Keep your immigration recruitment GDPR compliant

HR professionals will be conscious of the significant amount of sensitive personal data that has to be collected and processed in order to sponsor a non-EEA employee. All employers, whether large or small, must comply with GDPR, so you must be aware of how international recruitment practices may have potential to breach the regulations and what you can do to become compliant. At several stages of sponsoring a non-EEA employee you, as an employer, will be required by the Home Office to retain, process and share personal data.

You may be required to conduct the Resident Labour Market Test (RLMT) when sponsoring a new hire under Tier 2 (General). Broadly (subject to some exceptions), you do this by advertising the vacant role in the UK nationally for a period of 28 days. This gives UK settled workers the opportunity to apply. An employer can only proceed with sponsorship once it has been established that no settled worker is suitable for the role.

To prove that this process has been conducted fairly, several documents must be retained by the employer on the sponsored non-EEA employee’s file. This is for the duration of their sponsorship and up to one year from the date it ends. A Tier 2 (General) employee can be sponsored for up to 6 years, so you may be retaining their personal information for a period of up to 7 years.


You must retain the following documents from the recruitment process:

  • all applications shortlisted for final interview, in the medium in which they were received. Examples are emails, CVs and application forms. These should include the applicants’ details such as name, address and date of birth;
  • the names and total number of applicants shortlisted for final interview; and
  • for each settled worker who was rejected, interview notes, which show the reasons why they have not been employed.


Whilst in some cases it is possible to rely on ‘legal obligation’ as a lawful basis to process personal data, the requirements to retain the above documents are not enshrined in the Immigration Rules. They originate in Home Office guidance. Conceivably, you may be able to argue that ‘legitimate interests’ apply here. However, this requires you to take on responsibility for ensuring that the rejected applicants and non-EEA employees’ rights and interests are fully considered and protected.


GDPR compliance steps include:

  1. Inserting a privacy notice in the body of your posted vacancy. This could clearly state the possibility of applicants’ personal data being retained and shared with legal advisors and the Home Office for the purpose of meeting immigration requirements. You must also make it clear how long data will be stored.
  2. Not retaining data which falls outside of these requirements. For instance, the guidance does not require you to keep documents of those who were not shortlisted for final interview or retain documents that are not specified.


If you have any concerns regarding how you can adapt your current HR immigration practices to comply with Home Office requirements and GDPR, please contact our Business Immigration team, who work with dedicated in-house GDPR experts to deliver comprehensive solutions for your employment needs.


The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.