Europe’s General Data Protection Regulation has been in effect for nearly two weeks, and even after having months to prepare, the nuances of the law continue to confound many. When it comes to candidate CVs — central to the business of staffing and CW programs — how is the GDPR applied? Must staffing firms get explicit consent from a worker before submitting their CV to a client? And if they don’t, are they entitled to a fee for a successful introduction? The answer to this question is not as straightforward as you might expect.

The lawful bases. Under the GDPR, a person or company may only process someone’s personal data if they have a lawful basis for doing so. Consent is just one of the six lawful bases listed in the GDPR and it will not always be the most appropriate.

A staffing firm will have a legitimate business interest in sending CVs to a client as doing so is a necessary activity in order to fill a placement. Recruiters may also be able to rely on the fact that the processing is necessary to perform the contract with the job-seeker in order to find them employment. If the staffing firm can rely on either of these lawful bases, then strictly speaking, they do not need explicit consent.

However, to rely on either of these lawful bases, the processing must not only be necessary for the purposes of the business interest or the contract, but that purpose must not be overridden by the rights and freedom of the data subject to have their personal data protected.

In the case of a candidate seeking employment, there is a strong argument for saying that the rights of the candidate to choose which companies should receive their CV overrides the legitimate business interest of the staffing firm, or indeed the client.

If the staffing firm relies on the contract with the candidate to find them work as the legal basis for sending out their CV, then it would be logical to say that under the terms of that contract, either explicit or implied, the staffing firm would only be permitted to send the candidate’s CV to those clients the candidate has specifically agreed to.

If the candidate has explicitly said “send my CV to any employer you [staffing firm] think appropriate” then it is not necessary for the staffing firm to get additional consent before sending out the CV to a specific prospective employer. However, in the absence of a blanket consent from the candidate, preferably in writing, then it is likely a staffing firm will need to get the explicit consent of the candidate before sending their CV to a prospective employer.

In any event, if the staffing firm is disclosing sensitive or special categories of data, such as background checks on health, criminal record or credit rating, then they will need explicit consent.

The introduction fee. So, let’s get back to the initial question: If in most cases a staffing firm will need to get explicit consent from a candidate before sending their CV to a client, does that mean that without such consent, the staffing firm is not entitled to a fee from the client for that introduction?

On the face of it, GDPR doesn’t change the contractual relationship between the staffing firm and their client. If the agency made an introduction that led to an engagement, then under the “effective cause” rule established by case law, the agency is entitled to a fee.

English law does not generally imply a duty of good faith into a contract, so a lack of consent may not amount to a breach of contract with the client company. In a scenario where, despite the lack of consent the candidate ends up getting the job due to the staffing firm’s introduction, it seems unlikely that a court would refuse to uphold the contract on the grounds of bad faith.

In jurisdictions where a duty of good faith is written into civil contract law, such as France, the outcome might be different. But in the UK, a client that refuses to pay an introduction fee because the candidate hadn’t consented to their CV being sent should take care as the law may not be on their side.

For further information about the GDPR, SIA has published two reports, available to members: Implementing GDPR: A Guide and GDPR: Frequently Asked Questions.