Tags: GDPR recruitment, GDPR recruitment agencies, GDPR in recruitment, data protection recruiting, GDPR candidate data

GDPR for Recruitment Agencies: The Practical Guide That Skips the Legalese

GDPR compliance for recruiting agencies doesn't have to be painful. Practical guide covering consent, data retention, candidate rights, and what your ATS should handle automatically.

Janis Kolomenskis


Most GDPR guidance for recruiters was written by lawyers, for lawyers. It's technically accurate and practically useless. This guide is different: it's built for the recruiter who processes 300 CVs a month and needs to know exactly what to do — not a theoretical framework for what compliance looks like in principle.

GDPR for recruitment agencies means every candidate record needs a documented lawful basis, a retention limit, and a deletion workflow — starting from the moment you store a CV. According to SHRM research on talent acquisition compliance, data handling failures in recruitment are among the top three legal risks for agencies operating across EU member states. This guide covers legitimate interest vs consent, how long you can keep CVs, and what your ATS must handle automatically to keep you on the right side of data protection law.

Nearly eight years after GDPR became applicable, enforcement against recruitment agencies has picked up. The UK ICO fined a recruitment firm £98,000 in 2023 for retaining candidate data far beyond any legitimate business purpose. France's CNIL has issued warnings to agencies for sourcing LinkedIn profiles without a valid legal basis. The German supervisory authorities (in practice the Länder data protection authorities, which supervise private-sector companies, rather than the federal BfDI) continue to scrutinise data sharing between staffing agencies and client companies under the joint controller question.

The agencies getting caught aren't being careless — they just never built proper data hygiene into their workflows. That's fixable. Here's how.

Legitimate Interest vs Consent: When to Use Each

This is the question that trips up more recruiters than any other. You've sourced a candidate on LinkedIn. You've received a speculative CV. A former client has referred someone. Do you need consent to store their data? The answer depends on the context.

When legitimate interest works

Legitimate interest (Article 6(1)(f) of GDPR) lets you process candidate data without explicit consent — provided you can pass a three-part test: there's a legitimate interest at stake, processing is necessary to achieve it, and that interest isn't overridden by the candidate's rights and expectations.

For recruitment agencies, the ICO's guidance (published October 2023) accepts legitimate interest for processing data from candidates who have actively engaged with you or who have a reasonable expectation of being contacted about relevant roles. Specifically:

  • Candidates who submitted their CV directly to you for a specific role
  • Candidates sourced from professional networks (LinkedIn, Xing, etc.) when they're contactable and their profile is clearly career-oriented
  • Candidates referred by clients or contacts, where the referrer has a reasonable basis for passing on their details
  • Candidates who were previously placed through your agency and agreed to talent pool retention at the time (keep the record of that agreement; it is what you will be asked for)

The key phrase from ICO guidance: the candidate must be able to "reasonably expect" that a recruitment agency might contact them. A director-level executive with a public LinkedIn profile actively listing their career history? Reasonable expectation is there. A person whose personal email you found via a company directory for an unsolicited approach? Much harder to justify under legitimate interest.

When you need consent instead

Consent (Article 6(1)(a)) is required — or strongly advisable — in several scenarios:

Talent pool retention beyond the original role. Someone applied for a specific position, you didn't place them. Now you want to keep their CV for future opportunities. Legitimate interest is weak here — their expectation was specific to that role. You need an active opt-in: "May we retain your details for suitable future opportunities?"

Special category data. Disability or health information (including adjustments requested for an interview), trade union membership, and anything else listed in Article 9 needs an Article 9 condition on top of your Article 6 basis. In recruitment that condition is usually explicit consent, although health data collected to make reasonable adjustments can rest on the employment-law condition. Criminal records data such as DBS check results is governed separately by Article 10 (in the UK, through Schedule 1 of the Data Protection Act 2018) and needs its own documented condition. Right-to-work documents are not special category data in themselves, but they reveal nationality and immigration status, so collect them only at the point you actually need them. Ordinary professional memberships are not special category data.

Marketing communications to candidates. Newsletters, market updates, salary surveys — anything that's not directly related to placing them in a role needs a separate consent, independent of their application consent.

Children's data. Rare in executive search, but if you work in sectors where apprenticeships or graduate programmes apply, different rules apply to anyone under 18.

The practical upshot: build a default "talent pool opt-in" into every application and registration process. Make it separate from the terms of service, make the language plain, record when and how each opt-in was given, and make opting out as easy as opting in. That single change removes most of the consent-related compliance issues an agency will encounter.

"Legitimate interest is the right tool for most recruitment processing — but only when the candidate has a reasonable expectation of being contacted. That reasonable expectation has to be documented, not assumed."

Data Retention: How Long Can You Actually Keep CVs?

GDPR doesn't specify a number. That's deliberate — the regulation requires you to determine an appropriate period based on your actual purpose. What the ICO, CNIL, and BfDI all agree on: "indefinitely" is never appropriate, and "until we delete things" is not a retention policy.

What regulators expect

The ICO's Employment Practices Code and the guidance that followed it suggest recruitment agencies think in terms of two categories:

Active candidates (placed or in active process): Data can be retained for as long as there's a legitimate ongoing relationship — typically 12-24 months from last contact for candidates in your active pipeline. Once placed, the data supporting that placement can be retained for the duration of any guarantee period plus a reasonable margin (usually 6-12 months) in case of disputes.

Inactive talent pool candidates: 12 months is the most commonly cited reasonable period in UK ICO guidance, with a re-consent mechanism at the 12-month point. Some agencies operate on 24 months with a documented legitimate interest assessment backing that up. Beyond 24 months without re-contact or re-consent, data retention becomes very hard to justify.

France's CNIL is stricter. Their formal recommendation (published under Délibération 2020-092) specifies 2 years from last contact as the outer limit for candidate data, with re-consent required before that period expires if you want to retain further. German data protection authorities — BfDI at the federal level, but also the Länder supervisory authorities — follow similar logic, compounded by the BDSG's stricter requirements around employment-related data.

What your retention policy should actually say

A practical retention schedule for a recruitment agency might look like this:

Data category                       | Retention period            | Legal basis
Active application (unsuccessful)   | 6 months                    | Legitimate interest (discrimination claim window)
Talent pool opt-in candidate        | 12 months, then re-consent  | Consent
Successfully placed candidate       | Placement date + 12 months  | Legitimate interest / contract
Right-to-work checks                | Employment end + 2 years    | Legal obligation
Interview notes                     | 6 months from interview     | Legitimate interest
Financial records (invoices, fees)  | 7 years                     | Legal obligation (tax law)

The 6-month window for unsuccessful applications isn't arbitrary. Employment tribunal claims under the UK Equality Act must be brought within three months of the act complained of, extended by the ACAS early conciliation period, so six months comfortably covers the window in which you may need the records to defend a claim. Keeping data for at least this long protects the agency; keeping it much longer without cause creates exposure.

"Beyond 24 months without re-contact or re-consent, candidate data retention becomes very hard to justify under any European regulatory framework. Most agencies are sitting on years of data they have no legal basis to hold."

The Right to Erasure: A Practical Workflow

Candidates have the right to request deletion of their data (Article 17). When one does, you have one calendar month from receipt to respond, extendable by a further two months only for complex or numerous requests, and only if you tell the candidate why within the first month. "Respond" means acting on it, not just acknowledging it.

Here's what often goes wrong: agencies receive an erasure request by email, forward it to whoever manages the CRM, and assume it's handled. Weeks later, the candidate is still appearing in searches because the request got lost, the data is in three different systems, or no one documented what was deleted.

A reliable erasure workflow looks like this:

  1. Acknowledge within 72 hours. Send a templated confirmation that you've received the request and are processing it. If you have reasonable doubt about who is asking, request proof of identity now (Article 12(6)) rather than at the deadline. The clock starts from receipt, not from when you act.
  2. Identify all data locations. This is where most agencies underestimate scope. The candidate's record might exist in your ATS, your email system, shared drives, backup archives, and any systems you share with client companies (see data processing agreements below).
  3. Check for exemptions first. You're not required to delete data you need for legal compliance (e.g., right-to-work records during an active employment), to defend a legal claim, or where there's a legitimate ongoing contractual obligation. Document your reasoning if you retain anything.
  4. Delete and document. Delete or anonymise the data in all systems. Log what was deleted, from where, by whom, and when. Keep this log — it's your evidence of compliance.
  5. Notify data processors. If you share candidate data with client companies or use third-party tools (background check providers, assessment platforms), you're required to notify them of the erasure request. Include this in your data processing agreements.
  6. Respond to the candidate. Confirm what was deleted and note any data you retained and why (with the legal basis cited).

An automated ATS should handle steps 1, 2, 4, and 6 with minimal manual intervention. If you're doing this in spreadsheets, you're creating compliance risk with every request you process.
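The six steps above as an added example (not Yena's code or any product's): an erasure handler that computes the one-month deadline from receipt, refuses to erase until identity is confirmed, walks every data location rather than just the CRM, applies retention exemptions before deleting, writes an audit entry for each deletion and each retention, and records the Article 19 notifications to recipients. The in-memory stores standing in for real systems, the store names, the `ledger_exemption` rules and candidate `c42` are this example's assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional


def one_month_after(d: date) -> date:
    """Art. 12(3) deadline: one calendar month from receipt, clamped to month end."""
    year, month = (d.year, d.month + 1) if d.month < 12 else (d.year + 1, 1)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class AuditEntry:
    when: date
    store: str
    item: str
    action: str      # "deleted", "retained" or "notified"
    by: str
    detail: str


class InMemoryStore:
    """Stand-in for one data location (ATS table, mailbox, shared drive, ledger).
    `exemption` returns a reason to keep an item, or None if it may be erased."""

    def __init__(self, name: str, items: Dict[str, dict],
                 exemption: Optional[Callable[[dict], Optional[str]]] = None):
        self.name, self.items = name, items
        self.exemption = exemption or (lambda item: None)

    def locate(self, candidate_id: str) -> List[str]:
        return [i for i, it in self.items.items() if it["candidate_id"] == candidate_id]

    def erase(self, item_id: str) -> None:
        del self.items[item_id]


@dataclass
class ErasureRequest:
    candidate_id: str
    received: date
    identity_verified: bool = False


def process_erasure(req: ErasureRequest, stores: List[InMemoryStore], processors: List[str],
                    today: date, operator: str, log: List[AuditEntry]) -> dict:
    """Run steps 2 to 6 of the workflow and return the response to send the candidate."""
    deadline = one_month_after(req.received)       # clock runs from receipt, not from action
    if not req.identity_verified:                  # Art. 12(6): confirm identity before erasing
        return {"status": "pending identity verification", "deadline": deadline}
    deleted, retained = [], []
    for store in stores:                           # step 2: every location, not just the CRM
        for item_id in store.locate(req.candidate_id):
            reason = store.exemption(store.items[item_id])   # step 3: exemptions first
            if reason:
                retained.append((store.name, item_id, reason))
                log.append(AuditEntry(today, store.name, item_id, "retained", operator, reason))
            else:
                store.erase(item_id)                         # step 4: delete, then document
                deleted.append((store.name, item_id))
                log.append(AuditEntry(today, store.name, item_id, "deleted", operator, "erasure request"))
    for p in processors:                           # step 5: Art. 19 notification of recipients
        log.append(AuditEntry(today, p, req.candidate_id, "notified", operator, "erasure request forwarded"))
    return {                                       # step 6: what was deleted, what was kept and why
        "status": "completed late" if today > deadline else "completed",
        "deadline": deadline, "deleted": deleted, "retained": retained,
        "processors_notified": list(processors),
    }


def ledger_exemption(item: dict) -> Optional[str]:
    """Retention exemptions for the placement ledger (periods from the article's table)."""
    if item["kind"] == "invoice":
        return "legal obligation: financial records kept 7 years (tax law)"
    if item["kind"] == "right_to_work":
        return "legal obligation: right-to-work check kept until employment end + 2 years"
    return None


def build_sample() -> List[InMemoryStore]:
    """Constructed data locations for candidate c42 (plus an unrelated c99 that must survive)."""
    ats = InMemoryStore("ats", {"rec-1": {"candidate_id": "c42", "kind": "profile"}})
    mail = InMemoryStore("mailbox", {"thr-7": {"candidate_id": "c42", "kind": "cv_attachment"},
                                     "thr-8": {"candidate_id": "c99", "kind": "cv_attachment"}})
    ledger = InMemoryStore("placement_ledger", {"inv-3": {"candidate_id": "c42", "kind": "invoice"},
                                                "rtw-3": {"candidate_id": "c42", "kind": "right_to_work"}},
                           exemption=ledger_exemption)
    return [ats, mail, ledger]


def run_demo(received: str, today: str, verified: bool = True) -> dict:
    """Run the workflow over the constructed stores; dates as ISO strings, results as plain values."""
    log: List[AuditEntry] = []
    stores = build_sample()
    resp = process_erasure(ErasureRequest("c42", date.fromisoformat(received), verified), stores,
                           ["bgcheck-vendor"], date.fromisoformat(today), "dpo@agency.example", log)
    resp["deadline"] = resp["deadline"].isoformat()
    resp["audit"] = [(e.store, e.item, e.action) for e in log]
    resp["remaining_c42"] = [(s.name, i) for s in stores for i in s.locate("c42")]
    resp["remaining_c99"] = [(s.name, i) for s in stores for i in s.locate("c99")]
    return resp


if __name__ == "__main__":
    print(run_demo("2026-01-31", "2026-02-10"))
```

Two design points worth copying into a real system: the audit log is written for retained items as well as deleted ones, because "we kept the invoice under a tax obligation" is exactly what a regulator will ask you to evidence, and the deadline is derived from the receipt date stored on the request, so a request that sat in a shared inbox for a week still shows as late.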

Data Processing Agreements with Clients

When you share candidate data with a client company (their name, CV, interview notes, assessment results), you're disclosing personal data to a separate organisation, and GDPR requires a written arrangement to be in place before any data is shared. Which kind depends on the client's role: an Article 28 Data Processing Agreement (DPA) if the client only processes the data on your instructions (uncommon in practice), an Article 26 arrangement if you are joint controllers, or a controller-to-controller data sharing agreement if each of you decides independently what to do with the data.

The question of whether your client is a data processor or a joint controller matters enormously here, and it's one the German data protection authorities have scrutinised closely in the staffing sector.

In most recruitment agency scenarios:

You are the data controller for the sourcing, initial processing, and talent pool management. You decide the purposes and means of processing candidate data for the search.

Your client becomes a controller in its own right once they start making decisions about candidates: reviewing CVs, conducting interviews, deciding who progresses. They're not just processing data on your behalf; they're making their own decisions about candidates using that data. Whether that makes you joint controllers (deciding purposes and means together) or independent controllers depends on how closely the two of you run the process, which is the question the German authorities keep probing in the staffing sector.

Joint controller status requires an arrangement under Article 26 of GDPR, not just a standard DPA. This arrangement must specify who handles candidate rights requests, who takes responsibility for notifying candidates about how their data is used, and how liability is allocated. If you conclude you are independent controllers, a data sharing agreement should cover the same points. Most agencies are operating without either. That's a compliance gap worth closing.

Your standard client terms should include:

  • A clause prohibiting clients from using candidate data for any purpose other than the current vacancy
  • A prohibition on sharing candidate data with third parties (headhunting firms, group companies) without your consent
  • An obligation to delete candidate data within 30 days if a placement isn't made
  • Contact details for handling candidate rights requests that come through the client

Cross-Border Data Transfers: UK vs EU Post-Brexit

Here's the part that UK-based agencies operating in Europe, or EU agencies with UK clients, often get wrong.

Post-Brexit, the UK is a "third country" under EU GDPR. The European Commission adopted an adequacy decision for the UK in June 2021, meaning UK data protection is considered essentially equivalent to EU standards and EU-to-UK data transfers can proceed without additional safeguards. That decision carried a four-year sunset (June 2025) and was extended while renewal was assessed; confirm the current status on the Commission's adequacy page before relying on it, and keep SCCs ready in your client and vendor templates as the fallback.

UK-to-EU transfers go the other way: under UK GDPR, EU countries (and EEA countries) are "adequate" — no additional safeguards needed. UK agencies sending candidate data to EU clients can do so without extra mechanisms.

Where it gets complicated: transfers outside the EU/UK, to a US-based ATS vendor, a Middle Eastern client, an APAC subsidiary of a multinational. These require an adequacy decision covering that recipient (for the US this means the vendor is certified under the EU-US Data Privacy Framework and, for UK transfers, its UK extension), Standard Contractual Clauses (SCCs) incorporated into your vendor agreements together with a transfer risk assessment, or, in limited cases, explicit consent from the candidate under the Article 49 derogations.

Practical checks for your agency:

  • Where does your ATS vendor store data? (EU region, US, or multi-region?)
  • Do your vendor contracts include SCCs or are they covered by a current adequacy decision?
  • Does your privacy notice accurately describe where candidate data might be processed?

If your ATS is hosted on US infrastructure without an EU data residency option, you may be making international transfers every time you upload a CV. Most major ATS vendors offer EU hosting — if yours doesn't, that's worth raising with them explicitly.

Automated Decision-Making Under Article 22

This section matters more in 2026 than it did when GDPR was drafted. AI-assisted screening is now standard. Resume parsing, AI candidate matching, automated knockout questions that filter out applicants: all of these fall within Article 22 where they produce the decision about a candidate with no meaningful human involvement.

Article 22 gives candidates the right not to be subject to decisions based "solely on automated processing" when those decisions produce legal or "similarly significant" effects. Getting rejected from a job application clearly qualifies.

What this means in practice:

AI ranking is fine; AI rejection without review is not. Using your ATS's AI matching to rank candidates from most to least relevant is legitimate when a recruiter then reviews the ranked list, and that review must be meaningful: someone with the authority to change the outcome actually looks at the candidates, rather than rubber-stamping the machine's order. Letting the system automatically reject everyone below a certain score without human eyes on the output is problematic.

Knockout questions need a human checkpoint. Automated knockout questions (work authorisation, salary expectations, required certifications) can filter the pile, but candidates who are filtered out should be reviewed by a human before being definitively rejected — or the automated nature of the rejection must be clearly disclosed and candidates given the right to request review.

Transparency obligation. Your privacy notice must describe any automated processing used in your screening workflow, what data it uses, what its purpose is, and how candidates can request human review. Vague statements like "we may use automated processing tools" won't satisfy an ICO or CNIL investigation.

The German BfDI has been particularly active on this question. Their position: even AI tools that "support" rather than "replace" human decision-making may require notification to candidates if the AI processing meaningfully influences outcomes. When in doubt, err on the side of disclosure.

What Your ATS Should Handle Automatically

GDPR compliance isn't just a policy problem — it's a workflow problem. Manual compliance processes fail because recruiters are busy and data hygiene gets deprioritised. A properly configured ATS should take most of this burden off human shoulders. For a side-by-side breakdown of how platforms handle compliance, see our guide to the best ATS for recruiters and the candidate management system buyer's guide. If you're calculating whether a compliance-ready ATS upgrade is worth it, the ATS ROI calculator covers time and cost savings including compliance overhead reduction.

Here's what you should expect your recruiting platform to handle natively:

Consent tracking. Every candidate record should show when consent was captured, what it covered, and how (web form, email opt-in, verbal consent logged by recruiter). If a candidate withdraws consent, that should be recordable and should trigger an automated retention review.

Retention policy enforcement. The ATS should let you configure retention periods by candidate status. When a record hits its retention limit, it should flag for review or auto-anonymise rather than just sitting indefinitely. This isn't optional — it's the only scalable way to meet GDPR's "storage limitation" principle across a database of thousands of candidates.
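The retention schedule in the table earlier and the enforcement described here are mechanical enough to be coded. The following is an added example (not Yena's code or any product's) of the sweep an ATS could run nightly: it transcribes the article's retention table into rules, uses calendar-month arithmetic so that a period started on 31 January does not expire on a non-existent 31 February, treats a legal hold as the Article 17(3)(e) exemption, expires records whose anchor date was never captured instead of keeping them forever, and gives consent-based records a re-consent warning window before they are anonymised. The category names, the 30-day warning window, expressing 7 years as 84 months and the sample records are this example's assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    KEEP = "keep"
    RECONSENT = "ask for re-consent"
    ANONYMISE = "anonymise"


@dataclass(frozen=True)
class Rule:
    anchor: str                     # record date the period counts from
    months: int                     # retention period in calendar months
    basis: str                      # lawful basis recorded alongside the rule
    reconsent_window_days: int = 0  # > 0 marks a consent-based rule and sets the warning window


# Schedule transcribed from the article's retention table (assumed category names).
SCHEDULE: Dict[str, Rule] = {
    "application_unsuccessful": Rule("last_contact", 6, "legitimate interest (discrimination claim window)"),
    "talent_pool": Rule("consent_captured", 12, "consent", reconsent_window_days=30),
    "placed": Rule("placement_date", 12, "legitimate interest / contract"),
    "right_to_work": Rule("employment_end", 24, "legal obligation"),
    "interview_notes": Rule("interview_date", 6, "legitimate interest"),
    "financial": Rule("invoice_date", 84, "legal obligation (tax law)"),
}


@dataclass
class Record:
    candidate_id: str
    category: str
    dates: Dict[str, date]          # e.g. {"last_contact": date(2025, 8, 1)}
    consent_withdrawn: bool = False
    legal_hold: bool = False        # live claim or dispute: Art. 17(3)(e) exemption


@dataclass(frozen=True)
class Decision:
    action: Action
    expires: Optional[date]
    reason: str


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to month end (31 Jan + 1 month = 28 Feb)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def evaluate(rec: Record, today: date) -> Decision:
    """Decide what the sweep should do with one record."""
    rule = SCHEDULE[rec.category]   # unknown category raises: no silent indefinite retention
    if rec.legal_hold:
        return Decision(Action.KEEP, None, "legal hold: needed to establish or defend a claim")
    anchor = rec.dates.get(rule.anchor)
    if anchor is None:
        # Without the anchor date the period cannot be evidenced; expire rather than keep forever.
        return Decision(Action.ANONYMISE, None, f"no {rule.anchor} recorded, retention cannot be justified")
    expires = add_months(anchor, rule.months)
    consent_based = rule.reconsent_window_days > 0
    if consent_based and rec.consent_withdrawn:
        return Decision(Action.ANONYMISE, expires, "consent withdrawn, lawful basis no longer exists")
    if today >= expires:
        return Decision(Action.ANONYMISE, expires, f"{rule.months}-month period under {rule.basis} elapsed")
    days_left = (expires - today).days
    if consent_based and days_left <= rule.reconsent_window_days:
        return Decision(Action.RECONSENT, expires, f"consent expires in {days_left} days")
    return Decision(Action.KEEP, expires, f"within {rule.months}-month period ({rule.basis})")


# Constructed sample records, not real candidates.
SAMPLE: List[Record] = [
    Record("c1", "application_unsuccessful", {"last_contact": date(2025, 8, 1)}),
    Record("c2", "talent_pool", {"consent_captured": date(2025, 4, 10)}),
    Record("c3", "talent_pool", {"consent_captured": date(2025, 10, 1)}, consent_withdrawn=True),
    Record("c4", "placed", {"placement_date": date(2025, 1, 31)}, legal_hold=True),
    Record("c5", "interview_notes", {}),
]
SWEEP_DATE = date(2026, 3, 27)   # "today" for the demo run


def sweep_summary(records: List[Record] = SAMPLE, today: date = SWEEP_DATE) -> Dict[str, str]:
    """Candidate id -> action, as a scheduled ATS job would report it."""
    return {r.candidate_id: evaluate(r, today).action.value for r in records}


if __name__ == "__main__":
    for rec in SAMPLE:
        d = evaluate(rec, SWEEP_DATE)
        print(f"{rec.candidate_id}: {d.action.value:18} expires={d.expires} ({d.reason})")
```

The sweep deliberately fails loudly on a category it does not know and treats a missing anchor date as expired: both are the cases where an unthinking job would default to keeping the record, which is exactly the "until we delete things" non-policy the regulators reject.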

Erasure workflow support. Logging an erasure request, tracking its status, documenting what was deleted and when — your ATS should make this auditable. If someone raises a complaint to a regulator, you need to be able to show a clear record of how you handled any previous erasure requests.

Data subject access request (DSAR) support. Candidates can request a copy of all data you hold on them. Your ATS should be able to generate this report efficiently. Manually compiling a DSAR response from multiple systems can take hours; a well-designed platform reduces it to minutes.

Audit logs. Who accessed a candidate record, when, and what changes they made. Essential for investigating data breaches and responding to regulatory enquiries.

Yena builds these workflows into the core product — consent tracking, configurable retention policies, erasure request logging, and DSAR report generation are part of the standard platform rather than compliance add-ons. The executive search module specifically includes data processing agreement templates for client relationships and built-in notifications when candidate data approaches its retention limit.

GDPR Compliance Checklist for Recruitment Agencies

  • Written retention policy with documented periods by data category
  • Consent mechanism on all application forms and talent pool registrations
  • Privacy notice that accurately describes automated processing and international transfers
  • Data Processing Agreement or Article 26 arrangement in client contracts
  • Erasure request procedure with assigned responsibility and response SLA
  • ATS configured with retention flags or auto-anonymisation
  • Record of Processing Activities (RoPA) document. The small-organisation exemption in Article 30(5) only applies where processing is occasional, so a recruitment database almost always needs one
  • Named Data Protection Lead or DPO if you process at scale
  • Vendor DPAs for every third-party tool that touches candidate data
  • Annual compliance review (regulatory guidance updates regularly)

Country-Specific Notes

UK (ICO)

UK GDPR is substantively equivalent to EU GDPR but independently enforced by the Information Commissioner's Office. The ICO's Employment practices guidance is genuinely practical — it covers job applications, employment records, and monitoring in plain language. For AI in recruitment specifically, the ICO published dedicated guidance in 2023 addressing exactly the Article 22 questions above.

One UK-specific point: the Data (Use and Access) Act 2025 (which replaced the Data Protection and Digital Information Bill that lapsed at the 2024 general election) introduces some divergence from EU GDPR, including a list of "recognised legitimate interests" and a relaxation of the rules on automated decision-making, with its provisions being commenced in stages. Keep an eye on ICO communications if you operate across the UK-EU boundary, and don't assume a UK-only reading will satisfy an EU regulator.

Germany (BfDI and Länder authorities)

Germany has some of the strictest data protection enforcement in Europe, compounded by the BDSG (Bundesdatenschutzgesetz), which adds requirements to EU GDPR particularly around employee and applicant data. Section 26 BDSG specifically governs data processing in employment contexts, including recruitment — and it's somewhat more restrictive than the GDPR baseline on consent in the employment relationship (consent is often deemed involuntary due to power imbalance, meaning legitimate interest or legal obligation are the preferred bases).

If you're a staffing agency placing candidates in German companies, you're likely operating under both BDSG and EU GDPR. Works Councils (Betriebsräte) in German client companies may have co-determination rights over which recruitment tools and data processing practices are used — worth raising explicitly in the client onboarding conversation.

France (CNIL)

The CNIL's formal recommendation for HR data (Délibération 2020-092) sets out expected retention periods and lawful bases in detail. France also has additional restrictions on collecting certain categories of candidate data — nationality, family situation, photographs — at the application stage. CNIL has actively investigated LinkedIn scraping by French recruitment firms and issued formal warnings. If your sourcing strategy relies heavily on LinkedIn data for French-based candidates, review the CNIL's guidance on sourcing from professional networks before scaling that activity.

Common Mistakes That Lead to Complaints

Most GDPR complaints against recruitment agencies don't come from regulators conducting proactive audits. They come from candidates who felt their data was mishandled. These are the scenarios that generate complaints:

The "surprise call" problem. A candidate uploaded their CV to a job board three years ago. They get a call from your agency about a role. They have no memory of giving you their data and no idea how you found them. This triggers a "who gave you my number?" complaint — and if you can't produce a clear record of how you obtained their data and on what legal basis, you're in trouble.

Sharing CVs without consent. You've received a CV for a specific role. You then share it with a different client for a different role without the candidate's knowledge. Even if both roles seem suitable, sharing to a third party for a different purpose than originally intended requires either re-consent or a fresh legitimate interest assessment. This is one of the most common errors in agency practice.

Data that doesn't get deleted. A candidate asks you to remove them from your database. You delete their record in your main CRM. But their CV still exists in an email thread, a shared drive folder, and the backup of your ATS from last quarter. Erasure means erasure from all systems — including the ones that don't have a simple "delete" button.

No privacy notice at the point of data collection. If a candidate submits their details through your website or a third-party job board integration, there must be a privacy notice in place — and it must actually describe what you do with their data, not just link to a generic 40-page document. Regulators have taken a dim view of privacy notices that are technically present but effectively unreadable.

Frequently Asked Questions

Do recruitment agencies need to register with ICO?

Yes. Any recruitment agency processing personal data in the UK must register with the ICO and pay the data protection fee, which is tiered by turnover and headcount. The tiers stood at £40, £60 and £2,900 for years and were raised in 2025, so check the current amounts on the ICO site rather than relying on a guide. Failure to pay attracts a monetary penalty on top of the fee owed.

How long can a recruitment agency keep a CV?

There's no single legal limit, but you must justify your retention period. Most agencies retain candidate data for 6-24 months, depending on the role type and sector. Executive search firms often argue for longer periods (up to 3 years) based on the nature of senior placements. Whatever you choose, document it in your privacy policy and apply it consistently.

What is the legal basis for recruiting under GDPR?

Most recruitment agencies rely on "legitimate interest" (Article 6(1)(f)) rather than consent. Legitimate interest works when candidates have a reasonable expectation that their data will be processed — for example, when they've uploaded their CV to a job board or applied directly. Consent is harder to manage at scale because it can be withdrawn at any time.

Can recruiters source candidates from LinkedIn under GDPR?

Yes, but with conditions. LinkedIn profiles are publicly visible, so sourcing from them generally falls under legitimate interest, provided you have recorded a legitimate interests assessment. Because you did not collect the data from the candidate, Article 14 applies: you must send a privacy notice within one month of first storing their data in your ATS (or at first contact, if that comes sooner), and you must give them the right to object. The ICO has confirmed this approach is valid as long as the processing is proportionate.

What happens if a candidate requests data deletion?

You must comply without undue delay and at the latest within one month of receipt under Article 17 read with Article 12(3), extendable by two further months for complex requests if you explain the delay within the first month. This means removing or anonymising all personal data in your ATS, email, spreadsheets, and any third-party tools, and telling the recipients you shared it with (Article 19). You can refuse, in whole or in part, only where an Article 17(3) exemption applies: a legal obligation to retain the data (for example, tax records on placed candidates) or the establishment, exercise or defence of legal claims. Document every deletion request and your response.


GDPR compliance in recruitment is operational, not just legal. The agencies that handle it well aren't the ones with the most expensive lawyers — they're the ones whose daily workflows have data protection built into them. The right ATS makes the difference between compliance that requires constant vigilance and compliance that runs in the background.

If you're evaluating platforms with GDPR built in from the ground up, see how Yena handles executive search compliance — including consent tracking, retention automation, and DSAR support. Or book a 20-minute demo to see the compliance workflows in practice.

Further reading: our post on recruitment automation software covers Article 22 considerations for AI screening tools in more depth, including how to configure automated workflows that stay on the right side of GDPR.


March 27, 2026
