GDPR: How Recruiters Should Comply With Data Regulations

November 9, 2022


Recruiters deal with a vast amount of information provided by people every day. Their work is governed by many laws, including those related to personal data. This article will cover general rules that acquisition specialists from StaffingPartner use to protect our clients and job applicants, particularly from the European Union.

What does GDPR stand for?

The General Data Protection Regulation (GDPR) is a law that regulates how data can be collected, used, and shared. 

This regulation applies to any company or legal entity that processes or intends to process the data of individuals in the European Union and the European Economic Area (all EU countries plus Iceland, Liechtenstein, and Norway), regardless of whether the company is based inside or outside the EU.

The law gives people some control over their personal information, which can be briefly outlined in three primary rights:

  • to be informed about what data is being collected about them;
  • to have that data erased;
  • to object to its use.

In 2018 it replaced the 1995 Data Protection Directive, which had stopped being helpful once the Internet became widely used because it didn’t consider new ways of processing data.

What data is personal?

Personal data is any information that identifies a person. This can include names, addresses, IP addresses, and cookie data. In recruitment, personal data usually means applicants’ resumes, the contact information of clients and applicants, and social media profiles.

How strict is the GDPR?

National authorities can apply penalties of up to €20 million, or up to four percent of the organization’s earnings from the previous year, whichever is greater. These are not empty threats: in July 2019, Google was fined €50 million by the French data protection authority CNIL for failing to meet GDPR transparency requirements.

GDPR applies to any business with EU customers, no matter where the organization is established, inside or outside the EU and EEA. Your business could be at risk if you work with recruiters who do not adhere to data protection rules.

Data processing in recruitment

Data processing is any operation that’s performed on personal data. It could be recording, storing, organizing, altering, destroying, or transferring. The recruitment lifecycle covers data processing activities, such as sourcing or screening. To comply with GDPR, our recruiters must obtain explicit consent from clients and job applicants before collecting, storing, or sharing their data. This implies that they must have a legal reason for processing data. 

“We have a strict rule: to ask a candidate’s permission before sharing their CV with an employer,” said Kateryna Berkutova, Recruitment Team Lead at StaffingPartner. When the person gives clear consent, it is a legal reason. But the recruiter must notify the person of their right to cancel that permission at any time.

When clients send us a message through the website, they see a notice: “By clicking ‘Send’ you agree to the personal data processing,” which means that we start protecting their data from the beginning.

There are four main stages of data processing in recruitment:

  • Collection: personal data is collected from clients or job seekers, usually through a “contact us” form, application form, or a resume.
  • Storage: the information is stored in a secure database.
  • Use: the data is used to match job seekers with open positions.
  • Sharing: the job seeker’s data may be shared with their consent, usually to send them information about job openings or to set up an interview.

StaffingPartner has more than 230,000 candidates in the database. We have their approval to store and use information from their CVs to find an exciting job for them and the most suitable candidates for you. Let us know if you have open positions.

How does GDPR compliance look in practice?

Our recruiters are regularly trained in data protection and are aware of the consequences of non-compliance. We must consider different data protection laws, not just GDPR. So, let’s discuss the main situations where recruiters and recruiting agencies interact with personal data and how they comply with GDPR:

“Contact us” form

You can see a “contact us” form on our website, where we warn you that you give us the right to store and use information. According to GDPR, we have no right to store personal data until the client submits it. The data goes directly to our CRM system, where it is stored. Only the recruiters who need to process the data have access to it. We do not share the data with anyone else. 

Job advert

The author of the advertisement has to state in the text details such as:

  • a statement that the individual is giving their consent for their data to be collected and used for recruitment purposes if they apply;
  • the name, phone number, or other contact details of the hiring organization (in the case of recruiting agencies, there may be the agency’s name and contact info instead).


The main rule of GDPR is that personal data must be collected only for specific and legitimate purposes. This means that recruiters can’t ask job seekers for more information than they need to determine if job seekers are qualified for the position. For example, a recruiter should not ask for an applicant’s date of birth unless it’s necessary to check that the person is of legal working age.

Retention periods

Under the law, personal data must be kept for no longer than is necessary for the purposes for which it was collected. Recruiters have nearly 30 days to contact job seekers after receiving their applications to let them know if they’ve been selected for the next step. If there is no intention to hire the job seeker, the legitimacy of collecting the data no longer exists, and the job seeker can ask for their data to be deleted.

“A candidate has the right to know what is going on with their data. So we notify them that we’ve received their application, we tell them what the next steps are, and ask their permission to share the CV with employers if we find them suitable for the position,” said Kateryna.


When data is no longer necessary, it must be destroyed to ensure it can’t be recovered or reused. This could mean shredding paper records or permanently deleting digital files. For example, if job seekers’ data is stored on a laptop that will be sold, the data must be wiped from the device before it is handed over to the new owner.

The bottom line

When working with recruiters as a client, you should always check that they are GDPR compliant. Complying with the law is not only a legal obligation but also the right thing to do to protect people’s privacy. StaffingPartner takes data protection seriously, so drop us a message if you need help with recruiting under GDPR.
