
GDPR and CV Screening: What UK Recruitment Agencies Must Know in 2025

Matthew
6 min read
3 December 2025

Legal Disclaimer: This is educational content, not legal advice. For specific GDPR compliance questions, consult a qualified data protection solicitor.

GDPR compliance isn't optional for UK recruitment agencies. When you collect, store, and process candidate CVs, you're handling personal data, which means GDPR applies. Here's what you need to know to stay compliant in 2025.

What GDPR Requires When Storing Candidate CVs

GDPR establishes six core principles for handling personal data. Let's translate them into practical requirements for recruitment agencies:

Lawful Basis for Processing

You need a legal reason to collect and store CVs. For recruitment, this is typically either:

  • Legitimate Interest: You're processing CVs to fulfil a contract with your client (filling a role). This is the most common basis for initial CV screening.
  • Consent: The candidate has explicitly agreed for you to keep their CV for future opportunities. This is only needed if you want to retain CVs beyond the immediate role.

Transparency

Candidates must know what you're doing with their data. Your privacy policy should clearly state:

  • What data you collect (CV, contact details, employment history)
  • How you use it (to assess suitability for roles)
  • Who you share it with (clients, potentially AI screening tools)
  • How long you keep it (more on this below)
  • Their rights (access, deletion, correction)

How Long You Can Keep CVs

This is where many agencies get it wrong. You cannot keep CVs indefinitely "just in case" something comes up.

Legitimate Interest: 6 Months Maximum

If you're relying on legitimate interest (screening for a specific role), you should delete unsuccessful candidates' CVs within 6 months after the recruitment process ends. Some agencies use 3 months to be extra cautious.

Why? Because after 6 months, it's hard to argue you still have a legitimate business need to store data for a role that was filled months ago.

Consent: Longer Retention Possible

If a candidate gives explicit consent for you to keep their CV for future opportunities, you can retain it longer (typically 12-24 months). But:

  • Consent must be freely given, specific, and informed
  • It must be as easy to withdraw consent as to give it
  • You should periodically check they still want to be in your database (annual consent refresh is good practice)

Handling Right to Deletion Requests

Under GDPR, candidates have the right to request deletion of their data. When someone makes a request:

Response Timeline

You have 30 days to comply (extendable to 60 days for complex requests, but CV deletion is rarely complex).

What to Delete

Everything: their CV, contact details, notes from interviews, email correspondence. If you've shared their CV with clients, you should inform those clients of the deletion request as well.

Exceptions

You can refuse deletion if you need the data to comply with legal obligations (e.g., tax records if you placed them and earned a fee). But this is rare. Most CV screening data can and should be deleted on request.

Data Processing Agreements with Screening Tools

If you use AI screening tools (or any third-party software to process CVs), you're sharing candidate data with a data processor. GDPR requires you to have a Data Processing Agreement (DPA) in place.

What a DPA Should Include

  • Scope of processing (what the tool does with candidate data)
  • Security measures the processor uses
  • Data retention and deletion procedures
  • Processor's obligations to help you respond to candidate rights requests
  • Where data is stored (must be UK/EU or have adequate safeguards)

Any legitimate CV screening vendor will provide a DPA as standard. If they won't, don't use them.

Penalties for Non-Compliance

Let's be realistic about enforcement. The ICO (UK's data protection authority) typically focuses on serious breaches affecting large numbers of people or showing gross negligence.

Potential Fines

Maximum fines are €20 million or 4% of global turnover, whichever is higher. In practice, small recruitment agencies would never see fines at this level.

More realistic penalties for small agencies include:

  • £5,000-50,000 fines for clear violations
  • Enforcement notices requiring specific actions
  • Reputational damage if breaches become public

What Typically Triggers ICO Action

  • Data breaches affecting many candidates
  • Repeatedly ignoring deletion requests
  • No privacy policy, or one that is plainly misleading
  • Egregiously poor security (CVs stored in unsecured cloud folders accessible to anyone)

Practical Compliance Checklist

Here's a simple checklist to ensure your CV screening process is GDPR compliant:

  • Privacy policy clearly explains CV processing
  • Automated deletion of CVs after 6 months (or consent renewal process)
  • Process for handling deletion requests within 30 days
  • DPAs in place with any third-party tools (ATS, screening software, etc.)
  • CVs stored securely (encrypted, access-controlled)
  • Staff trained on data protection basics
  • Data breach response plan in place
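The retention and deletion-request rules above (6 months after a role closes under legitimate interest, annual consent refresh, a 30-day response window that stretches to 60 days for complex requests, and the legal-obligation exception) are easy to state and easy to forget once a CV database grows. As an added example, not Rankr's code or any official ICO tooling, the Python scheduler below applies those rules to a candidate register and says what needs doing today. The record fields, the 30-day pre-expiry consent reminder window, and the sample candidates are my own assumptions for illustration; the durations are the ones the article gives.

```python
"""Retention and erasure scheduler for candidate CV records.

Added example, not Rankr's code. Durations come from the article;
field names, the reminder window and the sample register are assumptions.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Basis(Enum):
    LEGITIMATE_INTEREST = "legitimate_interest"  # screening for a specific role
    CONSENT = "consent"                          # kept on file for future roles


LI_RETENTION_MONTHS = 6        # delete unsuccessful CVs within 6 months of the role closing
CONSENT_REFRESH_MONTHS = 12    # annual consent refresh
REFRESH_WARNING_DAYS = 30      # assumption: ask again this close to consent lapsing
ERASURE_SLA_DAYS = 30          # respond to deletion requests within 30 days
ERASURE_SLA_COMPLEX_DAYS = 60  # extension for genuinely complex requests


@dataclass
class Candidate:
    candidate_id: str
    basis: Basis
    process_ended: Optional[date] = None   # role closed (legitimate interest basis)
    consent_given: Optional[date] = None   # last explicit consent (consent basis)
    shared_with: List[str] = field(default_factory=list)  # clients who hold a copy
    legal_hold: bool = False               # e.g. placed candidate with fee/tax records
    erasure_requested: Optional[date] = None
    erasure_complex: bool = False


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_expiry(c: Candidate) -> date:
    """Date after which the record has no lawful reason to remain."""
    if c.basis is Basis.LEGITIMATE_INTEREST:
        if c.process_ended is None:
            raise ValueError(f"{c.candidate_id}: legitimate-interest record needs process_ended")
        return add_months(c.process_ended, LI_RETENTION_MONTHS)
    if c.consent_given is None:
        raise ValueError(f"{c.candidate_id}: consent record needs consent_given")
    return add_months(c.consent_given, CONSENT_REFRESH_MONTHS)


def erasure_deadline(c: Candidate) -> Optional[date]:
    """Statutory response deadline for an open deletion request, if any."""
    if c.erasure_requested is None:
        return None
    days = ERASURE_SLA_COMPLEX_DAYS if c.erasure_complex else ERASURE_SLA_DAYS
    return c.erasure_requested + timedelta(days=days)


def plan_action(c: Candidate, today: date) -> Dict[str, object]:
    """Decide what to do with one record today. Open deletion requests take priority."""
    if c.erasure_requested is not None:
        deadline = erasure_deadline(c)
        if c.legal_hold:  # the rare case: data needed to meet a legal obligation
            return {"id": c.candidate_id, "action": "retain_legal_obligation",
                    "deadline": deadline, "overdue": False, "notify": []}
        return {"id": c.candidate_id, "action": "erase", "deadline": deadline,
                "overdue": today > deadline, "notify": list(c.shared_with)}
    expiry = retention_expiry(c)
    if c.basis is Basis.CONSENT and today < expiry and (expiry - today).days <= REFRESH_WARNING_DAYS:
        return {"id": c.candidate_id, "action": "request_consent_refresh",
                "deadline": expiry, "overdue": False, "notify": []}
    if today >= expiry:
        if c.legal_hold:
            return {"id": c.candidate_id, "action": "retain_legal_obligation",
                    "deadline": expiry, "overdue": False, "notify": []}
        return {"id": c.candidate_id, "action": "erase", "deadline": expiry,
                "overdue": today > expiry, "notify": list(c.shared_with)}
    return {"id": c.candidate_id, "action": "retain", "deadline": expiry,
            "overdue": False, "notify": []}


def plan_actions(candidates: List[Candidate], today: date) -> Dict[str, Dict[str, object]]:
    return {c.candidate_id: plan_action(c, today) for c in candidates}


# Constructed sample register (fictional records, not real candidates).
TODAY = date(2025, 12, 3)
SAMPLE_REGISTER = [
    Candidate("c-001", Basis.LEGITIMATE_INTEREST, process_ended=date(2025, 5, 15),
              shared_with=["client-a"]),                       # expired 2025-11-15: erase, overdue
    Candidate("c-002", Basis.LEGITIMATE_INTEREST, process_ended=date(2025, 9, 1)),  # retain until 2026-03-01
    Candidate("c-003", Basis.CONSENT, consent_given=date(2024, 12, 20)),  # lapses 2025-12-20: ask to refresh
    Candidate("c-004", Basis.CONSENT, consent_given=date(2024, 11, 1)),   # lapsed 2025-11-01: erase
    Candidate("c-005", Basis.LEGITIMATE_INTEREST, process_ended=date(2025, 10, 1),
              shared_with=["client-b"], erasure_requested=date(2025, 11, 20)),  # due 2025-12-20, tell client-b
    Candidate("c-006", Basis.LEGITIMATE_INTEREST, process_ended=date(2025, 10, 1),
              legal_hold=True, erasure_requested=date(2025, 11, 1)),  # refused: legal obligation
]

if __name__ == "__main__":
    for action in plan_actions(SAMPLE_REGISTER, TODAY).values():
        print(action)
```

Run it daily (or from the ATS's scheduler) and feed the `erase` and `request_consent_refresh` actions into the actual deletion and mailing jobs; the `notify` list is the set of clients who received the CV and must be told about the deletion request. Keeping the `legal_hold` flag explicit, rather than silently skipping records, makes every refusal visible and defensible if a candidate or the ICO asks why a record still exists.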

The Bottom Line

GDPR compliance for CV screening isn't complicated if you follow basic principles: be transparent, don't keep data longer than needed, respect candidates' rights, and use secure tools.

Most UK recruitment agencies are already doing 80% of this without thinking about it. The remaining 20% is usually just formalising your processes (writing a privacy policy, setting deletion schedules, getting DPAs from vendors).

If you're unsure about your specific situation, spending £500-1000 on a consultation with a data protection solicitor is money well spent. They can review your processes and give you peace of mind.

Rankr is GDPR compliant by design with automatic data deletion and UK data storage. Learn more about our security and compliance features.