most straightforward situation in which the candidate has directly or implicitly given consent for their data to be processed.

Legal interest is a situation where, due to a legitimate interest, the entity may process personal data without consent.

Legal obligation – a situation in which the law, such as the Labor Code, authorizes the processing of personal data.

To dispel any doubts: having one of the above grounds is enough to process personal data in accordance with the law. However, it is always advisable to consult with a lawyer or data protection expert to ensure that data processing is compliant with the law.

GDPR in recruitment: Frequently Asked Questions

Can a candidate's personal data be processed without their consent?

Yes, a candidate’s personal data can be processed without their consent, provided there is a legal interest or a legal obligation.

It’s also important to note that a candidate’s consent can be implicitly expressed through their actions, which confirm their interest in participating in the recruitment process. This primarily includes actions like sending a CV, scheduling an interview, or conducting a recruitment conversation via LinkedIn messages. Such actions can be interpreted as consent to participate in the recruitment process, which allows the company to process the candidate’s personal data, such as adding the candidate to the applicant tracking system or database.

Are there any other requirements, besides the three legal bases, that an employer must fulfill to process a candidate's personal data?

Indeed, there is one.

Beyond having a legal basis for data processing, regulations impose an additional requirement: the duty to inform the candidate about their data processing. This is commonly referred to as the ‘information obligation’.

In Poland, the information obligation requires the employer to provide the candidate with several pieces of information, as outlined in Articles 13 and 14 of the Polish GDPR. This primarily includes the details of the entity processing the personal data and the principles governing data processing.

A recommended practice is to prepare a ‘Data Processing Information’ document, encompassing all the elements specified in Articles 13 and 14 of the GDPR. This document is then provided to candidates, thereby fulfilling the information obligation.

When is it necessary to fulfill the obligation to inform?

The obligation to inform should be met immediately after the initiation of the candidate’s personal data processing. What does this look like in practice? Here are a few scenarios:

  1. If you’re conversing with a candidate on LinkedIn, but you’re not yet storing their data outside the platform, the obligation to inform does not apply. Since their data is processed solely on the LinkedIn platform, you as an employer do not possess their data. In this case, only LinkedIn’s regulations are applicable, which outline who processes the data (the LinkedIn platform) and under what conditions (as specified in the terms and conditions).

  2. If you’re communicating with candidates on the LinkedIn platform and storing their data outside the platform (for example, in an ATS system that allows you to manage sourcing/direct search such as the Element ATS), you’re required to fulfill the obligation to inform. In Poland, this involves providing them with the information indicated in Articles 13 and 14 of the GDPR. Additionally, there must be a legal basis for processing personal data (such as the candidate’s consent or a legitimate interest).

  3. If a candidate has submitted their CV in response to a job ad, it’s advisable to include a statement in the application form where the candidate acknowledges being informed of the obligation to inform, and either include or provide a link to the obligation within the form.

Is it permissible to provide the obligation to inform via a hyperlink, or must the candidate receive the full content of the obligation immediately?

Yes, it’s not necessary to include the full content of the obligation to inform on the application form or within the message to the candidate. It’s sufficient to provide the candidate with a link to a document or webpage that contains all the legally required information, or a link to a document (for example, a PDF) that can be displayed, downloaded, and read at their convenience.

Is it acceptable to send a link to the obligation to inform in a LinkedIn message?

Yes, absolutely. In the following question, we’ll discuss what such a message could potentially look like.

Balancing GDPR compliance and candidate engagement in everyday recruitment communication

The law mandates immediate compliance with the information obligation as soon as a candidate’s personal data is processed. However, this can be a challenging task for recruiters who are in the process of building a relationship with the candidate. Every communication, even every word, should foster this relationship, and introducing legal complexities early on can hinder the trust-building process.

Unfortunately, the law doesn’t always align with the practical needs of recruiters, and there’s no one-size-fits-all solution. However, among the less-than-ideal options, the following approach seems most effective:

  1. Initiate contact with the candidate on LinkedIn and engage in a conversation there.
  2. Add the candidate to your candidate list in your applicant tracking system, Excel, or any other tool used for sourcing or direct search activities. This action triggers the information obligation as it begins the processing of personal data outside LinkedIn.
  3. In response to one of the candidate’s messages, send a message like this: “I would like to keep in touch with you, and for this purpose, I’ll be saving your contact details. As per data protection regulations, I’m required to inform you about who will be storing your data and under what conditions. Therefore, I’m sending you a link to our data processing policy: [link] 🙂 Best regards, and let’s stay in touch :)”

This example demonstrates one way to integrate the information obligation into the conversation with the candidate. It’s helpful to have this or similar phrasing readily available for easy copy-pasting. The link should direct the candidate to the document or website containing the information obligation.

An alternative scenario worth considering is when the candidate has already agreed to send their CV. In such cases, it’s best to ask the candidate to submit their CV through an application form (e.g., a form generated by the Element ATS) instead of sending it via LinkedIn message or email. This way, they can immediately give their GDPR consent and access the information obligation.

For more information on how to prepare consent on the application form, please refer to the later part of this guide. Here’s an example message to the candidate in the discussed scenario: “If possible, please submit your CV using the application link: [link]. This way, you will immediately appear in my recruitment system, and we will have your GDPR consents, saving you the need to add or manually send those consents anywhere 🙂”

Is the source of a candidate's data relevant? (LinkedIn vs Facebook and Other Platforms)

While it may initially appear that the source of a candidate’s data could be significant, in reality, the rules for processing personal data remain consistent, regardless of the platform from which the data originated.

Whether the data is sourced from LinkedIn, Facebook, or any other platform, the following requirements must be met when we store this data in our own resources, such as a recruitment system or a notebook:

  1. A legal basis for processing must be established. This can be one of the following: consent, legitimate interest, or legal obligation.
  2. The information obligation must be fulfilled.

It’s important to note that the specific platform used for recruitment, such as LinkedIn, does not alter these requirements. The same principles apply whether the data is sourced from LinkedIn, Facebook, TikTok, or even Tinder. The law does not differentiate or prescribe different procedures based on the platform used.

How long can a candidate's personal data be processed?

The GDPR does not provide a definitive time frame for the processing of a candidate’s personal data. Instead, it stipulates that personal data should not be processed for longer than is necessary for the purposes for which the data is being processed.

The term “necessary for the purposes of data processing” is open to interpretation and should be considered on a case-by-case basis. A common practice suggests a period of 14 days following the conclusion of the recruitment process (for administrative purposes) as an acceptable duration.

As of September 10, 2022, a court ruling has been issued that contradicts the decision of the President of the Personal Data Protection Law Office (UODO). This ruling suggests that an employer may retain a candidate’s CV for up to 3 years following the conclusion of the recruitment process. More details can be found in my article discussing this ruling.

In my view, which should be considered as personal opinion rather than legal advice, the necessary duration for data processing extends as long as there is a realistic possibility of hiring the candidate. In the event of a legal dispute, it would be incumbent upon us to demonstrate that all candidates whose data we are processing are genuinely being considered for the position they applied for.

It’s important to differentiate between a candidate’s consent to participate in a specific recruitment process and consent for future processes. For a specific recruitment process, the candidate’s personal data can be processed until the conclusion of that process and for a brief period (e.g., the aforementioned 14 days) thereafter. However, if the recruitment process is ongoing because we are continuously seeking candidates for a specific position, the situation becomes more complex. If a candidate is not the first choice and is kept in the process as a backup, the process remains open, and a final decision regarding the candidate is not made. In such a scenario, it’s unclear how a court would interpret the processing of the candidate’s data for an extended period, such as 12 months.

When it comes to consent for future recruitment processes, the GDPR does not provide specific guidelines. In my experience implementing Element ATS in various companies, I’ve observed that most companies apply 12- or 24-month terms for consent to future recruitment processes. However, some companies interpret consent for future recruitment processes as indefinite until the candidate revokes it. Unfortunately, there is no universally accepted solution in this regard.

Can a single general consent for all recruitment processes be included in the application form for a specific job position, along with the data processing information?

No, this is not permissible in Poland. When a candidate applies for a specific job position through a particular job ad, it is not appropriate to require consent for future recruitment processes. The best practice is to provide the candidate with two separate consent options:

  1. Mandatory Consent: This is for the specific recruitment process the candidate is applying for, and it should include a link to the data processing information.
  2. Optional Consent: This is for future recruitment processes. In this case, it is not necessary to repeat the information already approved in the first consent box, including the link to the data processing information.

Is consent for future recruitment processes mandatory?

No, it is not, unless we are dealing with a so-called spontaneous application. In this scenario, the candidate is not applying for a specific position but is submitting their CV for potential future recruitment opportunities. This type of consent can be incorporated, for example, into an application form linked to a ‘Submit CV’ button, which could be located on the careers page. This allows any candidate to submit their CV, regardless of whether there are current recruitment processes underway.

In the context of LinkedIn activities, we may engage with a potential candidate whom we’d like to include in our database for future recruitment processes. In such cases, we can either provide a specific application form that includes consent for future recruitment processes, or we can request the candidate to send their CV through a different method (e.g., email, LinkedIn message). If we have informed the candidate that we will retain their CV for future recruitment purposes, their submission of the CV can be interpreted as implied consent to participate in future processes. In this situation, we no longer need to obtain formal consent, but we are still required to fulfill the data processing information obligation. We have previously discussed how to do this.

Does submitting a CV imply consent for data processing?

Yes, it does. Any action by the candidate that can be interpreted as an expression of their interest in participating in the recruitment process can also be considered as their consent to the processing of their personal data for that specific recruitment process. In these instances, there’s no need to obtain formal consent, such as a clause added to the CV, sent in a message, or selected on the application form.

Does implied consent apply to future recruitment processes?

The answer varies.

If a candidate submits their resume in the context of a specific recruitment process, then no, implied consent does not extend to future recruitment processes. In this case, we can only infer consent for that particular recruitment process.

Similarly, if a candidate submits their CV via an application form for a specific position, and this form does not include any consent clauses for the candidate to mark, then we infer consent solely for participation in the recruitment process for that specific job position within that specific job advertisement.

However, if we discuss with a candidate the option of keeping their CV in our ATS for various ongoing or future projects and the candidate submits their CV, or if the candidate submits a CV using a general application form not tied to any specific recruitment process, then we interpret such actions as consent to participate in future recruitment processes. It’s always recommended to prepare a template response message with the privacy notice and a request for consent for future recruitments.

Can personal data be processed without fulfilling the information obligation?

According to the law, the information obligation cannot be bypassed, so the answer is no.

What's the difference between having fulfilled the information obligation without obtaining consent and having obtained explicit consent?

The difference lies in whether there’s a legal basis for processing the candidate’s personal data.

Remember, consent is just one of the three legal grounds for processing a candidate’s data. The absence of consent doesn’t negate the possibility of having a legitimate interest or obligation to process the data. Therefore, if there’s a legitimate interest, then the situation is the same for both employers – both have fulfilled the information obligation and have a legal basis for processing personal data. However, if the employer lacks a legal basis, they must obtain it, for example, by securing the candidate’s consent.

Should we renew consent for an extended data processing period?

If you wish to extend the period of processing a candidate’s personal data, it’s necessary to obtain their consent once again. Simply fulfilling the information obligation doesn’t extend the data processing period set by the employer. However, it’s advisable to send a message to the candidate, such as:

‘Good morning, due to the extended recruitment process and new projects on the horizon, we’d like to extend the period of storing your CV in our candidate database by another 12 months. If you agree, please click the provided link, which will automatically extend this period in our system. Thank you in advance!’

The link mentioned would lead to an application form where the candidate can review the consent content and the information obligation once again.

Is it necessary to always fulfill the information obligation when storing candidate data outside LinkedIn, even if the candidate's actions indicate interest in the recruitment process?

Yes, it’s always necessary to fulfill the information obligation. However, explicit consent isn’t always required. Consent can be implied from the candidate’s actions, and in some cases, consent may not be necessary at all if there’s a legitimate interest or legal obligation to process the data.

Is it permissible to share candidate data within the same organization and under entrustment agreements?

Yes, you can share candidate data within the same organization, provided all employees who are authorized to process this data are aware of their responsibilities. However, if you wish to share personal data with individuals outside of your organization, you must inform the candidate about who else will be processing their data and under what conditions. This is part of the information obligation. Additionally, you must obtain the candidate’s consent to disclose their data to other entities, unless the data processing is being outsourced.

Consider the example of covert recruitment: During a conversation with a candidate, you might inform them that you’re a recruiter working for various clients and that you’d like them to participate in the recruitment process. At this stage, you don’t disclose the specific employer involved in the recruitment. You might conduct the selection process yourself or send anonymized data to the employer. If you want to provide a complete CV with the candidate’s personal data, you must obtain consent to provide the data to the specific employer, and that employer should fulfill the information obligation under Article 14 of the Polish GDPR.

Are there any notable court cases related to the processing of job candidates' personal data?

To date, there haven’t been any widely recognized court cases specifically concerning the processing of job candidates’ personal data. However, there was an incident handled by the President of the Office for Personal Data Protection (PUODO) in Poland. This case involved a recruitment process conducted by a Polish customs and tax office, which had posted the data of participating candidates on its website.

This case was noteworthy because while the act of publishing the data was legal, there was no stipulation regarding the duration for which the data should be displayed on the website. The PUODO, who was alerted to the situation through a complaint from one of the candidates, determined that the data had been publicly accessible for an excessive period of time, which was unjustifiable given the purpose and legal basis of the data processing. The PUODO subsequently ordered the removal of the data. This case underscores the importance of monitoring the duration of data processing, ensuring it doesn’t exceed the purpose and legal basis of the processing.



Maciej Michalewski

CEO @ Element. Recruitment Automation Software

