Have Questions About This Template?
Book a 30-minute call with one of our experts. You’re in safe, experienced hands.
Job candidate privacy notice
What’s a job candidate privacy notice, and when should you use it?
This is a privacy notice aimed at those who apply for jobs or other roles and it is compliant with GDPR.
Not all parts of the notice will be applicable to all businesses.
This notice informs candidates about how you collect, handle, store and potentially also share, their personal data, as well as the rights that they have in relation to your activities, under Ireland’s data protection law.
Privacy notices can be referred to as lots of different things, including a ‘fair processing notice’.
The GDPR has a specific list of the information that must be given to individuals relating to the processing of their personal data.
You should have a longer Employee, Contractor and Workers Privacy Notice in place for those who actually work for you (including those candidates who are successful).
This may include some of the same information as is included in this notice, but you will hold and process much more personal data about employees, contractors and workers than you do about job candidates.
Your Job Candidate Privacy Notice should be separate to your external privacy notices (i.e. for customers, suppliers and anyone else you deal with).
If you want a privacy notice for your website, then you should use our Website Privacy Notice template.
If you need a general privacy notice then you can use our General Privacy Notice template for these purposes.
What else might you need?
Before you draft your privacy notice, you should undertake a data mapping (or data audit) exercise in order to establish all the types of data which you collect, hold, why you use them, the legal basis for using them and details of when that personal data is shared with other people or organisations.
For more information on data mapping/auditing, take a look at our guide data handling rules and what the GDPR means for small businesses (coming soon)
Our 14-point GDPR checklist can also be very useful.
Prospective employers are ‘data controllers’ of the personal data they hold about job candidates who apply to them (whether directly or through an agency).
This privacy notice (or the information contained in it) should be given to each job candidate at the point where their personal data is being collected (and if you update it then it should also be made available to them then).
Often, this will be very early in the relationship process, such as when they apply for a job.
This is so that those individuals can understand how their personal data will be used, before giving it to you.
If you decide to offer a candidate a job then you will need to provide them with your Employee, Contractor and Workers Privacy Notice.
If you have obtained personal data about an individual from a third party (i.e. not directly from the individual themselves, which could happen for example where you have engaged a recruitment consultant to find a candidate) then, subject to certain exceptions under the GDPR, you should still provide your own privacy notice to the individual (unless you have arrangements in place for the third party to do this on your behalf) at the earliest of the following:
- Within a reasonable period of receiving the data (and no later than one month);
- If you use the data to communicate with the individual, then no later than the first communication;
- If you are going to disclose the personal information to someone else, then before disclosure occurs.
Whether it is practical for the third party (e.g. recruitment consultant) to do this on your behalf will be for you to agree with them.
However, it is likely that the recruitment consultancy will have their own privacy notice which they provide to those who sign up with them and they may therefore be unwilling to also provide yours.
If you (rather than a recruitment consultant) are providing your Candidate Privacy Notice this should be given to the candidate within a month, or if sooner the first time you contact them or prior to disclosure of their personal data to a third party.
It’s not essential to give a hard copy of your privacy notice to individuals, but you must make them aware of it and give them an easy way to access it (i.e. they can email you to be sent a copy, or they can access it from your website).
You should consider the way you collect the personal data from the individual and how you communicate with them in order to come up with a sensible way of providing them with a privacy notice.
You also need to think about the layout of your privacy notice, especially if it is online.
The GDPR requires privacy notices to be transparent, easily understandable and concise.
Can’t find what you are looking for?
This service is your service.
If there is content you cannot find on our Hub simply email us your request and we’ll get you sorted.
If there is content you cannot find on our Hub simply email us your request and we’ll get you sorted.