The General Data Protection Regulation (GDPR) is a new EU law that aims to protect EU residents’ personal data and rights to privacy. Recruiters and hiring teams especially should make sure that they are transparent when processing candidate data during hiring. We as recruiters should also ensure candidates can exercise their rights under GDPR.

  • Candidates or “data subjects”: EU residents you are considering for open roles.
  • Employers or “data controllers”: Software providers that handle candidate information on behalf of employers.
  • Legitimate interest: We only store data if we have a specified, explicit and legitimate purpose to collect candidate data.
  • Consent (for sensitive data): As recruiters we must have a legitimate interest to process candidate data. We will ask for consent if we require sensitive data like disability information or cultural and genetic information.
  • Transparency: We will disclose information required by the GDPR (e.g. how candidates can ask you to rectify or delete their data).
  • The “right to be forgotten”: We will comply with a candidate’s wish to delete their own data from all systems where you store it within one month.
  • The right to access and rectify data: We will comply with a candidate’s wish to access their own data from all systems where you store it within one month.
  • Accountability: We have processes to properly inform candidates and you are responsible for partnering only with organisations that comply with GDPR.

We will meet with senior directors to plan your company’s data audit annually. As part of the audit we will review:

  • What are our candidate sources and how do we collect their personal data?
  • What kind of data do we collect and how much of it do we actually use?
  • How do we use personal data in our operations?
  • Where do we store data and who has access to it?
  • How does data flow within our company across processes/ functions/ departments?
  • What are our processes for sharing, transferring, modifying and deleting data?

Our privacy policy includes:

  • The name and contact details of your organisation and DPO where applicable.
  • An explanation of your legitimate interest and a statement that any data requested will be used for recruitment purposes only.
  • The types of information about a candidate that reside in your company’s files.
  • Who you will share the data with.
  • Where you found the candidates’ data.
  • Where the processing is based and where you store data.
  • How long your organisation intends to store the candidate’s data.
  • The candidates’ rights.
  • Instructions on how candidates can take action on the processing of their personal data.
  • How you protect candidate data.

We will consider whether we have legitimate interest before storing passive candidate data. We will ensure we:

  • Source candidates for a specific, legitimate reason, not just to build your talent pool.
  • Collect only the amount and types of data that are absolutely necessary for your recruiting purposes.
  • Intend to contact candidates whose data you store in less than a month.
  • Obtain data lawfully from a legit source.

Set a fixed period (less than a month) in which your team should contact candidates to inform them that you are processing their data.

Create a sourcing template to contact candidates including:

  • A link to your privacy policy for recruitment.
  • The name and contact details of your organisation.
  • A statement that any data requested will be used for recruitment purposes only.

GDPR recruitment:


We will ensure our job application process complies with GDPR. Ask only for personal data that are necessary (“necessary and relevant to the performance of the job which is being applied for”).

Be transparent:

  • State that you intend to use their data for recruitment purposes only.
  • Specify for how long you may need to keep this data.

Note if you plan to gather more information about candidates as part of your screening process.

Link to your privacy policies and clarify that:

  • Candidates can find instructions on how to access their data in your privacy policy.
  • Candidates have the right to ask you to rectify or delete their data.

Comply with GDPR when rejecting candidates

Delete all data you have about the candidates you will not be considering for further roles. Inform candidates whose data you want to keep that you will keep processing their data (if you told them you would process their data only until you filled the position.) In your email:

  • Explain why you want to keep the candidate’s data.
  • Mention how long you plan to keep their details.
  • Link again to your privacy policy.
  • Let candidates know they can withdraw their consent (if applicable) at any time.

Be transparent whenever you receive data from candidates.

  • Have copies or links of your company’s privacy policy available.
  • Email candidates after you receive their data.

Review existing talent pipelines

Go through every candidate in the places you store candidate data (spreadsheets, ATS, internal database):

  • If you determine that a candidate is unlikely to be qualified for future roles or is no longer relevant, then delete their data.
  • If you’d like to keep a candidate, reach out to them to inform them you are processing their data.

Ensure your software vendors (e.g. ATS) are compliant

  • Are your data processors in the EU? If yes, they must comply with the GDPR by default.
  • Are your data processors outside of the EU? If they handle personal data of EU residents on your behalf, they must comply with GDPR.
  • Ask them to sign data processing agreements that will oblige them to process candidate data according to GDPR requirements.
  • Some U.S. companies are part of the Privacy Shield, which provides companies with a framework to comply with EU data protection requirements including GDPR.

Arrange a meeting with your software providers and ask:

  • What they’ve done, or plan to do, to comply with the GDPR.
  • How they ensure their own data processors are compliant.
  • What tools they offer to help your company remain compliant.
  • Whether they have clear privacy policies and ask to review them.

Check in with vendors after the law goes into effect.

Update your processes to grant candidate requests

  • Establish processes to let candidates access their personal data upon request.
  • Create processes to delete or rectify data.
  • Create a process to let candidates withdraw consent if applicable.
  • Communicate all these processes clearly on your website and/or your terms and conditions.


  • Single point of candidate data entry with access levels for sensitive data
  • Automatic tracking of when and how candidate data was obtained
  • A secure way to delete, share or rectify candidate data
  • Auto-delete sourced candidates who have not been contacted within 30 days
  • Auto-delete candidates in archived jobs based on your chosen timeframe


  • Editable job postings to communicate processing and privacy policies to applicants
  • Customizable application forms to ensure hiring teams adhere to data minimisation
  • Email templates to communicate policies to sourced candidates
  • Bulk email options for consistent, compliant communication with every candidate
  • Trackable team and candidate communication.

Privacy Policy WREHCP07

Westlakes Recruit operates a privacy policy. As a recruitment agency/ business we are bound by both the Employment Agencies Act (2003) and the Data Protection Act (1998). With regard to data protection, we must comply with the regulations therein which are designed to protect any information you provide for us.

At all times we will comply with the provisions of the Act and any regulations or orders that are made under this Act.

Data collection

When visiting websites certain information about you and your computer can sometimes be collected. This section explains what information Westlakes Recruit collects and how it is used:

Registration details

When you register with us, we collect your contact and other details and these are stored on our database and used to keep in contact with you to supply you with various products, services and information you may request from time to time. We may also use this information to keep you informed of new products and services as we introduce them. Subject to the section on disclosure below, all the information you provide through the site will only be used for the company’s stated business and will not be passed on or sold to any other third parties without your prior consultation and approval.

If there are any changes to our privacy policy, either for business reasons or as a result of changes in legislation, these will be posted on this page. If we view the changes to be significant we may well choose to contact you directly to advise you of such changes.

Profile and CV information

Once your details are in our database, they can then be searched and viewed by our recruitment consultants.

Integrity of information

Please note that we reserve the right to remove any CV or other information that we consider to be misleading, illegal or offensive from our database.

Where we store your personal data

The data that we collect from you will only be stored on our website, and subsequently transferred to our internal database. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Profile and CV information

We may disclose your personal information to any member of Westlakes Recruit, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 736 of the UK Companies Act 1985.

We may disclose your personal information to third parties:

  • In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
  • If Westlakes Recruit Limited are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation; or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of Westlakes Recruit Limited, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Your rights

You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data.

Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Access to information

The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. Please request this from
