Can an employer hold an unsuccessful candidate's CV on file in case a further job vacancy arises?

From 25 May 2018, the retention of personal data gathered in the recruitment process is governed by the General Data Protection Regulation (2016/679 EU) (GDPR). An employer can keep the details of unsuccessful candidates on file, provided that it complies with its duties under the GDPR.

The employer must provide candidates with a privacy notice, setting out how it will use their personal data and for how long it will be kept. If the employer intends to hold unsuccessful candidates' CVs for the purpose of future vacancies, it must inform candidates of this in the privacy notice. It must specify its legal basis for holding the data; this could be that it has a legitimate interest in doing so, in which case it must inform the candidates that they have the right to object to the processing. Alternatively, the employer could ask candidates for their consent to hold their data. Consent could be a valid legal basis in these circumstances, as a refusal of consent would not lead to any adverse consequences.

It falls to the employer to set retention periods in respect of recruitment records according to its business needs. One of the data protection principles is that personal data should not be kept longer than is necessary for the particular purpose for which it is being retained. If the stated purpose of retaining the data is to enable the employer to consider the candidate in the event that a further job vacancy arises, the employer should have a process in place to ensure that this happens and that the candidate's details are not kept for longer than appropriate for this purpose.