Q: I am trying to get my database of existing candidates into compliance with the GDPR. What are the legal grounds for processing personal information?
A: There are six grounds for processing personal data:
(a) Data subject has given consent;
(b) Processing is needed to fulfill or establish a contract with the data subject;
(c) The controller has a legal obligation to process;
(d) When processing protects the vital interests of the data subject;
(e) Processing would be in the public interest;
(f) The controller, or third party, has a legitimate interest in processing the data. This interest cannot override the rights of the data subject, and cannot be applied to special categories of sensitive personal data.
References:
Article 6(1), GDPR
Additional Information:
In reality, some of these may be less relevant to a recruitment agency than others. It is reasonable to consider times when a consent form, a contractual commitment, or a legitimate interest may be used by a recruiter. Processing to protect the life of the data subject, or for a public interest, is less likely to play a part in recruiters’ compliance programmes.