Applicant Privacy Notices: Why Every Company Needs One

Most organizations understand the importance of having a website Privacy Policy. Far fewer realize that one of the first personal data processing activities they undertake is recruitment.

Every time a company receives a CV, conducts an interview, collects references, performs background checks, or stores candidate information in an Applicant Tracking System (ATS), it is processing personal data.

Yet many organizations have no Applicant Privacy Notice and provide candidates with little or no information about how their personal data is collected, used, shared, stored, or retained.

From a data protection perspective, this creates unnecessary legal, compliance, and reputational risks.

What Is an Applicant Privacy Notice?

An Applicant Privacy Notice is a document that explains how an organization processes personal data during the recruitment process.

It informs candidates about:

  • What personal data is collected;
  • Why the information is collected;
  • How the information will be used;
  • Who receives the data;
  • How long the data will be retained;
  • Whether data will be transferred internationally;
  • What rights candidates have regarding their information.

In simple terms, it is the recruitment equivalent of a Privacy Policy.

Why Is an Applicant Privacy Notice Important?

One of the fundamental principles found across modern privacy laws is transparency.

Under the UAE Personal Data Protection Law (PDPL), organizations must provide individuals with information regarding the processing of their personal data.

Similar transparency obligations exist under:

  • DIFC Data Protection Law No. 5 of 2020;
  • ADGM Data Protection Regulations 2021;
  • GDPR.

A candidate should not have to guess:

  • Why their CV is being collected;
  • Whether references will be contacted;
  • How long interview notes will be retained;
  • Whether information will be shared with recruiters, HR providers, or group companies.

An Applicant Privacy Notice provides this transparency and helps organizations demonstrate accountability.

What Personal Data Do Employers Collect During Recruitment?

Many employers underestimate how much personal data is processed before employment even begins.

Typical recruitment data includes:

Candidate Information

  • Name;
  • Contact details;
  • Nationality;
  • Employment history;
  • Educational background;
  • Professional qualifications.

Recruitment Records

  • CVs and resumes;
  • Cover letters;
  • Interview notes;
  • Assessment results;
  • Psychometric testing results.

Background Verification Data

Depending on the role, organizations may collect:

  • References;
  • Qualification verification records;
  • Right-to-work documentation;
  • Background screening results.

Technical Data

Online recruitment platforms may also collect:

  • IP addresses;
  • Login information;
  • Website analytics data;
  • Application tracking information.

All of this information constitutes personal data and should be handled appropriately.

Legal Risk: Recruitment Data Is Often Forgotten

In our experience, recruitment data is one of the most overlooked categories of personal data.

During privacy reviews, organizations frequently discover that:

  • CVs are stored indefinitely;
  • Interview notes are kept without retention rules;
  • Shared HR folders contain historical candidate files;
  • Recruitment agencies continue to retain candidate information long after hiring decisions have been made;
  • Candidate information is shared internally without clear controls.

In many cases, no one within the organization has considered what happens to applicant data after the recruitment process ends.

Real-World Case: Candidate Files Stored for Years

During a privacy assessment for a medium-sized UAE business, we found that the HR department maintained a shared folder containing more than five years of historical recruitment records.

The folder included:

  • CVs of unsuccessful candidates;
  • Interview evaluation forms;
  • Salary expectations;
  • Reference checks;
  • Copies of identification documents submitted during recruitment.

The organization had no:

  • Applicant Privacy Notice;
  • Candidate retention policy;
  • Defined retention period;
  • Process for deleting unsuccessful applicant records.

When asked why the information was retained, the HR team explained:

"We might need it someday."

From a privacy perspective, this was difficult to justify.

Following the review, the company implemented:

  • An Applicant Privacy Notice;
  • A recruitment retention schedule;
  • A 12-month retention period for unsuccessful candidates;
  • Automated deletion procedures;
  • HR privacy training.

The result was a significant reduction in privacy risk while maintaining operational efficiency.

Situations like this are extremely common and often remain undiscovered until an audit or regulatory inquiry occurs.

What Should an Applicant Privacy Notice Include?

A well-drafted Applicant Privacy Notice should clearly explain recruitment-related processing activities.

Identity of the Employer

The notice should identify the organization responsible for processing candidate data.

Categories of Personal Data

Candidates should understand what information is collected.

Recruitment Purposes

Typical purposes include:

  • Candidate assessment;
  • Interview management;
  • Background screening;
  • Reference verification;
  • Compliance with legal obligations;
  • Talent pool management.

Data Sharing

The notice should explain whether information may be shared with:

  • Recruitment agencies;
  • Group companies;
  • Background screening providers;
  • HR software vendors;
  • Government authorities where required.

International Data Transfers

If candidate information is transferred outside the UAE, organizations should explain:

  • Where the data is transferred;
  • Why the transfer occurs;
  • What safeguards are implemented.

Retention Periods

Candidates should know how long their information will be retained.

Data Subject Rights

The notice should explain available rights, including:

  • Access;
  • Correction;
  • Deletion;
  • Restriction of processing;
  • Objection to processing where applicable.

How Long Can Candidate Data Be Retained?

One of the most common questions relates to unsuccessful candidates.

There is no universal retention period under UAE law.

However, organizations should avoid retaining candidate information indefinitely.

In practice, many employers adopt retention periods ranging from 6 to 12 months after the recruitment decision.

Longer retention may require additional justification and transparency.

The appropriate period should be documented within a Retention Schedule.

Is Candidate Consent Required?

Not necessarily.

Many organizations assume they need candidate consent for all recruitment activities.

In reality, recruitment processing is often justified through:

  • Steps taken prior to entering into employment;
  • Compliance with legal obligations;
  • Legitimate business interests;
  • Recruitment administration.

The more important issue is ensuring transparency and lawful processing rather than relying solely on consent.

Common Recruitment Privacy Mistakes

Organizations frequently expose themselves to unnecessary risks by:

  • Having no Applicant Privacy Notice;
  • Retaining CVs indefinitely;
  • Keeping interview notes without justification;
  • Failing to review recruitment vendors;
  • Sharing candidate information internally without restrictions;
  • Using recruitment data for unrelated purposes;
  • Failing to define retention periods.

These issues are often identified during privacy audits and due diligence reviews.

Applicant Privacy Notice Compliance Checklist

Organizations should ensure they have:

✓ Applicant Privacy Notice

✓ Recruitment Data Mapping

✓ Candidate Retention Schedule

✓ Vendor Review for Recruitment Providers

✓ Access Controls for Recruitment Files

✓ Procedures for Candidate Rights Requests

✓ Secure Storage for Applicant Information

✓ International Transfer Assessment (where applicable)

✓ HR Privacy Training

Why Applicant Privacy Notices Matter Beyond Compliance

An Applicant Privacy Notice is not simply a legal document.

It also demonstrates professionalism and transparency.

Candidates increasingly expect organizations to explain:

  • How their information is handled;
  • Whether it is secure;
  • How long it will be retained;
  • What happens after recruitment ends.

Organizations that provide clear privacy information often strengthen trust and enhance their employer brand.

Conclusion

Every recruitment process involves the collection and use of personal data. Without an Applicant Privacy Notice, organizations may struggle to meet transparency obligations and demonstrate compliance with modern privacy laws.

By implementing a clear Applicant Privacy Notice, appropriate retention periods, and effective recruitment data governance, organizations can reduce privacy risks, improve compliance, and build greater trust with candidates from the very beginning of the employment relationship.

Frequently Asked Questions

Is an Applicant Privacy Notice required under UAE PDPL?

While PDPL does not specifically use the term "Applicant Privacy Notice," organizations must provide candidates with information about how their personal data is processed. In practice, an Applicant Privacy Notice is the most effective way to meet this transparency requirement.

Can a company keep my CV forever?

Generally, no. Organizations should retain applicant data only for as long as necessary for recruitment purposes and should define retention periods in a formal Retention Schedule.

What happens to my personal data if I am not hired?

Your information may be retained for a limited period to manage future opportunities, defend potential claims, or meet legal obligations. The retention period should be clearly explained in the Applicant Privacy Notice.

Should recruitment agencies provide privacy information?

Yes. Recruitment agencies processing candidate data should also provide transparency information and comply with applicable privacy obligations.

Can applicant data be transferred outside the UAE?

Yes, but organizations should ensure that international transfers comply with applicable legal requirements and appropriate safeguards are implemented.