Consent is Not the Only Means of Processing Personal Data Under the EU GDPR

As we draw near to May 2018, it is important to understand the legal bases for processing personal data under the EU General Data Protection Regulation (GDPR).

Under the Data Protection Act 1998 (DPA), there are six lawful reasons to process personal data and these are also retained under the GDPR. These six lawful reasons have always existed. However, it is very important for recruiters to understand that you do not need to always rely on consent as a legal basis for processing and there are times when it will not be appropriate to rely on consent. There are other lawful reasons that you can rely on to process personal data.

The six lawful reasons to process personal data under the GDPR (and currently under the DPA) are explored in our newly updated GDPR guide. In this blog, we focus on the three that are most relevant for recruiters. 

1) Necessary for the performance of a contract

Recruiters will be able to process personal data if processing is necessary for the performance of a contract or is necessary for the data subject to enter into a contract. In practice, this could be when a recruitment business processes personal data in order to provide their services to a candidate and enter into a contract with them.

2) Necessary for the compliance of a legal obligation

The GDPR will allow recruiters to process personal data when processing is necessary for them to comply with a legal obligation. For example, recruiters have a legal obligation to comply with the Conduct of Employment Agencies and Employment Businesses Regulations 2003 to retain records for at least a year after their creation and at a least one year after the date on which they last provided work-finding services. Other records also have to be kept for different periods of time because of legal obligations, eg payroll records (please see our records table for further information).

3) Necessary for the purposes of a legitimate interest

Currently, the DPA recognises that an organisation may process data for its own legitimate interest or for the legitimate interest of a third party to whom it may disclose the personal data to. A legitimate interest essentially means a legitimate reason to process data. The GDPR highlights that consideration must be given as to whether someone can reasonably expect their personal data to be processed for a particular purpose. Recruiters have a legitimate interest to process personal data in order to provide work finding services on the candidate’s behalf.

So, aside from consent, recruiters may consider the above lawful reasons for processing personal data, as in many cases, one of the above may be more relevant than consent. For further information about the legal bases for processing personal data, members can now download our newly updated GDPR guide and visit the ICO’s guidance on a lawful basis for processing.