Outbound Recruiting & GDPR

The world has started to take online privacy seriously, with GDPR leading the way. Here's what we know about GDPR and Outbound Recruiting. 
A guide to GDPR for outbound recruiting
We've gathered extensive legal advice regarding GDPR and recruiting in the past few years. But Intro is not a law firm, and this is not legal advice. We're just sharing our insights to help you better understand how GDPR relates to outbound recruiting.


There are three key concepts within GDPR.

Data subject

Data subjects are candidates that can be identified through their personal data. 'Personal data' has a broad definition and includes name, address, titles as well as cultural and genetic information.

Data controller

The data controller is the entity which determines the purposes and means of the data processing. Typically, the employer is the one who decides why and how they process candidates' personal information. You remain the controller even if you use an external service like Intro or a recruiting agency.

Data processor

A processor is an entity that processes data upon instruction of the data controller. A controller can have several processors. If you use Intro to find and reach out to candidates, Intro is your processor.

Does GDPR apply to us?

GDPR applies to all organizations (even outside the EU) that process personal data of citizens of the European Union.

What can happen if we don't comply with GDPR?

The supervisory authority can issue warnings, reprimands, and corrective orders, as well as fines of up to €20 million (or up to 4% of your annual global turnover).

Is it legal for my organization to source candidates?
When you source passive candidates, you process personal data. In order to do this legally, you need to follow the requirements set out in the GDPR.

Legal basis

If your organization is hiring and the data you process is for specified, explicit, and legitimate purposes, you comply with GDPR. Since recruiting is considered a legitimate interest, you don't need explicit consent – as long as you follow the requirements below. Note that this only applies to professional, non-sensitive information. If you want to process genetic, religious or other sensitive information, you need explicit consent.
GDPR regulations state that you must email candidates 'within a reasonable period after obtaining the personal data, but at the latest within one month' to notify them that you're processing their information and the details of the processing.


When you notify the candidate that you're processing their data, you need to include the information required by Article 14 of the GDPR, such as the purposes of the processing, what information you're processing, the sources, and how and for how long you store the data, and you need to inform the data subject about their rights under the GDPR.


Candidates must have the right to access and correct the data you're processing, and to ask for it to be deleted.

Sounds complicated?

Good news. Intro helps you be compliant. Scroll down to learn more.



Are we compliant if we use Intro?

Yes, our product is designed to help you make sure you follow the requirements outlined above. For example, we include a Privacy Notice upon first contact with the candidate, notifying them in a transparent way about the processing. We also give them a chance to control the processed data. Read more about our approach to candidates here.

As a processor, how is Intro complying with GDPR?

Intro's shift from being a search engine to an automated service was designed with GDPR in mind. Just like a recruiting agency, we only process candidate data upon request from our customers. Learn more about how we source candidates.