
Managing Curricula Vitae (CVs) in Compliance with Data Protection Rules


CVs inherently contain personal data, including sensitive personal data, so strict adherence to data protection requirements is required when collecting and processing them. The personal data must be processed in compliance with the principles of data protection: for example, it must be processed securely and accurately, and only in accordance with the purpose for which it was collected. This article provides practical tips to HR professionals on how to handle CVs within the recruitment and employee lifecycle.


When collecting personal data in the form of CVs during the recruitment process, UK data protection laws require organisations to be transparent regarding their processing of personal data from the outset and throughout the process. This is achieved by providing privacy information to potential applicants, i.e. an applicant privacy notice.

Organisations should inform the applicant of specific information as required under Articles 14 and 15 of the UK General Data Protection Regulation. This includes how and for what purpose their personal data will be processed, who their data will be shared with, how long it will be kept, and the rights they have over their personal data, e.g. the right of access. Notices should also include the legal basis for processing.

The legislation provides certain legal grounds for processing personal data in certain scenarios, such as contract, consent, vital interests and the public interest. The most relevant legal basis in this context is generally legitimate interest: the organisation’s legitimate interest in recruiting new employees. Relying on consent in this context would not be an appropriate legal basis due to the imbalance of power between the applicant and the employer; in other words, the consent would not be freely given, as the applicant is depending on the employer to process their personal data in the expectation of gaining employment. Where third party recruitment agencies are utilised, the privacy information of both the recruiter and the potential employer should be provided to applicants. Employers should be wary of simply relying on their recruitment agency’s privacy notice, as quite often it only covers the agency’s processing rather than that of any potential employer.

Some thought should also be given to the timing of providing the Applicant Privacy Notice. Under Article 13 of UK GDPR, privacy information should be provided to the applicant “at the time when the personal data are obtained”. This could, for example, take the form of a pop-up notice or a link on an online job application form. The pop-up should appear at the time of collection, but before the applicant submits their information. If the CV is collected indirectly, e.g. via a recruitment agency, the Applicant Privacy Notice should be provided (a) within a reasonable period after collecting the CV, but within one month at the latest; (b) at the first point of communication; or (c) if you need to share the CV with another recipient, e.g. a Group company, at the point when the data is disclosed.

Once the CVs have been collected, they should only be used for the purpose for which they were collected. They should be stored securely, with the appropriate technical and organisational security measures applied, and only shared with the relevant managers. This is important, as organisations can be fined up to 4% of annual global turnover or £17.5m, whichever is higher. For example, in 2019 the recruitment company Monster was found to have left CVs exposed online for years, causing considerable reputational damage as well as exposing the company to data protection fines.

When an organisation opts to filter CVs via an AI or machine learning tool, certain additional data protection requirements must be complied with. Firstly, organisations are required to conduct due diligence, including a Data Protection Impact Assessment, to ensure the tool is not biased against any particular group of data subjects and that appropriate security is in place. Secondly, any training data provided to the company developing the AI should be pseudonymised or anonymised where possible, and where this is not possible, checks must be in place to ensure that it is not biased. For example, in 2015 Amazon discovered its resume-filtering algorithm was biased against women when recruiting for tech-related positions, and subsequently abandoned the in-house tool at considerable expense. Additionally, organisations must notify applicants and allow them the opportunity to opt out.

The processing of CVs for the recruitment process should be documented in the Record of Processing Activities, including checking references and any background checks. Following the recruitment process, unsuccessful applicants’ CVs may be destroyed after a reasonable period of time, e.g. six months. Should you wish to keep them on file in case another relevant position comes up, you must have a valid legal basis to keep them, such as consent, and organisations should consider how practically to obtain this consent during the recruitment process. Successful applicants’ CVs may be kept for longer, as discussed further below.

Sharing CVs Internally

Once the recruitment process is complete, employees’ CVs should be held securely and centrally, and be accessible only by the HR Department. Subject to limited exceptions, it would not be appropriate for the HR Team to share CVs internally post-recruitment, as they could potentially contain sensitive data, such as information concerning disabilities. Sharing CVs internally would be to use them for a new purpose, which would arguably not be expected by the employee; it is therefore important that the employer establishes its lawful basis for such activity. Otherwise, it could be seen as a breach of integrity and confidentiality by the employer.

Maintaining CVs Online

Shortened CVs may be published online, both internally and on public-facing websites; for example, many organisations maintain profiles of senior management on their intranet. When publishing employee profiles, only the necessary information should be made available, such as qualifications, a summary of work experience and professional contact details. Any information which would be considered private should be removed, such as health data, personal contact details, marital status etc. Similarly, on public-facing websites, only the relevant, professional information should be included. It is arguable whether a work-issued mobile phone number should be included, as even this may be seen as overly intrusive.

The legal basis for this processing would be the ‘legitimate interest’ of the organisation. Using the legal basis of consent would not be appropriate due to the lack of independence of the employee in relation to the employer. Having said that, it is best practice to give the employee the opportunity to review the information to ensure it is accurate and to add any further information. Similarly, organisations ought to offer the employee the opportunity to consent to their photograph being published online, as this could potentially disclose special category data; consent would normally be obtained here because it is not strictly necessary for the performance of the employment contract for the public to know what employees look like. In compliance with the principle of accuracy, online profiles should be updated where necessary during the course of the employment relationship.

Incorporating CVs in the Tender Process

Utilising CVs in the context of a tendering process is standard business practice; however, it does involve using CVs for a new purpose other than that for which they were collected. Where possible, employees should be notified of the possibility of sharing data for a tendering process in the Employee Privacy Notice. Again, the process must be documented in the Record of Processing Activities. The legal bases would be employment contract and legitimate interest rather than consent, due to the imbalance of power between employee and employer. The personal data provided should only be that which is strictly necessary for the process, such as qualifications, training, and a summary of relevant work experience.

As a matter of courtesy and in line with best practice, the employee should be given the opportunity to review the information to be shared before it is submitted. Similarly, if photographs are to be included, the employee should be given an opportunity to review and consent to the photograph where possible.

Destruction and Deletion of CVs

The principle of storage limitation applies to CVs, meaning they should only be kept as long as necessary to fulfil the purposes for which they were collected. When determining the retention schedule for CVs, organisations must also consider applicable statutory limitations. For example, employees have various statutory periods within which to bring claims, such as unfair dismissal or discrimination, and it would be good practice to bear these statutory timeframes in mind when setting retention periods for CVs if this information could be relevant to such potential claims. In addition, organisations should also have a documented process for securely destroying personal data.

It is important to have in place documented policies and processes for handling CVs throughout the employment process, from recruitment to the end of the employment contract and beyond, to demonstrate compliance with data protection legislation.

Loretta Maxfield is a Data Protection specialist at Thorntons. For more information contact Loretta on 03330 430350.

About the author

Loretta Maxfield

Data Protection & GDPR, Intellectual Property

For more information, contact Loretta Maxfield on +44 1382 346814.