GDPR and recruitment

We guide you through navigating your GDPR obligations when processing personal data for potential and current candidates. The first step is to understand the difference between personal and sensitive data from a recruitment perspective.

Personal and sensitive data
Personal data is any information that identifies a living individual. In relation to a job application this would include some or all of the following personal data:
  • The person’s name
  • Address
  • E-mail
  • Date of birth
  • Referee names and addresses
  • Their work history
  • Their educational history
  • IP address if they apply for the job online

Sensitive personal data which is referred to as special category data under GDPR is any personal data that relates to an individual’s: race or ethnicity, political, religious or philosophical beliefs, sexual life or sexual orientation, health, genetic or biometric data, criminal record or trade union membership.

Some or all of the following sensitive personal data may be collected either through the job application or through the course of the interview process:
  • Race or ethnicity – this may arise when seeking information on their right to work in Ireland
  • Health data if they undergo a pre-medical assessment
  • Criminal record if they are required to undergo the Garda vetting process
  • Trade union membership – this may arise during the interview process

Legal basis for processing potential employee data
There are six legal bases that businesses can rely upon when processing personal data. These are:
  • Consent
  • The performance of a contract
  • Compliance with a legal obligation
  • Vital interests
  • Public interests
  • Legitimate interests

It is important to select and use the most appropriate legal basis for this data processing activity. Below we outline how consent, performance of a contract and compliance with a legal obligation could be applied when assigning a legal basis for the processing of potential employee personal data.

Consent
GDPR requires that the data subject's consent must be:
  • Freely given
  • Specific
  • Informed
  • Unambiguous, whereby the data subject has indicated, by a statement or clear affirmative action, that they agree to the processing of their data

What this means is that when a job applicant applies for a role, the act of sending the CV or job application is a clear affirmative action that they agree to their personal data being processed for this specific purpose. However, under GDPR they must be informed in advance of how your business will process their personal data when they submit their application.

This can be done by including a data privacy notice in the job advertisement. This is easier to achieve if you advertise the role online, as you can include it on the job advert page, via a pop-up notice or via a web link. The key element is that it is clearly displayed and not hidden away or difficult to find, so that the applicant clearly understands how their personal data will be processed.

Performance of a contract
When a person is applying for a role, you could rely on this legal basis as they are indicating their intention to enter into a contract of employment if they succeed in being appointed to the role.

Compliance with a legal obligation
This may apply in some instances, for example where a potential employee is required to demonstrate that they can legally work in Ireland via an appropriate employment permit, or, for some roles within the financial services sector, where potential employees must pass a fitness and probity test with the Central Bank of Ireland before they can be approved to work within that organisation.

What must be included in a data protection notice for the job advertisement?
The data protection notice needs to be written in clear, plain language that is easy to understand, and it should include the following information where applicable:
  • Business identity
  • Contact details for the business and the Data Protection Officer / person who is responsible for data protection compliance
  • Reasons for collecting the data
  • Uses to which the data will be put
  • To whom the data will be disclosed – this needs to be included if you use third parties to process potential candidates' data, for example an external recruiter
  • Whether the data will be transferred outside of the EU – will their personal data be held in an HR software system hosted on a cloud-based solution outside the EU? If so, you will need to document this and ensure the provider is GDPR compliant
  • Legal basis for the processing of the data
  • Period for which the data will be stored, or the criteria used to determine retention periods
  • Where the processing is based on legitimate interests, the legitimate interests concerned
  • Where the processing is necessitated by a statutory or contractual requirement, the consequences for the individual of not providing the data – for example, certain roles have regulatory requirements, and the potential candidate needs to know that if they do not supply this personal data their application cannot be processed
  • Whether the data subject will be subject to automated decision making – see below for more information on automated profiling
  • The rights of the individuals under the GDPR

Automated profiling
Automated profiling relates to any form of automated processing of personal data which is used without human intervention to evaluate an individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

In the case of assessing suitable applicants, some businesses rely on software systems to screen CVs. For example, the software may scan CVs for keywords in order to remove or include potential candidates. If your business avails of this type of software, it must be detailed in the data privacy notice.

A potential candidate has the right to request that a person evaluates their CV if automated profiling is used, so it is important for businesses to be aware of this right.

Data retention periods of successful, unsuccessful and on-spec job applications
Under GDPR, personal data should only be kept for as long as necessary. This is a broad view of the data minimisation principle, and many businesses struggle to set their data retention periods. The key is to factor in legal requirements, limitation periods and business reasons for holding the personal data for a specific period of time. You can access our webinar on retention periods here if you would like a better understanding of this area.

In the case of unsuccessful applicants, the SFA recommendation is to hold this personal data for one year in case of a potential equality claim with the Workplace Relations Commission.

In the case of successful applicants, the SFA recommends seven years after the employee has left the business. This is to factor in any potential civil claims with the courts.

For on-spec job applications this would be decided on a case-by-case basis. Some businesses are choosing from the outset not to retain on-spec CVs and have detailed this in their data protection notice. Others are retaining them where the potential candidate could be a good fit for the company in the future. What is crucial is that businesses document their retention periods and the reasons why they are holding that personal data.

In addition, some businesses create a panel of suitable candidates for future roles. If you operate such a panel, you should ask potential candidates if they would like to be retained on it for X period of time, and you will need to record that they have consented to this.

Background checks
The Data Protection Commission (DPC) website has the following advice in relation to conducting background checks on potential employees:

The key to compliance with data protection is to inform the potential employee of any potential checks that may be undertaken and seek their specific consent for certain types of checks, e.g. qualification checks, character reference checks.

Any information that is legitimately in the public domain can generally be accessed within the context of data protection requirements without giving rise to concerns. The person should be provided with any such information, however, in order that they can have an opportunity to provide comments on it.

An employer is entitled to ask an employee to declare if they have any previous relevant criminal convictions which might impact the desirability of them performing a particular task. However, an employer should only be concerned about convictions that relate to the particular job on offer. For example, a job involving driving may justify the employer asking about previous driving convictions. This requirement may be updated shortly via a Spent Convictions Bill, which was recently introduced by the Government and which will allow potential employees (not where they are dealing with children or vulnerable adults or other sensitive positions) in certain situations the option not to provide such information.

Organisations/employers seeking to access information held by a credit referencing organisation about prospective or current employees could present data protection concerns. Any forced requirement placed upon employees to seek credit history information from the Irish Credit Bureau, for example, for employment screening purposes could be considered a breach of the Data Protection Acts.

Certain sectors, for example where employees have contact with children or vulnerable adults, are permitted to make use of Garda Vetting checks which are carried out with the consent of the person.

Use of third parties / recruitment agencies
It is essential for businesses that use either recruitment agencies or other third parties for the recruitment process to have a legally binding contract in place with them, as the third party will be the data processor acting on behalf of the business as data controller.

The Data Protection Commission has published a guidance document for data controller to data processor contracts that lists the essential requirements for the contract along with some recommended requirements. You can download it at

Data access requests
Under GDPR an individual has the right to access their personal data within one month of making the request, and this is now free of charge. It is important that businesses are aware that the individual can access any personal data that identifies them in relation to the recruitment process. This may include the following:
  • CVs
  • Interview assessment sheets or other documents in relation to the job role
  • Written/verbal references
  • Interview or meeting notes
  • Handwritten notes
  • Emails/letters where the employee is identified/referenced
  • CCTV/videos/images

It is important to bear in mind that a throwaway comment in an e-mail or notebook could later be accessed by that individual, so be cautious in all your documentation throughout the recruitment process. A good tip is to imagine that all of the notes or documentation were made publicly available: would you be comfortable or uncomfortable with what is written in them?