All Collections
How does sourced recruiting comply with the GDPR?
How does sourced recruiting comply with the GDPR?
Sebastian Basauri avatar
Written by Sebastian Basauri
Updated over a week ago

One of the basic requirements of the GDPR, is that any processing needs to be based on a legal ground. When sourced recruiting is used the question is mainly what legal ground may be used for the processing.

The most common legal ground used by recruiting companies today is a balancing of interests, commonly referred to as “legitimate interest”. And that interest can be, for example being able to proactively find relevant candidates and to be able to recruit the right person for the job.

Besides having a legal ground for processing, the other applicable requirements of the GDPR need to be fulfilled. Such requirements concern transparency, data minimization, and storage limitation.

Our assessment is that if you collect personal data from a sourced candidate

you need to, within a month from collecting their data, contact the candidate to inform them about the processing that you do and their rights, e.g. through an email with your privacy policy attached or linked. If no contact or information is made the personal data should be deleted.

The candidate must be informed about:

  • What personal data is being processed by you

  • From where the data was acquired and to whom you might share it

  • Who is responsible for the processing (“controller”), including contact details

  • For how long the data will be stored

  • Whether the data is stored within or outside the EU/EEA, including applicable safeguards

  • The purposes and legal grounds for the processing activities

  • The rights of the candidate (access, rectification, deletion etc.) and how it can enforce them

Did this answer your question?