Skip to content
LegalVision UK

What is a Candidate Privacy Notice?

Avatar photo

By Sej Lamba
Expert Legal Contributor and Lawyer

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

When you are recruiting staff, you will be collecting various personal data from job applicants and candidates. However, there are strict rules to follow when doing so. The General Data Protection Regulation (GDPR) compels businesses to be transparent about how they use personal data. The most common way to address this requirement is to issue candidates with a ‘Candidate Privacy Notice’. This article will explain what a Candidate Privacy Notice is and the key information it should cover.

Processing Candidate Personal Data

When processing personal data about candidates, you need to be fully transparent about it. This means informing them about how you will use their personal data. ‘Transparency’ is one of the key principles under the GDPR. The most common and best way to provide this information is by giving all job applicants a Candidate Privacy Notice telling them how you will use their personal data.

You will likely collect a lot of personal data from candidates during the application process. For example, data on application forms and CVs include:

  • name and contact details;
  • employment history and qualifications; and
  • information they provide through the interview process or application-related tests.

Unfortunately, many businesses are unaware of the requirement to give candidates privacy information. However, these rules apply even if the employer does not proceed with the candidate’s application.

What Should a Candidate Privacy Notice Include?

A Candidate Privacy Notice should tell job candidates (prospective employees, contractors and volunteers alike) how and why the hiring employer or organisation will use their personal data.

The GDPR is very strict on these requirements. Accordingly, you must tailor the information you provide to your business and how you use personal data. Candidate Privacy Notices should be tailored and bespoke to define the personal data you collect from candidates and why.

In practice, Candidate Privacy Notices can be shorter form than more lengthy notices aimed at customers and your current staff. This is because a business typically collects less data from candidates.

Front page of publication
Privacy Notice

This Website Privacy Notice states how a business will deal with the personal information of its users.

Download Now
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Information A Candidate Notice Should Cover

A candidate notice should include information about the employer’s identity. Additionally, it should specify that it is a ‘data controller’ responsible for deciding what to do with the candidate’s personal data. 

You should also inform the candidate about the types of personal data you will collect from them. In addition, you must specify how and why you will use this information. Businesses must have a valid legal reason to process a candidate’s personal data. Under UK data protection law, there are several legal bases for processing personal data. For example, a valid reason may be:

  • to comply with a legal obligation;
  • to perform a contract; or
  • having consent from the relevant parties. 

You need to justify why the business will use the candidate data.

Furthermore, your privacy notice must specify whether you will share candidate data with third parties, for example, group companies. Likewise, you must also disclose whether you will share or send candidate data outside of the UK. If so, complex international data protection law rules apply, and you must provide detailed information on this.

The privacy notice must also detail the following:

  • the candidate’s rights under the GDPR, such as the right to make a subject access request;
  • how long you will keep data and when you will delete it;
  • any data security measures to safeguard candidates’ personal data;
  • whether you collect information about criminal convictions and ‘special category’ or sensitive data;
  • automated decision-making, if relevant; and
  • how your business collects the candidate’s personal data, such as from a third party or the candidate directly.

Although this may sound quite onerous, this document is essential for UK GDPR compliance. It will also give candidates a good impression if you are transparent about using their data. This will show your business has strong data protection practices.

Key Takeaways

A Candidate Privacy Notice is an essential document for GDPR compliance. The notice must be carefully drafted and tailored to your organisation and how it uses candidate data. It must include sufficient information for candidates to understand how your business uses their personal data.

If you need help creating or updating a Candidate Privacy Notice, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

3 Documents Your Company Needs to Demonstrate GDPR Compliance

Eight Tips for Employer Good Practice in England

Are CCTV Systems Safe for My UK Business to Use Under the GDPR?

Can My Business Cold Call Individuals?

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards