
What Is Data Controller?

Data Controller is a term used in the recruitment and staffing industry.

Compliance & Data. Updated March 2026

TL;DR

Under the GDPR, the data controller is the entity that determines why and how personal data is processed. In recruitment, the employer deciding which candidates to assess and what data to collect is the controller — and with that role comes the full weight of GDPR accountability.

What Defines a Data Controller

The controller is the decision-maker, not just the recipient of data. Article 4(7) of the GDPR defines the controller as the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Two elements define it: determining the purpose (why) and determining the means (how).

In practice, the employer deciding to run a background check, collect CV data, store application records, or run psychometric assessments is the controller for all of that processing. They decided the purpose (assess candidates for a job) and the means (which data points to collect, which systems to use, how long to retain records).

The controller designation matters because the GDPR places its primary obligations on controllers. Controllers must identify a lawful basis for every processing activity, fulfil data subject rights requests (access, erasure, portability), maintain Records of Processing Activities, appoint a Data Protection Officer if required, carry out Data Protection Impact Assessments for high-risk processing, and notify supervisory authorities of data breaches within 72 hours.

Controller vs. Processor

The controller/processor distinction determines who is ultimately accountable. If an employer uses an applicant tracking system, the ATS vendor processes candidate data on the employer's behalf — the vendor is a processor. The employer is still the controller. The GDPR requires a written Data Processing Agreement (DPA) between them, specifying what the processor can and cannot do with the data.

Joint controllership is a more complex situation. When two organisations independently determine the purposes of processing the same data, they may be joint controllers. For example, if a staffing agency and a client company both have independent interests in processing a candidate's data — the agency for its own talent pool, the client for its hiring decision — both may be joint controllers, with obligations to define their respective responsibilities in writing.

The European Data Protection Board has issued guidance confirming that the test is substantive, not contractual. Calling a vendor a processor in a contract does not make them one if they actually have discretion over how data is used.

Why It Matters for Recruitment

Recruitment involves extensive personal data processing, and the controller designation sits with the employer. Every step of the hiring process — posting a job, receiving applications, running assessments, conducting interviews, storing notes, retaining rejected candidate data — involves personal data. The controller is accountable for all of it.

This means employers must: identify a lawful basis for processing (typically legitimate interests or consent, with consent being appropriate only where the candidate genuinely has a free choice), provide candidates with a privacy notice at the point of collection, limit retention to what is necessary (rejected candidate data typically should not be retained beyond six to twelve months without consent), and respond to subject access requests within 30 days.

When employers use third-party tools — background check vendors, assessment platforms, video interview software — they must ensure those vendors are acting as processors under a compliant DPA, not processing data for their own purposes.

In Practice

A company posts a job through LinkedIn, receives applications into its ATS, runs video interviews through a third-party platform, and commissions a background check through a CRA. The company is the controller for all of this processing. LinkedIn, the ATS vendor, the video interview platform, and the background check company are all processors (or, in LinkedIn's case, potentially a joint controller for its own recruitment analytics). Each vendor relationship requires a signed DPA. Candidates who apply have the right to request access to all data the company holds on them — including interview notes, assessment scores, and background check results.

Key Facts

| Concept | Definition | Practical Implication |
|---|---|---|
| Data controller | Entity determining the purposes and means of data processing | Bears primary GDPR accountability — employers are controllers in recruitment |
| Lawful basis | Legal justification for processing personal data | Must identify one for every processing activity before collecting data |
| Data subject rights | Rights of individuals over their personal data | Controllers must respond to access, erasure, and portability requests within 30 days |
| Data Processing Agreement | Written contract governing a processor's use of data | Required for every vendor that processes candidate data |
| Joint controllership | Two entities independently determining processing purposes | Requires a written arrangement defining respective responsibilities |
| Privacy notice | Disclosure to candidates at point of data collection | Must cover: what is collected, why, how long retained, who has access |
| 72-hour breach notification | Controllers must notify supervisory authority of data breaches | Starts from the point of awareness, not discovery |
What Is Data Controller? | Candidately Glossary | Candidately