Q: I am trying to bring my database of existing candidates into compliance with the GDPR. What are the legal grounds for processing personal information?
A: There are six grounds for processing personal data:
(a) Data subject has given consent;
(b) Processing is needed to fulfill or establish a contract with the data subject;
(c) The controller has a legal obligation to process;
(d) When processing protects the vital interests of the data subject;
(e) Processing would be in the public interest;
(f) The controller, or third party, has a legitimate interest in processing the data. This interest cannot override the rights of the data subject, and cannot be applied to special categories of sensitive personal data.
Article 6(1), GDPR
In reality, some of these may be less relevant to a recruitment agency than others. It is reasonable to consider times when a consent form, a contractual commitment, or a legitimate interest may be used by a recruiter. Processing to protect the life of the data subject, or in the public interest, is less likely to play a part in recruiters’ compliance programmes.