One of the basic requirements of the GDPR is that any processing needs to be based on a legal ground. When sourced recruiting is used, the question is mainly which legal ground may be used for the processing.
The most common legal ground used by recruiting companies today is a balancing of interests, commonly referred to as “legitimate interest”. That interest can be, for example, being able to proactively find relevant candidates and to recruit the right person for the job.
Besides having a legal ground for processing, the other applicable requirements of the GDPR need to be fulfilled. Such requirements concern transparency, data minimization, and storage limitation.
Our assessment is that if you collect personal data from a sourced candidate, you need to contact the candidate within a month of collecting their data to inform them about the processing you do and about their rights, e.g. through an email with your privacy policy attached or linked. If no contact is made and no information is provided, the personal data should be deleted.
The candidate must be informed about:
What personal data is being processed by you
From where the data was acquired and to whom you might share it
Who is responsible for the processing (“controller”), including contact details
For how long the data will be stored
Whether the data is stored within or outside the EU/EEA, including applicable safeguards
The purposes and legal grounds for the processing activities
The rights of the candidate (access, rectification, deletion etc.) and how they can enforce them