Should I Include a GDPR Clause in My CV? A Guide
Written by Mike Potter, Author • Last updated on 24 June 2024

Should I Include a GDPR Clause in My CV? A Guide

In the digital age, we all regularly share personal information online. The GDPR (General Data Protection Regulation) is an EU law that regulates how companies and organisations process and store our personal data. Sending your CV to a company involves sharing personal data, and organisations have obligations about how they handle your document. In this article, we discuss the impact of GDPR on your CV, and whether you should consider adding a GDPR clause to your job applications.

What is a GDPR Clause?

GDPR stands for General Data Protection Regulation. The EU introduced this landmark human rights and privacy law in 2016 to regulate information privacy and data security. It holds companies accountable for the personal data they request, collect, process and store from individuals, creating greater transparency, security and accountability. The law means companies have to take more care than ever with any personal data you provide them. When the UK left the EU, the GDPR was retained in UK law under the UK GDPR, which sits alongside the Data Protection Act 2018.

CVs tend to include several pieces of personal data. ‘Personal data’ is any information relating to a personally identifiable individual. This means any information someone could use to identify you personally, counts as personal data. Personal data in your CV might include your full name, your address, your contact details, your date of birth or your personal photograph.

Including a GDPR clause in your CV can provide clarity to the hiring company on your level of consent regarding the storage, processing and sharing of your CV. This can be a simple, short sentence that sets out data security parameters for the organisation to follow.

Importance of a GDPR Clause in your CV

Although companies have a legal responsibility to handle your personal data securely and responsibly, a GDPR clause in your CV can put your mind at ease. It can help to avoid any doubts or confusion about the company’s compliance with data storage and handling regulations.

GDPR places certain demands and legal restrictions on how companies can store, use, and share your personal data. The law encourages transparency, integrity, and responsibility, so individuals can be sure of the security of any data they share. Under GDPR, ‘personal data’ is a broad concept that includes any data that a company or individual could use to identify a person. The law introduces responsibilities around the collecting, structuring, organising, using, storing, sharing, disclosing, erasing, and destruction of this data.

The GDPR states that collecting and processing personal data must have a clear purpose, must be legal, and must be respectful of individual rights. Data processing must be transparent, and individuals have a right to access their personal data and know how the company is using it. Failure to comply with the regulations, or failure to report any breaches to the relevant authorities within a strict 72-hour timeframe, can result in serious fines.

By including a GDPR clause in your CV, you can provide clear permission and consent to the hiring company on how they handle your personal data. This could include guidance on storing your data, retaining your CV on file, or sharing it with recruiters and other companies.

Although companies have a legal responsibility to handle your personal data in a secure and responsible manner, a GDPR clause in your CV can help to put your mind at ease.

Key Aspects of GDPR Clause in CV

The same data protection principles apply to your CV as to any other piece of personal data you provide to a company. Companies have a legal obligation to handle your CV responsibly. This includes storing it securely, whether in digital or printed form. It also includes adhering to regulations on the length of time they’re allowed to keep it on file and the process of sharing your CV, both internally and externally.

According to the GDPR, companies are only allowed to process your personal data for a stated purpose. In the case of your CV, this means they’re allowed to process it as part of their recruitment activity. Employers should provide applicants with a privacy notice, explaining how they handle CVs.

There are six legal bases for processing personal data, such as that provided on your CV. Companies must adhere to at least one of these clauses, and it should be identified on their privacy notice.  

The most common valid reason for a company holding your CV is that they have your explicit consent to do so. This clause states that you have to provide consent for the hiring company to process your personal data. In recruitment, it’s generally accepted that if you send a company your CV by choice, as part of a job application or even as a speculative inquiry, this constitutes consent. Employers still need to provide a privacy notice that outlines the basis upon which they’re storing your personal data, giving you the chance to opt out of consent if you wish.

The other main reason for processing your CV is a concept called ‘legitimate interest’. This clause states that the employer is processing your personal data for reasons that any person would reasonably accept, and because there is a valid reason to do so.

One type of data that employers are prohibited from processing is sensitive, or special category, data. This is data related to protected characteristics and data that, in the context of your CV, could lead to discrimination in the recruitment process. Special category data includes information on your gender, age, ethnicity, religion, political beliefs, or health and disabilities. A personal photo on your CV can also count as special category data.

Expert tip:

GDPR requires companies to make their recruitment privacy policies available to candidates. This shows how the company intends to use, store, retain and delete your data. Sending your CV to an employer usually implies consent to the terms of the privacy notice. If you can’t find a privacy notice, you could include a GDPR clause on your CV confirming your consent regarding the company’s processing of your personal data.

Example GDPR Clause

If you’re adding a GDPR clause to your CV, make sure it’s short, concise and to-the-point. Be as clear as possible about the consent you’re granting, to avoid any confusion. Here are two GDPR clause examples you can use as a guide for writing your own:

GDPR clause example 1:

I authorise the processing of personal data contained within my CV, according to GDPR (EU) 2016/679, Article 6.1(a).

GDPR clause example 2:

I hereby consent to the processing of this CV and the personal data contained within, by anyone who receives this document for the sole purpose of considering my application for employment opportunities, in accordance with Article 6.1(a) of GDPR (EU) 2016/679.

GDPR Clause in CV: Practical Implications

GDPR has numerous practical implications, both for hiring companies and applicants. It requires companies to have a privacy notice for their hiring process, and to make this available to applicants at the point of application. If they use a third-party recruiter or portal, companies should make their privacy notice available as soon as possible upon receipt of the CV.

There are also regulations relating to the storing and deletion of personal data in CVs. Companies may only keep CVs for as long as they need to use them. For most companies, this would be for as long as the recruitment process is ongoing. For companies to keep a CV longer than this, they must have ‘legitimate interest’, or a reason to do so.

For applicants, GDPR should mean you can have more confidence that your personal data will be processed and stored responsibly. There should be transparency about how your data will be used. GDPR also gives control to the individual over their personal data. The nature of GDPR should ensure that you don’t need to add a GDPR clause to your CV. However, if you’re unsure how the hiring company is going to use your data, or you haven’t seen a published privacy notice, you could add one outlining your consent for peace of mind.

Future Implications and Challenges

After leaving the EU, the UK government adopted GDPR under a new UK GDPR regulation. This leaves the possibility of changing the law open for the future. In 2023, the government published the Data Protection and Digital Information Bill, which could modify existing data security laws, leading to implications in various sectors.

At present, GDPR applies rigorous regulations to the recruitment process, making companies carefully consider how they process personal data on CVs. GDPR means companies should be transparent about how they intend to use your CV. Organisations must follow stricter regulations about sharing your CV both internally and externally, and they must store and delete your data securely. All these things should reassure candidates about the use of their CV by recruiters and employers.

Conclusion: Should you include GDPR Clause in your CV?

GDPR provides some much-needed clarity and transparency to the way companies handle our personal data. Employers should act responsibly in the processing and storage of your CV. If you can’t see a privacy notice in the job advert, you may want to include a GDPR clause at the end of your CV to clarify your consent.

CV templates from CVwizard can help you design a professional CV with a GDPR clause. Sign up today and follow the simple steps to get started. With CVwizard’s app, you can also find job opportunities in your local area and manage the application process from start to finish.

Share via:
Mike Potter
Mike Potter
Mike Potter is an experienced copywriter specialising in careers and professional development. He uses extensive knowledge of workplace culture to create insightful and actionable articles on CV writing and career pathways.

Make an impression with your CV

Create and download a professional CV quickly and easily.

Create CV