What Is GDPR in Recruitment?
GDPR in Recruitment is a term used in the recruitment and staffing industry.
TL;DR
UK GDPR (the retained EU General Data Protection Regulation as amended by the Data Protection Act 2018) governs how recruitment agencies and employers collect, store, process, and share candidate personal data. The UK Information Commissioner's Office (ICO) can issue fines up to £17.5 million or 4% of annual global turnover for serious breaches. Consent is rarely the appropriate legal basis for processing recruitment data - legitimate interests or contractual necessity are typically more defensible.
What This Means in Practice
Every stage of the recruitment process involves processing personal data, and each processing activity requires a lawful basis. UK GDPR Article 6 sets out six possible lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. In recruitment, legitimate interests (Article 6(1)(f)) and contractual necessity (Article 6(1)(b)) are the two most commonly applicable bases, and the choice between them has practical consequences for how long data can be retained and what candidates can require the agency to do with it.
Consent sounds like the safest option but is frequently inappropriate in recruitment. Valid consent under UK GDPR must be freely given, specific, informed, and unambiguous. A candidate applying for a job through a staffing agency cannot meaningfully refuse consent to having their CV processed - their only practical option is to withdraw from the process. The ICO's guidance on employment and recruitment states that where processing is necessary for taking steps to enter a contract (i.e., assessing candidates for a role), contractual necessity is the appropriate basis. Consent is appropriate only where the candidate is genuinely free to say no without consequence - for example, adding them to a newsletter or talent pool where they were not applying for a specific role.
Legitimate interests requires a three-part test: there must be a legitimate interest, the processing must be necessary for that interest, and the interest must not be overridden by the individual's interests or fundamental rights. Maintaining a candidate database, conducting screening activity for roles the candidate applied to, and sharing CV details with client companies for the roles for which the candidate was submitted all typically pass the legitimate interests test. The agency must document the assessment.
Special category data requires additional safeguards under Article 9. Criminal conviction data (DBS checks), health information, and information about disabilities fall into special category or criminal offence data. Processing this data requires both a Schedule 1 condition under the Data Protection Act 2018 and a documented policy. For DBS-related data specifically, the ICO has published a code of practice that requires retention to be limited to a maximum of six months after the recruitment decision, with only the reference number and date retained thereafter.
Data subjects have enforceable rights: the right to access their data (subject access request, typically 1 calendar month to respond), the right to rectification, the right to erasure (the "right to be forgotten"), the right to restrict processing, the right to data portability, and the right to object. In recruitment, the right to erasure is frequently invoked by candidates who were rejected and do not want their data retained. Agencies must have a process for handling these requests within the statutory timeframe.
Why Recruitment Agencies Need to Know This
The ICO has specifically investigated and fined recruitment firms for unlawful data processing, including sending unsolicited marketing to candidates without consent and retaining candidate data without a legal basis. The fines for serious breaches are substantial, but regulatory action also carries reputational consequences for agencies that rely on candidate trust to build their databases.
For staffing agencies, the high-risk areas are candidate database retention, CV sharing with multiple clients without explicit notification, and automated decision-making in screening processes. Retaining speculative CVs indefinitely without a legal basis or a periodic review process breaches UK GDPR's storage limitation principle (Article 5(1)(e)), which requires data to be kept no longer than is necessary for the purpose for which it was collected. A candidate who applied for a single role three years ago and has not been contacted since has strong grounds for an erasure request, and the agency must act on it.
Sharing candidate CVs with multiple client companies simultaneously - without the candidate's knowledge - creates issues under the transparency principle (Article 5(1)(a)). The agency's privacy notice must clearly describe what data is collected, why it is processed, who it is shared with, and for how long it is retained. A generic notice that says "we may share your data with third parties" is insufficient. The ICO's guidance requires specific, intelligible information at the point of data collection.
For agencies using AI-assisted screening or automated ranking tools, Article 22 of UK GDPR provides candidates with the right not to be subject to solely automated decisions that produce legal or similarly significant effects. Fully automated rejection decisions require either explicit consent, contractual necessity, or legal authorisation - and in all cases, the candidate must be informed and must have the right to request human review.
In Practice
A generalist staffing agency conducts an annual data audit. The compliance officer runs a report from the agency's ATS - which integrates with Candidately for AI-assisted matching - and finds 8,400 candidate records that have had no activity in more than 24 months. The agency's data retention policy states that inactive records should be reviewed at 24 months and either deleted or have retention renewed with documented justification.
The compliance officer sends a batch of reactivation emails to the 8,400 candidates, informing them that their data will be deleted in 30 days unless they confirm they wish to remain in the agency's database. 1,200 candidates respond and confirm continued consent to retain their data. 7,200 do not respond and their records are deleted in accordance with the policy. 400 opt out proactively and request immediate erasure, which is processed within 72 hours.
The agency documents the process, records the deletion actions, and updates its privacy notice to reflect the 24-month retention period explicitly. When the ICO conducts a data protection audit of the agency the following year, the documented review process is cited as an example of good practice.
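The review described above, reduced to a decision function over candidate records, as an added example; it is not code from the page, from Candidately, or from any real ATS. The 24-month review point, the 30-day notice window and the 72-hour erasure target come from the scenario; the record fields, the `Candidate` dataclass, the audit-log layout and the sample records are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy parameters taken from the scenario above.
REVIEW_AFTER_MONTHS = 24   # inactive records are reviewed at 24 months
NOTICE_WINDOW_DAYS = 30    # candidates get 30 days to respond to the reactivation email
ERASURE_SLA_DAYS = 3       # explicit erasure requests are processed within 72 hours


@dataclass
class Candidate:
    """One ATS record. Field names are assumptions, not any real ATS schema."""
    candidate_id: str
    last_activity: date                 # last application, contact or record update
    notice_sent: Optional[date] = None  # when the reactivation email went out
    response: Optional[str] = None      # None (no reply), "keep" or "erase"
    response_date: Optional[date] = None


def months_before(d: date, months: int) -> date:
    """Calendar date `months` before `d`; the day is clamped to 28 so it is always valid."""
    total = d.year * 12 + (d.month - 1) - months
    return date(total // 12, total % 12 + 1, min(d.day, 28))


def is_inactive(c: Candidate, today: date) -> bool:
    """True when the record has had no activity for the full review period."""
    return c.last_activity <= months_before(today, REVIEW_AFTER_MONTHS)


def decide(c: Candidate, today: date) -> tuple[str, str]:
    """Return (action, reason) for one record on the review date.

    An explicit erasure request wins over every other rule; only inactive
    records are notified; silence after the notice window means deletion.
    """
    if c.response == "erase":
        return "erase", "candidate requested erasure"
    if not is_inactive(c, today):
        return "retain", "activity within the retention period"
    if c.notice_sent is None:
        return "notify", "inactive beyond review point, reactivation notice due"
    if c.response == "keep":
        return "retain", "candidate confirmed retention after notice"
    if today - c.notice_sent >= timedelta(days=NOTICE_WINDOW_DAYS):
        return "delete", "no response within the notice window"
    return "wait", "notice window still open"


def erasure_overdue(c: Candidate, today: date) -> bool:
    """True when an erasure request has sat unprocessed longer than the 72-hour target."""
    return (c.response == "erase" and c.response_date is not None
            and today - c.response_date > timedelta(days=ERASURE_SLA_DAYS))


def run_review(records: list[Candidate], today: date) -> tuple[dict[str, str], list[dict]]:
    """Classify every record and produce the audit trail the scenario describes.

    Returns the action per candidate id and an audit log of dicts. Records whose
    retention is renewed get their activity date reset to the documented
    confirmation, so the next annual review starts the clock from there.
    """
    actions: dict[str, str] = {}
    audit: list[dict] = []
    for c in records:
        action, reason = decide(c, today)
        if action == "retain" and c.response == "keep":
            c.last_activity = c.response_date or today
        actions[c.candidate_id] = action
        audit.append({"candidate_id": c.candidate_id, "action": action,
                      "reason": reason, "review_date": today.isoformat()})
    return actions, audit


# Constructed sample records for a review run on 2025-06-01.
REVIEW_DATE = date(2025, 6, 1)
SAMPLE = [
    Candidate("C-001", date(2023, 1, 10)),                                  # stale, never notified
    Candidate("C-002", date(2024, 11, 5)),                                  # still active
    Candidate("C-003", date(2022, 8, 20), notice_sent=date(2025, 4, 15)),   # silent for 47 days
    Candidate("C-004", date(2022, 8, 20), notice_sent=date(2025, 5, 20),
              response="keep", response_date=date(2025, 5, 22)),
    Candidate("C-005", date(2022, 8, 20), notice_sent=date(2025, 5, 20),
              response="erase", response_date=date(2025, 5, 21)),
    Candidate("C-006", date(2022, 8, 20), notice_sent=date(2025, 5, 20)),   # window still open
]

if __name__ == "__main__":
    for entry in run_review(SAMPLE, REVIEW_DATE)[1]:
        print(entry)
```

The audit list is the artefact an auditor would ask for: every record gets a dated entry with the rule that fired, including the records that were retained, so the review is evidenced rather than only the deletions. `erasure_overdue` is the separate check for the 72-hour target, since an erasure request needs to be tracked against its own deadline rather than the annual review cycle.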
Quick Reference
| Topic | Detail |
|---|---|
| Governing law | UK GDPR + Data Protection Act 2018 |
| Regulator | Information Commissioner's Office (ICO) |
| Maximum fine | £17.5 million or 4% of global annual turnover |
| Lawful basis for CV processing | Contractual necessity or legitimate interests |
| Lawful basis for talent pools | Legitimate interests (or consent if no prior application) |
| Special category data | Requires Schedule 1 DPA 2018 condition + policy |
| DBS data retention | Maximum 6 months after decision |
| Subject access request deadline | 1 calendar month |
| Erasure right | Applies when legal basis no longer applies |
| Automated decisions | Right to human review under Article 22 |
| Retention principle | No longer than necessary (Article 5(1)(e)) |