GDPR and candidate consent


You are considered to be complying with GDPR if your organisation is hiring and you are collecting data ‘for specified, explicit and legitimate purposes’. This means that as long as your organisation has been transparent, and has informed the candidate of the intended use of the information they are supplying, you do not need to request explicit consent to process their data.

Candidates understand that when they submit their personal data as part of a job application then their data will be processed (reviewed) as part of the hiring process.

The only caveat to this is if you are requesting sensitive information, for example, information about a disability, cultural, genetic or biometric information, information gathered for the EEO survey or a background check. In most cases you must request and record explicit consent to process this information. If a criminal background check is required by law (e.g., for working at a nuclear power facility), no consent is required.

If a candidate contacts you at any stage asking you to delete their data from your files, you should carefully verify whether you must comply. You must also inform candidates if you wish to use their data for anything other than the initial purpose outlined.

While you may not need to collect explicit consent in all cases, you should always share your recruitment Privacy Notice with candidates.

The sharing process can vary depending on how the candidate has arrived in your Workable account: