HR Privacy Policy

HR Privacy Policy: a hands-on guide to drafting your recruiting privacy notice for candidates

Each time your company needs a new hire, you instruct the company’s recruiter or HR specialist to prepare the vacancy and start the search for a perfect candidate. However, hiring EU-based talent takes extra effort. Each employee-to-be is worried about the line between their private life and their work results, and the GDPR (General Data Protection Regulation) is a powerful instrument used to limit the employer’s ability to turn employees’ private lives (strictly speaking, employees’ personal data, that is, information that identifies or helps identify a person) against them.


The GDPR imposes a number of obligations on the data controller (employers and recruiting agencies working in their independent capacity). Among them, the employer or recruiting agency must:

  • decide on the purposes of collection and processing of personal data; 
  • choose a suitable legal basis for each purpose; 
  • define the procedure for obtaining the candidate’s consent;
  • carry out necessary assessments; 
  • secure the transfer and processing of personal data in a controlled and safe manner; 
  • promise confidentiality; and
  • inform the candidate about the processing of their personal data. 


The last requirement is where the candidate can assess the level of respect and attention to detail that the hiring entity has. The rule of first impressions works here as well and applies not only to the recruiter’s personal traits and the office’s decor, but also to the communication process itself. The candidate is expected to be honest with the employer. The employer (and its recruiting representative) should, in turn, start with transparency and let the candidate know how carefully their data is handled.


All information that a candidate has the right to know about the processing of their data is to be compiled in a written statement. The HR Privacy Policy (or Recruiting Privacy Policy) is a document that the recruiting specialist uses to inform the candidate of the processing of their personal data. It contains information about:

  • the employer’s (recruiter’s) identity and contact details; 
  • contact points of the hiring entity’s data protection officer and (or) EU representative (if the hiring entity is registered outside the EU); 
  • purposes and legal bases of the processing, including the legitimate interests used by the hiring entity; 
  • sources of personal data (if collected not directly from the candidate); 
  • recipients of the personal data (for example, other recruiters or affiliate companies of the hiring entity); 
  • international transfer of personal data (including security measures); 
  • retention periods; 
  • candidate’s rights with respect to their personal data; 
  • existence and mechanism of automated decision-making. 


The policy can be executed in different forms depending on the media used. It can be printed on paper (and handed to the candidate during the on-premises interview) or published on the corporate website. The link to the HR Privacy Policy must be included in the description of vacancies or otherwise provided to the candidate no later than during the first contact. If requested, the recruiter must be able to provide the information orally; therefore, the recruiter must know the contents of the privacy policy and be able to reproduce it. To avoid confusion, HR may divide the information into a few layers and provide it in chunks as the interview process progresses.

The HR Privacy Policy must be written in a “concise, transparent, intelligible and easily accessible form” adapted to the candidate, “using clear and plain language”. The information must be provided free of charge, of course. The candidate must not be charged for the paper the policy is printed on (unless the candidate’s requests are manifestly unfounded or excessive, in particular because of their repetitive character) or for their request to receive the information in a digital form or orally. The employer may draft the HR privacy notice using standardised icons or other objects that facilitate the process of reading and understanding.


The HR specialist must give the candidate an opportunity to carefully read the policy and ask questions. Only after the candidate is aware of the data processing practices can the recruiter ask for their consent (for recording the interview, for example, or for the transfer of their personal data to another entity or specialist, where necessary).


The HR specialist must know how to deal with the candidate’s data subject requests, too: explain to the candidate the reasons why the personal data cannot be deleted immediately after the interview, or how the candidate may rectify or object to the processing of their data. 


However, you must refer to the national data protection and employment law to ensure that the policy comprises all necessary information. In case of doubt, it is better to consult a data protection lawyer or your Data Protection Officer to ensure that the policy encompasses all stages of the interview and is understandable for the potential candidate.
