Recruitment Agency Data Protection Policy

Understanding Recruitment Agency Data Protection Policy

Wilson Cole

From the moment candidates submit their CVs until they are hired, recruiting firms handle and process the most crucial data of all: personal data.


Employment agencies must follow regulations governing data protection. Personal data are processed when:

  • Candidate background checks, including credit and criminal checks, are conducted, and candidates are then added to a database in preparation for future customer and resource needs.
  • Your recruitment agency obtains supplies for products or services, or hires and compensates its staff.
  • Your recruitment firm controls physical access to its office (for example, by granting access using access cards and biometric data), or monitors and archives CCTV footage for security reasons.


Every time your recruiting firm uses a person's personal information, such as email addresses and phone numbers, whether to hire new clients or staff, it is subject to data protection laws. Your recruitment agency is required by data protection law to take appropriate steps to safeguard that personal data.


People's empowerment and protection are the main goals of data protection laws. So when your recruitment service helps people find jobs, it also gives them power.

Recruitment Agency Data Protection Policy 101

Different data protection rules may apply to your agency depending on where the data subjects are from, where they might be at the time you process their personal data, or where your recruitment agency is headquartered.

You must adhere to South Africa's Protection of Personal Information Act (POPIA) if you have a South African base of operations. If you process personal data of data subjects in the European Union (EU), compliance with the General Data Protection Regulation (GDPR) is a must.

Recruitment agencies are considered data controllers under the GDPR. This means they must ensure that the personal information they gather from job applicants, whether through traditional means or recruitment software, is legitimate and GDPR compliant.

Recruitment agencies must inform job applicants of their rights under the GDPR, including the right to access and the right to have personal data deleted. In addition, agencies must take precautions to prevent unauthorized access, disclosure, and destruction of job applicants' personal information.

What are the primary problems with data protection?

Below are some privacy issues recruitment agencies need to look out for when processing their data:

1. Data quality
It's critical to avoid processing more personal information than is required. How? When creating the application form, gather the necessary data pertinent to the selection criteria. For instance, asking someone why they left a former position when hiring them is unnecessary. Likewise, avoid asking someone if they have ever been convicted of a crime since they might feel obligated to divulge information that is not required for hiring. When analyzing these documents, organizations must analyze just the necessary data.

2. Informational right
Prospective employees must be aware of their rights and the purposes for which their information is handled both before the hiring process begins (i.e., before they apply) and after being hired.

3. Accessibility
Applicants should have the right to view all the information and results from the various stages of the selection process. Naturally, there are some exceptions, such as comparative data that includes other candidates and reports that incorporate the particular viewpoints of the Selection Committee members. However, even in these circumstances, applicants should be given the overall results.

4. Retention period
For specific objectives, organizations frequently need to maintain personal information on file. However, it is illegal to preserve such data for an extended period. Additionally, after the recruitment process is complete, information that was merely a requirement for the recruitment should not be retained. Finally, because criminal records are snapshots in a person's life that may no longer accurately reflect reality, there is no reason to maintain them.

What impact does the GDPR have on hiring?

Here are a few of the essential GDPR provisions that have an impact on hiring teams' and recruiters' day-to-day operations:

  • To process candidate data, you must have a justifiable interest. 

You must only collect data for "specified, explicit, and legitimate objectives," according to GDPR. This implies, for instance, that you are permitted to source applicant information so long as you only gather data relevant to open positions and have a 30-day contract plan.

  • To process sensitive data, candidate consent is required. 

When processing data on a person's disability, culture, genetics, or biometrics, or information acquired for an EEO survey or background check, complying with GDPR means you obtain consent. Therefore, in these situations, you must ask for permission plainly and make it evident to applicants how to withdraw their consent if they so choose.

  • Regarding how candidate data is processed, you must be open. 

Companies must have transparent privacy policies, and recruiters must provide candidates access to those policies. Additionally, you must specify where you store candidate data (for example, in your applicant tracking system) and that you will only use it for the hiring process.

  • You must take responsibility for compliance (accountability).

Your business must be able to show that it complies with the GDPR. For instance, under GDPR, your firm is accountable for the partners it works with (e.g. an ATS provider or sourcing services). Your business is responsible if your contractors don't follow the law.


Additionally, you must abide by the GDPR when candidates exercise their rights:


  • There is a "right to be forgotten" for candidates. 

Candidate requests to stop processing their personal information and destroy it should always be honored. Within one month of receiving the candidate's request, the data protection officer must find every area where you save their information (such as spreadsheets or the cloud) and destroy it.

  • Candidates have the right to access their information and request that it be corrected. 

Candidates have the right to inquire about the data you may have on them. Additionally, they have the right to request that you correct any errors. Within one month, data processors must accept both requests and give applicants a cost-free electronic copy of their personal information.


Wilson Cole

Founder and CEO of Adams, Evens & Ross NC, LLC, the nation's largest credit and collection agency designed exclusively for the staffing and recruiting industry. In 2008, he was inducted into Inc. magazine's "Inc. 500" as CEO of Adams, Evens & Ross NC, LLC, the 307th fastest-growing privately held company in America. This exclusive group of other Inc. 500 CEOs includes Bill Gates of Microsoft and Larry Ellison of Oracle. In 2007, Recruiting & Staffing Solutions Magazine named him "The Billion Dollar Man", based on successful collections of more than 1 billion dollars in past-due debt. With a career spanning 30 years as CEO of Adams, Evens & Ross NC, LLC, he's in the business of getting clients paid.