What Is GDPR (General Data Protection Regulation)?
GDPR (General Data Protection Regulation) is the EU law that governs how organisations collect, store, use, and delete personal data — including candidate data held in ATS platforms, CRMs, and email systems. Recruiters must have a lawful basis to store a candidate's CV, provide clear privacy notices, and delete data when retention periods expire. Non-compliance carries fines of up to 4% of global annual turnover or €20 million, whichever is higher.
TL;DR
The General Data Protection Regulation (GDPR), in force across the EU since 25 May 2018 and retained in UK law after Brexit as UK GDPR (which sits alongside the Data Protection Act 2018), governs how organisations collect, store, and process personal data, including candidate data gathered during recruitment. Staffing agencies operating in the EU or UK must have a lawful basis for processing candidate data, provide a clear privacy notice when the data is collected (or, for data obtained from a third party, no later than first contact), retain data only as long as necessary, and honour candidate rights including subject access, rectification, and erasure. Fines under EU GDPR reach up to €20 million or 4% of global annual turnover, whichever is higher.
Key Takeaways
- Six lawful bases exist under Article 6 GDPR; in recruitment, the two most commonly used are "legitimate interests" (for proactive candidate sourcing) and "performance of a contract / pre-contractual steps" (for candidates who apply); "consent" is generally unsuitable as the primary basis because it must be freely withdrawable and the power imbalance in recruitment makes this difficult
- Candidates have the right to erasure ("right to be forgotten") under Article 17; if an unsuccessful candidate requests deletion, the agency must erase their data unless another legal ground (e.g., retention for a pending or anticipated legal claim) justifies keeping it. GDPR sets no fixed period; industry practice for unsuccessful candidates is a 6 to 12 month retention window
- Cross-border data transfers from the EU/UK to the US require an appropriate safeguard, typically the EU-US Data Privacy Framework (for EU data) or the UK Extension to it, known as the UK-US Data Bridge (for UK data), or standard contractual clauses (SCCs). The DPF and Data Bridge only cover vendors that have self-certified under them; for any other US-based ATS or CRM vendor the agency needs SCCs (or the UK equivalent) plus a transfer risk assessment, and should record the mechanism relied on in its data processing agreement
- UK GDPR and EU GDPR are now separate instruments post-Brexit; the UK Information Commissioner's Office (ICO) enforces UK GDPR with maximum fines of £17.5 million or 4% of global annual turnover, while the EU data protection authorities enforce EU GDPR
FAQ
Q: What lawful basis should a staffing agency use for processing candidate CV data?
A: For candidates who actively apply, "pre-contractual steps at the request of the data subject" (Article 6(1)(b)) is the appropriate basis. The candidate has taken a step toward a potential contract. For proactive sourcing (cold outreach to candidates who have not applied), the agency typically relies on "legitimate interests" (Article 6(1)(f)) and must complete a Legitimate Interests Assessment (LIA) documenting why the processing is proportionate and not overridden by the candidate's interests. Consent is not recommended as the primary basis in either case because it must be freely given and withdrawable without detriment.
Q: How long can a staffing agency keep candidate data under GDPR?
A: GDPR does not specify a fixed retention period. It requires that data be kept "no longer than is necessary for the purposes for which the personal data are processed" (Article 5(1)(e)). Industry practice for unsuccessful candidates ranges from 6 to 12 months. Some agencies ask candidates to consent to a longer retention period (e.g., 2 years) for talent pool purposes, but this consent must be genuinely free and documented. Placed candidates' data may be retained longer to satisfy contractual, payroll, and legal dispute obligations, typically 6 years.
Q: Does GDPR apply to a US-based staffing agency recruiting candidates in the EU or UK?
A: Yes. GDPR has extra-territorial reach under Article 3(2): it applies to any controller or processor outside the EU/UK that offers goods or services to, or monitors the behaviour of, data subjects in the EU or UK. A US staffing agency that actively recruits EU or UK candidates, operates a website targeted at those regions, or searches CV databases containing EU/UK individuals must comply with EU GDPR and/or UK GDPR. Under Article 27, such an agency must also appoint a representative in the EU and/or UK if it has no establishment there, unless its processing is only occasional, low-risk, and does not involve special category or criminal offence data on a large scale (Article 27(2)).
What GDPR Requires of Staffing Agencies
Staffing agencies process candidate personal data at every stage of their work: collecting CVs and application data, storing contact information in a CRM, running background checks, sharing profiles with clients, and retaining records of placed workers for payroll and legal purposes. Each of these activities is regulated under GDPR, and each requires the agency to satisfy three threshold obligations: identify a lawful basis for the processing, provide a privacy notice to the data subject at the point of collection, and process only the minimum data necessary for the stated purpose.
The lawful basis question is the most practically contested. For candidates who apply directly to the agency, the basis is typically "pre-contractual steps at the request of the data subject" under Article 6(1)(b). For candidates the agency sources proactively — reaching out cold to someone on LinkedIn or a talent database — the basis is usually "legitimate interests" under Article 6(1)(f). Agencies using legitimate interests must complete a Legitimate Interests Assessment (LIA) documenting why the processing is necessary and proportionate. Consent is generally not appropriate as the primary basis for recruitment data processing because the power imbalance between recruiter and candidate means consent cannot be freely given in the legally meaningful sense.
The privacy notice obligation under Articles 13 and 14 requires the agency to tell candidates who the data controller is, what data is being processed, why, on what legal basis, how long it will be retained, who it will be shared with, and what rights the candidate has. Article 13 applies where the data is collected from the candidate directly, and the notice is due at the point of collection. Article 14 applies where the data comes from elsewhere (a CV database, a referral, a professional networking site): the notice is due within a reasonable period and at most one month, or at the latest at the first communication with the candidate if the data is used to contact them, and must also state the source of the data. For speculative outreach, this means the first contact message must include or link to a privacy notice. Many agencies fail this requirement by sending cold outreach without any privacy disclosure, treating GDPR as an onboarding obligation rather than a first-contact one.
How GDPR Works in a Recruitment Context
A technology staffing agency sources a software engineer's profile from a commercial CV database. The engineer has not applied to the agency — they uploaded their CV to the database years ago for general visibility. The agency sends an outreach message about a role. Under GDPR Article 14, the agency must provide a privacy notice to the engineer when making that first contact, because the engineer's data was not collected directly from them by the agency. The notice must state where the agency obtained the data (the CV database), what the agency intends to do with it, and how long it will be kept.
If the engineer responds and the agency sends their CV to a client, that sharing must be disclosed in the privacy notice and covered by a lawful basis (normally the same pre-contractual or legitimate interests basis), or consented to separately. If the engineer asks the agency to delete their data at any point, whether before or after referral, the agency must erase it unless another legal ground exists (such as a pending legal claim or a statutory retention obligation). Standard practice for unsuccessful candidates is to retain data for 6 to 12 months, after which it should be deleted or the candidate should be asked to provide fresh consent for continued retention in a talent pool; a record should never be kept silently past its stated retention period.
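The retention and erasure rules above are what an ATS retention job has to encode: an erasure request is honoured unless a legal hold applies, unsuccessful candidates expire after the stated window, placed workers are kept for the longer payroll and dispute period, and a talent pool record whose documented consent has lapsed is flagged for fresh consent rather than quietly kept. The following is an added example written for this page, not code from any ATS product or from the original article. The record shape, the field names, the 365 day and 6 year windows, and the sample candidates are all assumptions chosen to match the periods the text describes; the example also returns a reason with each decision so the sweep leaves an audit trail.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention windows in days. Assumed values matching the practices described
# in the text (6-12 months for unsuccessful candidates, 6 years for placed
# workers); they are not statutory periods and must come from the agency's
# own documented retention policy.
UNSUCCESSFUL_RETENTION_DAYS = 365
PLACED_RETENTION_DAYS = 6 * 365


@dataclass
class Candidate:
    """Hypothetical ATS record; field names are assumptions for this example."""
    candidate_id: str
    status: str                 # "unsuccessful", "placed" or "talent_pool"
    last_activity: date         # last application, outreach reply or placement end
    legal_hold: bool = False    # pending claim or statutory retention obligation
    erasure_requested: bool = False                     # Article 17 request received
    talent_pool_consent_until: Optional[date] = None    # documented consent expiry


def retention_action(c: Candidate, today: date) -> tuple[str, str]:
    """Decide what to do with one record. Returns (action, reason) where action
    is 'erase', 'retain' or 'renew_consent_or_erase'."""
    # Article 17: an erasure request wins unless another legal ground applies.
    if c.erasure_requested:
        if c.legal_hold:
            return "retain", "erasure requested but legal hold applies (Art. 17(3))"
        return "erase", "erasure requested by data subject (Art. 17)"
    if c.legal_hold:
        return "retain", "legal hold"
    if c.status == "placed":
        expiry = c.last_activity + timedelta(days=PLACED_RETENTION_DAYS)
        if today > expiry:
            return "erase", "placed-worker retention period expired"
        return "retain", "within placed-worker retention period"
    if c.status == "talent_pool":
        # Consent-based retention: once consent lapses, ask again or delete.
        if c.talent_pool_consent_until is None or today > c.talent_pool_consent_until:
            return "renew_consent_or_erase", "talent pool consent missing or expired"
        return "retain", "talent pool consent current"
    # Default: unsuccessful / never placed candidates.
    expiry = c.last_activity + timedelta(days=UNSUCCESSFUL_RETENTION_DAYS)
    if today > expiry:
        return "erase", "unsuccessful-candidate retention period expired"
    return "retain", "within unsuccessful-candidate retention period"


def plan_sweep(candidates: list[Candidate], today: date) -> dict[str, list[str]]:
    """Group candidate ids by the action the sweep should take."""
    plan: dict[str, list[str]] = {"erase": [], "retain": [], "renew_consent_or_erase": []}
    for c in candidates:
        action, _reason = retention_action(c, today)
        plan[action].append(c.candidate_id)
    return plan


def sample_candidates() -> list[Candidate]:
    """Constructed sample data for this example; not real candidate records."""
    return [
        Candidate("C-001", "unsuccessful", date(2024, 1, 15)),
        Candidate("C-002", "unsuccessful", date(2025, 3, 1)),
        Candidate("C-003", "unsuccessful", date(2025, 3, 1),
                  legal_hold=True, erasure_requested=True),
        Candidate("C-004", "placed", date(2025, 4, 1), erasure_requested=True),
        Candidate("C-005", "talent_pool", date(2024, 6, 1),
                  talent_pool_consent_until=date(2025, 1, 1)),
        Candidate("C-006", "placed", date(2018, 1, 1)),
    ]


if __name__ == "__main__":
    today = date(2025, 6, 1)
    for c in sample_candidates():
        action, reason = retention_action(c, today)
        print(f"{c.candidate_id}: {action:24s} {reason}")
    print(plan_sweep(sample_candidates(), today))
```

In a real deployment the "erase" bucket would feed the deletion routine and the "renew_consent_or_erase" bucket a re-consent mailer with its own deadline, after which unanswered records move to "erase"; the reason strings are what an auditor or a subject access response would be built from.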
GDPR in the EU vs UK GDPR
Since Brexit, EU GDPR and UK GDPR operate as distinct legal instruments, though their substantive content remains nearly identical. EU GDPR (Regulation 2016/679) is enforced by national data protection authorities in each EU member state, coordinated by the European Data Protection Board (EDPB) for cross-border cases. UK GDPR is the EU regulation as retained and amended in UK domestic law after Brexit; it sits alongside the Data Protection Act 2018 and is enforced by the Information Commissioner's Office (ICO). Maximum fines under UK GDPR are £17.5 million or 4% of global annual turnover, whichever is higher.
The practical divergence matters most for data transfers. Sending personal data from the EU to the UK relies on the EU's adequacy decision for the UK (granted in 2021, subject to review and renewal). Sending data from the UK to the US requires either the UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework, available only for US organisations certified under it) or a UK transfer tool: the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs). Staffing agencies using US-hosted ATS platforms, CRMs, or background check vendors must confirm which transfer mechanism their vendor relies on and document it in their data processing agreements. An agency operating across the EU, UK, and US without mapped transfer safeguards is exposed in all three jurisdictions.
Penalties and Enforcement
GDPR enforcement uses a two-tier penalty structure. Less serious violations — failure to implement appropriate security measures, insufficient records of processing, notification failures — attract fines of up to €10 million or 2% of global annual turnover, whichever is higher. More serious violations — processing without a lawful basis, transferring data internationally without safeguards, or violating data subject rights — attract fines of up to €20 million or 4% of global annual turnover. The ICO's equivalent UK GDPR tiers are £8.7 million or 2%, and £17.5 million or 4%.
Enforcement in the recruitment sector has concentrated on three areas: consent violations (agencies that rely on consent as their lawful basis but cannot demonstrate it was freely given or properly recorded), subject access request failures (agencies that fail to respond to candidate data requests within one month, extendable by up to two further months only for complex or numerous requests under Article 12(3)), and unlawful sharing with clients (sending candidate profiles to clients without disclosing this in the privacy notice). The ICO has issued guidance specifically addressed to recruitment agencies and employment businesses, and the French data protection authority (CNIL) has taken enforcement action against French recruitment platforms for retention of candidate data beyond stated periods.