Two and a half years ago the General Data Protection Regulation 2016/679 (‘GDPR’) forced businesses to drastically rethink how to manage the data of their consumers, clients and employees. The GDPR makes a clear distinction between controllers, joint controllers and processors.

As we know the controller is the party who determines the purposes for which and the manner in which personal data is processed. In other words, it decides why and how it wishes to process people’s data. And if two parties process the personal data for the same means and purpose, they could be qualified as joint controllers. But if you process data on the controller’s behalf, then you will be labelled as a processor.

This may sound relatively straightforward to those of you who practice law or operate in the data protection field. However, many organisations regrettably still apply a one-size-fits-all approach when onboarding their recruitment partners. More often than not the recruitment business is expected to sign a data processing agreement under which they accept all liability for the data processing done on behalf of their client. The recruiter is regarded as the data processor. There is barely any room for push back.

Why is this a problem? Isn’t it good news if the recruiter, who is often referred to as ‘the supplier’, is held to the strictest standards? Doesn’t this increase compliance in the supply chain?

In this blog, David Korthals (CIPP/E, CIPM) explains how the concepts of controller and processor relate to the provision of recruitment services. He will furthermore recommend how the client and the recruiter can work together to tighten up compliance in the supply chain.

The recruiter and the client: two independent data controllers?

In a classic recruiter-client relationship, both the recruiter and the client [1] should be regarded as the data controller. This means that they both have the ability to independently determine the purposes for which personal data is collected, stored, used, altered and disclosed. 

Take the example of a person that books a holiday via a travel agent. If the travel agent forwards that person’s details to their chosen airline and hotel, the airline and hotel are holding identical data but separately and for distinct purposes.[2]

The same scenario applies to recruiters and clients. Both may process the same type of personal data for slightly different purposes. The client has a need for hiring temporary or permanent personnel and therefore asks the recruiter to initiate the search for the dream candidate. The recruiter would often use ‘legitimate interest’ as their legal basis for sourcing candidates and subsequently filing their data. 

After having prepped the candidate for the role, the recruiter may select the candidate and forward their details to the client (provided the candidate has consented to this) [3] and the recruiter will charge a fee if the candidate is subsequently hired by the client. The associated fees may be charged on a fixed, retained or time and materials basis. 

The client however is ultimately interested in engaging (directly or indirectly) with the successful candidate, either on a permanent, fixed term or a contingent labour basis.
 But in the scenario that the candidate does not get the role, the recruiter may try and introduce the candidate to another client. In other words, it will hold the candidate’s data on file for future referrals. Even if the candidate asks for their data to be deleted, the recruiter may need to retain some data to comply with Regulation 29 of the Conduct of Employment Agencies and Employment Businesses Regulations 2003. 

These examples clearly demonstrate that the recruiter usually has their own reasons for collecting, filing and deleting the data of the candidate. That said, there are business models under which it is safe to say that no (independent) controller relationship exists.

When can the recruiter and the client be regarded as joint controllers?

We discussed the classic recruitment model under which recruiters and clients process data for their own purposes and means. However more and more recruiters provide integrated IT solutions to their clients. An example of this is a service which we tend to refer to as Document Management Solutions (‘DMS’). It is more and more common for recruiters and clients to use new IT solutions that allow for the shared use of data. So that both the client and the recruiter have visibility of the candidate database, interview stages and relevant agreed metrics. The recruiter and the client can agree which functionalities are needed to have full visibility of the recruitment process. 

In this scenario both parties should adhere to Article 26 of the GDPR which states that they must have a transparent arrangement that sets out their agreed roles and responsibilities for complying with the GDPR. The main points of this arrangement should be made available to individuals and the joint controllers may choose to specify a central point of contact for individuals.[4]

Recruiter wrongly classified as a data processor- why does this erode compliance in the supply chain?

In the previous section we spoke about recruiters acting as joint controllers. Some recruitment companies, especially the bigger staffing businesses may take it a step further and offer their clients a fully managed service model. This usually means that they are responsible for managing the interview, contract and timesheets process (or elements of this) on their client’s behalf. It is clear that if the definition of processor is satisfied (under which the recruiter processes personal data on behalf of the client), the recruiter will have to adhere to the very strict requirements of Article 28 of the GDPR.

But as stated earlier in this article, a common and recurring misconception for many end users is that recruiters would automatically qualify as data processors.

It is not always clear if it is caused by the client’s procurement department taking a one-size-fits all approach to their supplier vetting process (imposing the strictest standards to all suppliers) or whether it genuinely relates to a misinterpretation of the law. There will often be an imbalance of powers between the parties especially if the client is a multinational corporation. Smaller recruitment firms  usually fail to convince the client that they will not be acting as a data processor and end up grudgingly signing a one-sided data processing agreement.

Understandably suppliers are usually willing to accept their client’s terms in order to win business. But from a data protection perspective, this neither benefits (1) the affected individuals (2) the recruiter or (3) their end client.

Whilst it may seem more favourable for the end user to treat the recruitment business as a data processor, the client could be facing various repercussions for taking this one-sided, ill-informed approach.

 The client may fail to comply with its obligations as an independent controller by not adhering to the relevant rules that apply to controllers. An example of this would be not having adequate records of its processing activities in place by virtue of article 13, 14 and 30 of the GDPR. In practice this could mean that (1) individuals are not provided with correct data processing notices and moreover this (2) may leave end customers ill-equipped if they need to respond to a subject access request made by the individual. This could also mean that the client may have ‘the wrong end of the stick’ in the event of an incident or data breach. If the end client’s legal or privacy department purely looks at the signed paperwork they may be under the impression that the recruitment business is the data processor and therefore needs to carry the full burden for managing the data breach. The danger there is that they may be completely ignoring their own statutory obligations as a data controller. With 72 hours on the clock neither party benefits from arguing over who needs to adequately manage and communicate the data breach to the relevant stakeholders.

The bigger corporations may believe that imposing strict contractual liabilities on the supplier relieves them from their contractual liability. But this clearly does not mean that they are geared up to deal with an incident responsibly. Regulatory action may be taken against them despite having pushed those liabilities and indemnities further down the supply chain.

Even more importantly, other than the risk of facing regulatory scrutiny,  the reputation of the supply chain may be threatened if the parties involved do not carry out an adequate risk assessment. 

So how can the supply chain avoid this from happening? The answer is surprisingly straightforward. 

Working together

More pragmatically, what steps should be taken by recruiters and clients prior to doing business?

  • Recruiters and clients need to work together in order to manage their respective obligations under privacy laws. Some questions we may ask ourselves include: What do their processing operations look like? Will they qualify as independent or joint controllers or will the recruiter be regarded as a processor?
  • The parties need to enter into an agreement that reflects the actual relationship between the two parties.
  • Other than just signing a set of terms and completing a data processing questionnaire, both parties should have meaningful conversations with each other on how they process personal data.
  • Both parties need to consider if a Data Privacy Impact Assessment is required to assess the risks associated with the data processing by virtue of Article 35 GDPR. The following questions need to be considered. What type of data is processed and why, whom will it be shared with and how is it managed? What (shared) IT platforms are used and what safety and security measures are in place? What are the possible risks involved?
  • Companies must identify who is responsible for data protection and IT security in their organisation. Privacy teams need to communicate with each other effectively and build relationships.
  • Both parties should team up and establish how to deal with subject access requests and data breaches, especially if there is a joint controller relationship,. The client and the recruiter furthermore need to make available a joint data processing notice to the candidates.
  • A common mistake is when the end customer solely relies on the data processing notice issued by the recruiter when communicating with the candidate. When both parties act as independent data controllers, both the recruiter and the client need to have their own data processing notices and policies in place.

But the most important advice would be to listen to each other as we all have one shared interest. We are looking for bright, talented candidates who want to build a relationship with us in the short, mid and long term!


[1] In this article the term ‘client’, ‘end user’ and ‘end customer’ are used interchangeably.

[2] Eduardo Ustaran, European Data Protection Law and Practice, IAPP 2018, p.76.

[3] Consent for disclosing details to the client is required by Regulation 19 of The Conduct of Employment Agencies and Employment Businesses Regulations 2003.

[4] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-does-it-mean-if-you-are-joint-controllers/