GDPR for Recruitment Agencies: Candidate CVs, Talent Pools and Retention Schedules

Recruitment agencies process personal data at industrial scale. Every CV submission, every speculative application, every candidate database search involves personal data — and UK GDPR applies to all of it. Lawful Bases Legitimate interests: Processing a CV for a specific vacancy the candidate applied for Contract: Payroll and employment management for temp/contract workers Legal obligation: Right to work checks, IR35 assessments, HMRC payroll Consent: Retaining CVs for future roles (talent pools) — must be explicit opt-in Talent Pools Retaining a candidate CV after the vacancy closes requires explicit consent. This must be: A separate opt-in from the vacancy application A positive action (not pre-ticked) Easy to withdraw at any time Sharing CVs with Clients Privacy notice must state CVs will be shared with clients Inform candidates before submitting to a specific client Clients typically become independent controllers when they receive CVs Retention Schedule Unsuccessful applicants: 6