Data Controllers vs Processors in Recruitment Agencies

Written by


This blog is the third in our series of data protection advice. Part one covers The Eight Privacy Rights Under GDPR in the UK and part two concerns Measures Recruitment Agencies Must Take to be GDPR Compliant.

When it comes to GDPR compliance in recruiting, there are two key roles to distinguish: data controllers and data processors. Understanding the difference between these roles and their respective responsibilities is essential.

When it comes to processing personal data, whether through a standard job posting on social media or a recruitment platform/software, the legal basis for processing and the information disclosed to data subjects may vary.

Data Controllers

Under the UK GDPR, the data controller holds primary responsibility for protecting the privacy and rights of data subjects, such as website visitors. In other words, the data controller determines how and why the organisation manages data.

In recruitment, the data controller initiates the processing of personal data once the recruiter has collected sufficient information on prospective applicants. This involves gathering contact details, grades, certificates, CVs, general data, exam results, and other relevant documents. The data controller applies its own methods to process the collected data. In certain cases, the data controller may engage a third party or external service to process the acquired data.

Roles that typically include data controller responsibilities are those within an organisation that have the authority and decision-making power over how personal data is processed. Typically these would include:

  1. Human Resources Manager, HR managers often handle the personal data of employees, job applicants, and contractors. They determine the purposes and means of processing employee data, including recruitment, performance management, payroll, and employee records.
  2. Marketing Manager: Marketing managers are involved in collecting and processing customer data for marketing campaigns. They determine the purposes, methods, and channels through which customer data is used for marketing activities.
  3. IT Manager: IT managers are responsible for managing and securing data systems within an organisation. They oversee data storage, data access controls, and data security measures.
  4. Executive/Managerial Positions: Executives and managers who have decision-making authority within an organisation may also assume data controller responsibilities. This can include making decisions about data processing activities and ensuring compliance with data protection laws.
  5. Data Protection Officer: Larger organisations may have a designated data protection officer. The DPO is responsible for overseeing an organization’s data protection activities, ensuring compliance with data protection laws, and acting as a point of contact for data subjects and regulatory authorities.

Data Processors

On the other hand, a data processor is solely responsible for processing the data provided by the data controller. The data processor is an entity chosen by the data controller to handle and process the data. The data processor does not own or have control over the data and is bound to follow the directives of the data controller. They cannot change the purpose or method of using the data.

Certain recruiters may have additional specialised responsibilities, such as conducting or scheduling assignments for applicants, coordinating interviews, etc. Under the UK GDPR, these agencies are considered data processors as they perform specific tasks on behalf of the data controller.

Roles that typically take on data processor responsibilities often include:

  1. IT Administrators: IT administrators handle technical aspects of data processing, such as managing databases, configuring systems, and maintaining network infrastructure.
  2. Software Developers: Developers who create and maintain software applications used for data processing, including recruitment platforms, applicant tracking systems, or other HR-related software.
  3. Cloud Service Providers: Organisations that provide cloud computing services, including storage, hosting, or processing of data on behalf of the data controller.
  4. Outsourced Service Providers: External companies or service providers engaged by the data controller to perform specific tasks involving data processing, such as background checks, psychometric testing, or interview scheduling.
  5. Payroll Administrators: Personnel responsible for processing employee payroll and related financial data, ensuring accurate calculations and compliance with relevant regulations.
  6. Customer Support Representatives: Representatives handling customer inquiries or support requests, which may involve accessing and managing customer data as part of providing assistance.
  7. Data Entry Operators: Individuals responsible for entering and organising data into systems or databases as part of data processing activities.

It’s important to note that the roles mentioned above can vary depending on the specific industry, organisation, and data processing activities involved. Additionally, some individuals or organisations may have hybrid roles where they perform both data controller and data processor functions depending on the context and specific tasks being performed.

If we can help with any GDPR issue, contact us at

Measures Recruitment Agencies must take to be GDPR Compliant

This blog is the second in our series of data protection advice. Part one covers The Eight Privacy Rights Under GDPR in the UK and part three is Data Controllers vs...

5 Top Client Excuses to Avoid Fees and How to Handle Them

If you are a recruiter and suspect you may have fallen foul to a backdoor hire, don't always go in all guns blazing on a client and candidate. It can be as simple as an...
Ghosting candidates loses candidates

Three Reasons Why You Shouldn’t Ghost Your Candidates

Let’s face it, as a recruiter you are going to be spinning a lot of plates and you’ll be forgiven for dropping one every now and again, but our advice for preventing...

Data Controllers vs Processors in Recruitment Agencies

This blog is the third in our series of data protection advice. Part one covers The Eight Privacy Rights Under GDPR in the UK and part two concerns Measures Recruitment...
Ready to get paid with the bill

Act As If…You Might Just Get Paid!

Talking about backdoor hires and disputed fees can sound a bit… sinister, but sometimes (stress on sometimes) there wasn’t anything underhand happening. There is a good...