You find a great profile on LinkedIn, you add it to your pool, you reach out. Classic. Except at that very moment, GDPR has already created an obligation you haven't met — and it isn't consent. It's information. Most recruiters miss it. Here's why it matters and how to comply without breaking your sourcing flow.
Summary
- The opening misconception: consent ≠ information
- Article 14: informing when the data didn't come from the candidate
- What lawful basis for sourcing?
- The "I'll inform them later" trap
- The compliant sourcing checklist
- FAQ
1. The opening misconception: consent ≠ information
A common belief: "I don't have the candidate's consent, so I can't source them." False in most cases.
- Sourcing can rest on a lawful basis other than consent — most often legitimate interests (see §3).
- But the absence of consent does not exempt you from a separate, systematic obligation: informing the person.
Consent is a possible lawful basis. Information is a transparency obligation that applies regardless of the basis. They are different things — and it's the information that's missed.
2. Article 14: informing when the data didn't come from the candidate
When you collect data directly from a candidate (they apply, they upload their CV), GDPR article 13 applies. When you obtain their data elsewhere — LinkedIn, a jobboard, a referral — it's article 14.
Article 14 requires you to inform the person of:
- the identity and contact details of the controller (and DPO if applicable);
- the purposes and lawful basis of the processing;
- the categories of data concerned;
- the recipients if any;
- the retention period;
- the rights (access, rectification, erasure, objection, etc.);
- and — specific to article 14 — the source of the data (e.g. "LinkedIn") and whether it came from a publicly accessible source.
Information must be provided within a reasonable period — and no later than the first contact with the person, if you communicate with them (art. 14(3)). In practice for sourcing: your first outreach message must contain — or point to — the article 14 notice.
3. What lawful basis for sourcing?
In practice, candidate sourcing most often relies on legitimate interests (art. 6(1)(f)): matching a professional profile to a job opportunity is a legitimate interest of the recruiter, subject to a balancing test against the person's rights. This requires:
- minimisation — only capture data relevant to the professional matching (art. 5(1)(c));
- a clear right to object (art. 21), explicitly highlighted to the person;
- and — again — the article 14 transparency notice, regardless of consent.
If the processing is for direct marketing-like activity, the right to object is absolute: the person can object at any time and processing for that purpose must stop.
4. The "I'll inform them later" trap
A common mistake: adding dozens of profiles to a pool, planning to inform them only when first contacted. Two problems:
- The article 14 clock (one month max from collection) runs even if you haven't contacted them.
- Storing sourced profiles without information is building a non-compliant database — quickly visible in case of a complaint or audit.
The right move isn't to stop sourcing — it's to make the article 14 notice accessible at the moment of first contact (or, at the latest, within one month), covering source, lawful basis, retention and right to object.
5. The compliant sourcing checklist
- Lawful basis identified (most often legitimate interests) and documented.
- Article 14 notice ready, including source and right to object, delivered in the first message or via a link.
- Minimisation: only store what's relevant.
- Retention period (consistent with your CV retention policy).
- Easy-to-exercise right to object, made visible.
- Audit trail (who was sourced, when, from which source).
A serious ATS should make this information and the audit trail easy — not leave it to each user's goodwill. It's the difference between a defensible practice and one that's exposed at the first complaint.
Where this article comes from
Marvin Recruiter integrates GDPR and AI Act in product design. This article is the output of our in-house R&D — regulation, ICO/CNIL/AEPD doctrine, Digital Omnibus monitoring. Informative, not legal advice. Not yet reviewed by a lawyer. Validate compliance decisions with your DPO or a specialised law firm.
FAQ
Do I need consent to source a candidate on LinkedIn?
Not necessarily — sourcing usually relies on legitimate interests. But you must inform the person (art. 14) and offer an easy right to object.
When must I inform a sourced candidate?
No later than one month after collection, and no later than first contact if you reach out before that month expires (art. 14(3)).
Do I have to tell them where I found their data?
Yes. Article 14 requires you to indicate the source of the data (LinkedIn, jobboard, referral, etc.) and whether it came from a publicly accessible source.
Can a candidate refuse to be in my database?
Yes — right to object (art. 21), absolute for direct marketing-like activity. Processing for that purpose must then stop.
The profile is public — am I exempt?
No. A profile being public removes neither the information duty nor the person's rights.
Informative article up to date as of 15 May 2026. Sources: (UK) GDPR / Regulation (EU) 2016/679 (art. 5, 6, 14, 21); ICO recruitment guidance; CNIL and AEPD doctrine. Not legal advice.
Suggested internal links: GDPR & recruitment guide · CV retention (R2) · AI Act and recruitment (A1) · Request a demo.
