Skip to content
LegalVision UK

What is a Candidate Privacy Notice?

Avatar photo

By Sej Lamba

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

When you are recruiting staff, you will be collecting various personal data from job applicants and candidates. However, there are strict rules to follow when doing so. The General Data Protection Regulation (GDPR) compels businesses to be transparent about how they use personal data. The most common way to address this requirement is to issue candidates with a ‘Candidate Privacy Notice’. This article will explain what a Candidate Privacy Notice is and the key information it should cover.

Processing Candidate Personal Data

When processing personal data about candidates, you need to be fully transparent about it. This means informing them about how you will use their personal data. ‘Transparency’ is one of the key principles under the GDPR. The most common and best way to provide this information is by giving all job applicants a Candidate Privacy Notice telling them how you will use their personal data.

You will likely collect a lot of personal data from candidates during the application process. For example, data on application forms and CVs include:

  • name and contact details;
  • employment history and qualifications; and
  • information they provide through the interview process or application-related tests.

Unfortunately, many businesses are unaware of the requirement to give candidates privacy information. However, these rules apply even if the employer does not proceed with the candidate’s application.

What Should a Candidate Privacy Notice Include?

A Candidate Privacy Notice should tell job candidates (prospective employees, contractors and volunteers alike) how and why the hiring employer or organisation will use their personal data.

The GDPR is very strict on these requirements. Accordingly, you must tailor the information you provide to your business and how you use personal data. Candidate Privacy Notices should be tailored and bespoke to define the personal data you collect from candidates and why.

In practice, Candidate Privacy Notices can be shorter form than more lengthy notices aimed at customers and your current staff. This is because a business typically collects less data from candidates.

Front page of publication
Privacy Notice

This Website Privacy Notice states how a business will deal with the personal information of its users.

Download Now
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Information A Candidate Notice Should Cover

A candidate notice should include information about the employer’s identity. Additionally, it should specify that it is a ‘data controller’ responsible for deciding what to do with the candidate’s personal data. 

You should also inform the candidate about the types of personal data you will collect from them. In addition, you must specify how and why you will use this information. Businesses must have a valid legal reason to process a candidate’s personal data. Under UK data protection law, there are several legal bases for processing personal data. For example, a valid reason may be:

  • to comply with a legal obligation;
  • to perform a contract; or
  • having consent from the relevant parties. 

You need to justify why the business will use the candidate data.

Furthermore, your privacy notice must specify whether you will share candidate data with third parties, for example, group companies. Likewise, you must also disclose whether you will share or send candidate data outside of the UK. If so, complex international data protection law rules apply, and you must provide detailed information on this.

The privacy notice must also detail the following:

  • the candidate’s rights under the GDPR, such as the right to make a subject access request;
  • how long you will keep data and when you will delete it;
  • any data security measures to safeguard candidates’ personal data;
  • whether you collect information about criminal convictions and ‘special category’ or sensitive data;
  • automated decision-making, if relevant; and
  • how your business collects the candidate’s personal data, such as from a third party or the candidate directly.

Although this may sound quite onerous, this document is essential for UK GDPR compliance. It will also give candidates a good impression if you are transparent about using their data. This will show your business has strong data protection practices.

Key Takeaways

A Candidate Privacy Notice is an essential document for GDPR compliance. The notice must be carefully drafted and tailored to your organisation and how it uses candidate data. It must include sufficient information for candidates to understand how your business uses their personal data.

If you need help creating or updating a Candidate Privacy Notice, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Register for our free webinars

Preventing Employee Competitors: How to Protect Your Business

Online
Learn how to protect your business from employee competitors. Register for our free webinar today.
Register Now

Protecting and Enforcing Your Brand

Online
Protect your brand from misuse and infringement. Register for our free webinar.
Register Now

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

3 Documents Your Company Needs to Demonstrate GDPR Compliance

Eight Tips for Employer Good Practice in England

Are CCTV Systems Safe for My UK Business to Use Under the GDPR?

Can My Business Cold Call Individuals?

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards