Guide

GDPR and Candidate CVs: What Recruiters Must Handle

A practical UK GDPR guide for recruitment agencies handling candidate CVs: lawful basis, privacy notices, retention, security, and candidate rights.

A candidate's CV is personal data under UK GDPR, so data protection law applies the moment a CV lands in your inbox. To handle it properly you need a lawful basis to process it, a clear privacy notice that tells the candidate what you are doing, a retention period you can justify, appropriate security, and a way to honour candidate rights such as access and erasure. You should also collect only the data you actually need and keep it accurate. Getting these basics right addresses much of what UK GDPR asks of a recruiter.

This guide explains what UK GDPR requires when you handle candidate CVs and turns it into a simple workflow you can follow from receipt to deletion. It is written for UK recruitment agencies and draws on Information Commissioner's Office (ICO) guidance.

This is general guidance, not legal advice. Data protection depends on your specific facts, and the rules can change. Check the current ICO guidance and take professional legal advice before you rely on anything here, and confirm your own obligations. If you operate outside the UK, check your local data protection law instead.

Not legal advice
This article is general guidance for UK recruitment agencies, based on ICO guidance. It is not legal advice. Data protection depends on your specific facts and the rules can change, so check the current ICO guidance and take professional advice for your agency. Outside the UK, follow your local data protection law.

Key takeaways

  • A candidate's CV is personal data under UK GDPR, so data protection law applies the moment you receive it.
  • You need a lawful basis (often legitimate interests or consent), a clear privacy notice, and a retention period you can justify.
  • Collect only the data you need, keep it accurate, store it securely, and honour rights like access and erasure.
  • Common failures include keeping CVs indefinitely, no privacy notice, over-collecting, relying only on consent, and ignoring deletion requests.
  • This is general guidance, not legal advice. Check the current ICO guidance and take professional advice for your agency.

Figure: the candidate CV data lifecycle under UK GDPR, in five stages. 1 Lawful basis, 2 Inform, 3 Minimise + secure, 4 Honour rights, 5 Delete: set a lawful basis, inform the candidate, minimise and secure the data, honour their rights, then delete on schedule.

Why it matters

CVs are among the most detailed personal data an agency handles. A single CV can hold a name, contact details, employment history, education, and sometimes more. The ICO's recruitment and selection guidance is designed to help recruiters understand their data protection obligations under UK GDPR and the Data Protection Act 2018 when handling candidate information, covering activities such as identifying, selecting, verifying, and vetting candidates. So handling CVs well is part of the job, not an optional extra.

Getting it right protects candidates and supports your agency. Candidates trust you with their information, and clients expect you to handle it responsibly. Clear processes around lawful basis, privacy notices, retention, and security help you meet the seven data protection principles and demonstrate accountability. They also make subject access and erasure requests easier to deal with when they arrive.

What UK GDPR requires when you handle candidate CVs

A CV is personal data

The ICO defines personal data as any information relating to an identified or identifiable person. A CV contains a name and other identifying details, so it counts as personal data and data protection law applies whenever you process it.

Follow the seven principles

UK GDPR Article 5 sets out seven principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; security (integrity and confidentiality); and accountability. The ICO summarises the first as using personal data in a way that complies with the law and that people expect and have been told about.

Have a lawful basis

You must identify a lawful basis before you process a CV. The ICO advises that organisations often have a choice between legitimate interests and consent. Legitimate interests is the most flexible, but it requires you to pass the ICO's three-part test (a purpose test, a necessity test, and a balancing test that weighs your interests against the candidate's) and to record the outcome. If you rely on consent, the candidate must be given full control, including the ability to withdraw it at any time; consent is a poor fit if you would process the CV anyway.

Be transparent with a privacy notice

Candidates have the right to be informed. Give them privacy information that is concise, transparent, intelligible, and easily accessible, in clear and plain language. The ICO says this should cover your purposes for processing, your retention periods, and who you will share the data with.

Tell candidates in time

When you collect a CV directly from the candidate, provide the privacy information at the time of collection. When you obtain it from another source such as a job board, provide it within a reasonable period and no later than one month, and in any case before you first contact the candidate or first pass their details to a client if that happens sooner.

Minimise and keep data accurate

Under data minimisation, collect and use only the data you need for the role. Under the accuracy principle, keep candidate details correct and up to date, and correct or remove information that is wrong.

Do not keep CVs longer than necessary

Under storage limitation you must not keep candidate data longer than necessary. The ICO says UK GDPR does not set specific time limits, so you must justify your own retention periods based on your purposes. A retention policy listing what you hold, why, and for how long helps demonstrate compliance.

Keep CVs secure and honour rights

The security principle requires appropriate technical and organisational measures using a risk-based approach. Candidates also have rights, including a right of access to a copy of their data and a right to erasure, with organisations generally having one month to respond. The right to erasure does not apply where you are legally required to keep the data.

A compliance workflow, step by step

Step 1: Decide your lawful basis before you process

When a CV arrives, be clear why you are processing it and on what lawful basis. The ICO advises that organisations often have a choice between legitimate interests and consent. If you use legitimate interests, run the three-part test (purpose, necessity, balancing) and keep a record of the outcome. If you use consent, make sure the candidate can withdraw it, and plan for what you will do with the CV when they do.

Step 2: Give the candidate privacy information

Tell the candidate what you are doing with their CV. If they sent it directly, provide your privacy notice at the time of collection. If you sourced it from a job board or third party, provide the privacy information within a reasonable period and no later than one month, and before you first contact them or send their CV to a client if that comes first. Cover your purposes, retention, and who you share data with.

Step 3: Collect and keep only what you need

Apply data minimisation. Check the CV holds only data relevant to the role, and keep details accurate. When you submit a candidate to a client, send only the information the client needs to make a decision rather than everything you hold.

Step 4: Store the CV securely

Apply appropriate technical and organisational measures to protect the CV. Take a risk-based approach covering cybersecurity, physical security, and organisational controls. Limit access to candidate files to the staff who need them for a placement, keep a record of who accessed or shared a CV and when, and avoid sending CVs over channels you do not control or cannot protect.

Step 5: Handle access and erasure requests

Be ready to respond if a candidate asks for a copy of their data or asks you to delete it. You generally have one month to respond; for complex or numerous requests this can be extended by up to two further months, provided you tell the candidate within the first month. The right to erasure does not apply where you are legally required to keep the data, so check whether an exemption applies before refusing, and record the reason if you do.

Step 6: Review and delete on schedule

Apply your retention policy. Keep CVs only as long as you can justify, then delete or anonymise them. If you do not have a policy, the ICO says you should review the data regularly and delete or anonymise anything you no longer need.
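As an added illustration of the six steps above (example code written for this guide, not an ICO tool and not RefineCV's software), here is a small Python model of a candidate record that tracks the deadlines and checks the workflow describes: the privacy-notice deadline by source, no disclosure to a client before the notice is given, erasure requests with the legal-obligation exemption, consent withdrawal, and a scheduled retention sweep. The 365-day retention period, the record fields, and the sample candidates are assumptions; the one-month figures follow the guidance above.

```python
"""Candidate CV lifecycle tracker (added example, hypothetical policy values)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Policy values. RETENTION_DAYS is an assumption: UK GDPR sets no fixed period,
# so your own retention policy must justify whatever figure you choose.
RETENTION_DAYS = 365
NOTICE_DEADLINE_DAYS = 30    # third-party sourced CV: notice no later than one month
RESPONSE_DEADLINE_DAYS = 30  # one month to respond to an access or erasure request

LAWFUL_BASES = {"legitimate_interests", "consent"}
SOURCES = {"direct", "third_party"}


@dataclass
class CandidateRecord:
    candidate_id: str
    received: date
    source: str               # "direct" from the candidate, or "third_party" (job board etc.)
    lawful_basis: str         # recorded before any processing (Step 1)
    notice_given: Optional[date] = None
    legal_hold: bool = False  # True when a legal obligation requires you to keep the data
    erasure_requested: Optional[date] = None
    deleted_on: Optional[date] = None
    audit: list = field(default_factory=list)  # (date, event) pairs for accountability

    def __post_init__(self) -> None:
        if self.lawful_basis not in LAWFUL_BASES:
            raise ValueError(f"unknown lawful basis: {self.lawful_basis}")
        if self.source not in SOURCES:
            raise ValueError(f"unknown source: {self.source}")
        self.audit.append((self.received, f"received via {self.source}; basis {self.lawful_basis}"))

    # Step 2: when the privacy notice is due.
    def notice_deadline(self) -> date:
        if self.source == "direct":
            return self.received  # at the time of collection
        return self.received + timedelta(days=NOTICE_DEADLINE_DAYS)

    def notice_overdue(self, today: date) -> bool:
        return self.notice_given is None and today > self.notice_deadline()

    def give_notice(self, when: date) -> None:
        self.notice_given = when
        self.audit.append((when, "privacy notice provided"))

    # Step 3: a CV must not go to a client before the candidate has been informed.
    def disclose_to_client(self, when: date, client: str) -> None:
        if self.deleted_on is not None:
            raise RuntimeError("record already deleted")
        if self.notice_given is None:
            raise RuntimeError("privacy notice must be given before first disclosure")
        self.audit.append((when, f"disclosed to {client}"))

    # Step 5: erasure request; a legal obligation to retain is the exemption the guide names.
    def request_erasure(self, when: date) -> str:
        self.erasure_requested = when
        if self.legal_hold:
            self.audit.append((when, "erasure refused: legal obligation to retain"))
            return "refused_legal_obligation"
        self.delete(when, "erasure request")
        return "erased"

    def response_due(self) -> Optional[date]:
        if self.erasure_requested is None:
            return None
        return self.erasure_requested + timedelta(days=RESPONSE_DEADLINE_DAYS)

    def withdraw_consent(self, when: date) -> str:
        # Once consent is withdrawn, processing on that basis must stop.
        if self.lawful_basis != "consent":
            return "not_consent_based"
        if self.legal_hold:
            return "retained_legal_obligation"
        self.delete(when, "consent withdrawn")
        return "erased"

    # Step 6: scheduled deletion.
    def retention_expiry(self) -> date:
        return self.received + timedelta(days=RETENTION_DAYS)

    def delete(self, when: date, reason: str) -> None:
        self.deleted_on = when
        self.audit.append((when, f"deleted: {reason}"))


def retention_sweep(records: list, today: date) -> list:
    """Delete live records past retention expiry unless on legal hold; return deleted ids."""
    deleted = []
    for rec in records:
        if rec.deleted_on is None and not rec.legal_hold and today >= rec.retention_expiry():
            rec.delete(today, "retention period expired")
            deleted.append(rec.candidate_id)
    return deleted


def demo() -> dict:
    """Constructed sample records (not real candidates) walked through the workflow."""
    a = CandidateRecord("cand-a", date(2024, 1, 10), "direct", "legitimate_interests")
    a.give_notice(date(2024, 1, 10))
    b = CandidateRecord("cand-b", date(2024, 1, 10), "third_party", "legitimate_interests")
    c = CandidateRecord("cand-c", date(2024, 1, 10), "direct", "consent", legal_hold=True)
    c.give_notice(date(2024, 1, 10))
    d = CandidateRecord("cand-d", date(2024, 1, 10), "direct", "consent")
    d.give_notice(date(2024, 1, 10))
    try:
        b.disclose_to_client(date(2024, 1, 12), "Client X")  # no notice yet: must fail
        early_disclosure = "allowed"
    except RuntimeError:
        early_disclosure = "blocked"
    a.disclose_to_client(date(2024, 1, 12), "Client X")
    return {
        "b_overdue_on_feb_1": b.notice_overdue(date(2024, 2, 1)),
        "b_overdue_on_feb_15": b.notice_overdue(date(2024, 2, 15)),
        "early_disclosure": early_disclosure,
        "c_erasure": c.request_erasure(date(2024, 3, 1)),
        "c_response_due": c.response_due(),
        "d_withdraw": d.withdraw_consent(date(2024, 2, 1)),
        "sweep": retention_sweep([a, b, c, d], date(2025, 2, 1)),
    }
```

The sweep deletes only records that are live, past expiry, and not on legal hold; the audit list on each record is what you would show an auditor or the ICO to demonstrate accountability. In a real ATS the same checks would sit in front of the database rather than in a dataclass, and "delete" would mean deletion or anonymisation across every copy, including backups and client exports.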

Do this every time

  • Identify and record a lawful basis before you process a candidate's CV.
  • Give every candidate clear privacy information at the right time, covering your purposes, retention, and sharing.
  • Send clients only the candidate data they need, not your full file.
  • Write a retention policy that lists what you hold, why, and for how long.
  • Store CVs securely with access limited to people who need them.
  • Respond to access and erasure requests, generally within one month.
  • Keep candidate details accurate and correct or remove anything wrong.
  • Check the current ICO guidance and take legal advice for your own situation.

Common mistakes to avoid

Keeping CVs indefinitely

Holding candidate CVs longer than you can justify works against the storage limitation principle. UK GDPR sets no fixed limit, so you must justify your own retention periods. Set a policy and delete or anonymise data you no longer need.

No privacy notice

Failing to tell candidates what you do with their data works against the right to be informed. Give clear, plain privacy information at collection, or within a month if you sourced the CV elsewhere.

Over-collecting data

Gathering or forwarding more than the role requires works against data minimisation. Collect and share only the candidate data you actually need for that position.

Relying only on consent

Treating consent as the only option can be limiting, because consent can be withdrawn at any time and gives the candidate full control, and it is not valid consent if you would process the CV regardless. The ICO notes organisations often have a choice between legitimate interests and consent. Pick the basis that genuinely fits and document it.

Sharing CVs insecurely

Sending CVs over unprotected channels or leaving files open to everyone works against the security principle. Use appropriate technical and organisational measures and limit access.

Ignoring erasure requests

Brushing off deletion requests works against the right to erasure. You generally have a month to respond, and the right does not apply where you are legally required to keep the data.

Frequently asked questions

Is a CV personal data under GDPR?

Yes. The ICO defines personal data as any information relating to an identified or identifiable person, who can be identified directly or indirectly by identifiers such as a name. A CV contains a candidate's name and other identifying details, so it is personal data and UK GDPR applies whenever you process it. That means the data protection principles cover how you collect, store, share, and delete it.

What is the lawful basis for processing a candidate's CV?

You must identify a lawful basis before you process. The ICO advises that organisations often have a choice between legitimate interests and consent. Legitimate interests is the most flexible but requires the three-part test: a purpose test, a necessity test, and a balancing test that weighs your interests against the candidate's rights and freedoms. If you use consent instead, the candidate must have full control, including the ability to withdraw it. Record the basis you rely on and, for legitimate interests, the outcome of the test.

How long can a recruiter keep a candidate's CV?

The ICO says UK GDPR does not set specific time limits. Under the storage limitation principle you must not keep candidate data longer than necessary, and you must justify your own retention periods based on your purposes. A retention policy that lists what you hold, why, and for how long helps demonstrate compliance. If you have no policy, the ICO advises reviewing the data regularly and deleting or anonymising anything you no longer need.

Do I need a candidate's consent to send their CV to a client?

Not necessarily. Consent is one lawful basis, but the ICO advises that organisations often have a choice between legitimate interests and consent for processing. You need a valid lawful basis and you must be transparent through your privacy notice about who you share data with. Whatever basis you use, apply data minimisation and send the client only the candidate information they need. This is general guidance, so check the ICO and take advice for your situation.

Can a candidate ask me to delete their CV?

Yes. Under the right to erasure a candidate can ask you to delete their data, verbally or in writing, and organisations generally have one month to respond. The right does not apply where you are legally required to keep the data. Candidates also have a right of access, meaning they can ask for a copy of the data you hold about them, along with supplementary information.

What about sensitive details on a CV?

Some CVs include sensitive personal details. UK GDPR gives extra protection to special category data (for example health, ethnicity, religious belief, sexual orientation, or trade union membership), which needs a separate condition under Article 9 on top of your lawful basis; criminal offence data is similarly restricted. Apply the same principles of minimisation, security, and transparency, and avoid keeping sensitive information you do not need, which on a CV is usually most of it. Because this area is more involved, check the current ICO guidance and take legal advice before relying on it.

The bottom line

Handling candidate CVs well comes down to a few clear duties. Treat every CV as personal data. Identify a lawful basis. Tell candidates what you are doing through a clear privacy notice. Collect only what you need, keep it accurate, store it securely, and do not keep it longer than you can justify. Be ready to honour rights such as access and erasure. Doing these consistently addresses much of what UK GDPR asks of a recruiter.

This is general guidance, not legal advice. Your obligations depend on your specific facts, and the rules can change. Check the current ICO guidance and take professional legal advice before you act, and confirm your own obligations. If you work outside the UK, follow your local data protection law instead.

A formatting tool will not make your agency compliant, but it can help with the data minimisation step. RefineCV lets you reformat a candidate CV, remove details you do not need to send, and replace the candidate's direct contact with your agency's before you export a clean PDF or DOCX for the client. See transparent pricing or compare it with other CV formatting tools. Try it free on 10 CVs, no card.


Related reading: what to remove from a CV before sending to a client and how to anonymise a CV for blind recruitment.

Sources

  • ICO, What is personal data? (2025): A candidate's CV is personal data under UK GDPR because the ICO defines personal data as any information relating to an identified or identifiable person, who can be identified by identifiers such as a name.
  • ICO, A guide to the data protection principles (2025): UK GDPR Article 5 sets out seven data protection principles, and the ICO summarises lawfulness, fairness and transparency as using data in a way that complies with the law and that people expect and have been told about.
  • ICO, Employment practices and data protection: recruitment and selection (2025): The ICO's recruitment and selection guidance helps recruiters understand their data protection obligations under UK GDPR and the Data Protection Act 2018 when handling candidate information.
  • ICO, A guide to lawful basis (2025): The ICO advises that organisations often have a choice between legitimate interests (which requires a three-part test: purpose, necessity, and balancing) and consent (which the individual can withdraw).
  • ICO, What privacy information should we provide? (The right to be informed) (2025): Privacy information must be concise, transparent, intelligible, easily accessible and in clear plain language, covering purposes, retention and sharing, provided at collection or within one month if obtained from another source.
  • ICO, Principle (e): Storage limitation (2025): Under storage limitation, UK GDPR does not set specific time limits, so recruiters must justify their own retention periods, and a retention policy helps demonstrate compliance.
  • ICO, Right to erasure and right of access (2025): Candidates have a right of access to a copy of their data and a right to erasure, with organisations generally having one month to respond, and erasure not applying where the organisation is legally required to keep the data.
  • ICO, A guide to data security (2025): The security principle requires appropriate technical and organisational measures using a risk-based approach covering cybersecurity, physical and organisational measures.

The RefineCV Team

Written by the team building RefineCV, CV formatting software for recruitment agencies.

Format your next CV in 10 seconds

Try RefineCV with 10 free CVs. No credit card. Then $0.40 per CV, or $50/month for 200 on Pro.
