Freeths - Law firm

Keep your immigration recruitment GDPR compliant

HR professionals will be conscious of the significant amount of sensitive personal data that has to be collected and processed in order to sponsor a non-EEA employee. All employers, whether large or small, must comply with GDPR, so you must be aware of how international recruitment practices may have the potential to breach the regulations and what you can do to become compliant.

At several stages of sponsoring a non-EEA employee you, as an employer, will be required by the Home Office to retain, process and share personal data.

You may be required to conduct the Resident Labour Market Test (RLMT) when sponsoring a new hire under Tier 2 (General). Broadly (subject to some exceptions), you do this by advertising the vacant role in the UK nationally for a period of 28 days. This gives UK settled workers the opportunity to apply. An employer can only proceed with sponsorship once it has been established that no settled worker is suitable for the role.

To prove that this process has been conducted fairly, several documents must be retained by the employer on the sponsored non-EEA employee’s file. This is for the duration of their sponsorship and up to one year from the date it ends. A Tier 2 (General) employee can be sponsored for up to 6 years, so you may be retaining their personal information for a period of up to 7 years.

You must retain the following documents from the recruitment process:

  • all applications shortlisted for final interview, in the medium in which they were received. Examples are emails, CVs, application forms. These should include the applicants’ details such as name, address and date of birth;
  • the names and total number of applicants shortlisted for final interview; and
  • for each settled worker who was rejected, interview notes, which show the reasons why they have not been employed.

Whilst in some cases it is possible to rely on ‘legal obligation’ as a lawful basis to process personal data, the requirements to retain the above documents are not enshrined in the Immigration Rules. They originate in Home Office guidance. Conceivably, you may be able to argue that ‘legitimate interests’ apply here. However, this requires you to take on responsibility for ensuring that the rejected applicants and non-EEA employees’ rights and interests are fully considered and protected.

GDPR compliance steps include:

  1. Inserting a privacy notice in the body of your posted vacancy. This could clearly state the possibility of applicants’ personal data being retained and shared with legal advisors and the Home Office for the purpose of meeting immigration requirements. You must also make it clear how long data will be stored.
  2. Not retaining data which falls outside of these requirements. For instance, the guidance does not require you to keep documents of those who were not shortlisted for final interview or retain documents that are not specified.

If you have any concerns regarding how you can adapt your current HR immigration practices to comply with Home Office requirements and GDPR, please contact our Business Immigration team who work with dedicated in-house GDPR experts to deliver comprehensive solutions for your employment needs.

The content of this page is a summary of the law in force at the present time and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
