The third part of our recruitment legal review 'how to' guide focusses on privacy policies. These key documents are part of your compliance with the GDPR. They are the documents that tell data subjects how your business processes personal data.

We would suggest that you have different privacy policies for different categories of data subject. One for candidates and contractors; one for clients, business contacts and service providers; possibly a separate notice for website visitors; and one for your own employees.

The GDPR sets out what needs to be in these documents but they should be 'living' documents, updated to reflect the changes in your business practices.

They should explain what data you are processing about people, to a granular level. For example:

  • name, email address, age, telephone number, CV and employment history, salary level, etc
  • where that data has come from
  • what you use it for
  • with whom you might share it

 You also need to detail the legal bases you are using to process data, and any special category conditions you are relying on to process special category information.

Some recruiters will have to process sensitive personal data about DBS checks and criminal records. You might need to take into account any health or disability issues for your screening and accessibility. Both of these would constitute special category data.

Include information about any automated processing you might use for screening CVs.

If you are a global business, or place candidates globally, have you covered off transferring data between the group or outside the EEA?

You also need to let data subjects know what their rights are and how they can complain.

We can provide you with a checklist of what needs to be in your privacy statements if you want to do an audit to check your business' compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.