)
When you apply for a job, you share a lot of personal data with recruiters and employers. But do you know how to protect it? From your contact details and work history to education and references, your CV contains data that needs to be handled responsibly.
Since the General Data Protection Regulation (GDPR) rules were introduced in 2018, data privacy has become a bigger part of the recruitment process. Adding a simple GDPR statement to your CV can help clarify how your personal information may be used during job applications. It also shows employers that you understand modern hiring practices and take professional standards seriously.
While a CV GDPR clause is not always required, many job seekers choose to include one to support transparency and demonstrate awareness of processing personal data.
Disclaimer
This article is for general informational purposes only and does not constitute legal advice. For the most accurate and up-to-date guidance, consult official GDPR sources, legal professionals, or your employer’s data protection policies.
Ready to get hired?
Use our CV builder to create a professional CV
Tailor your CV for any job application
AI writing assistant to boost your CV
Quick, easy, and ready in minutes.
Understanding UK GDPR: What jobseekers need to know
The General Data Protection Regulation (GDPR) is a UK data privacy law that explains how organisations collect, store, and use personal information. For job seekers, this applies whenever you submit a CV, complete an application form, or share details with a recruiter.
Your CV may include contact details and personal data, such as your name, phone number, email address, work experience (employment history), and education (qualifications). Employers and recruiters must legally handle this data responsibly and only use it for legitimate recruitment purposes.
In some cases, recruiters may rely on legitimate interest to process your CV during hiring. However, if your information is shared with a third-party recruiter or stored for future opportunities, employers or recruiters may request additional consent. This is why some applicants include a GDPR consent statement directly on their CV.
It is also important to avoid including unnecessary personal information on your CV. Under GDPR principles, employers should collect only data relevant to recruitment decisions. Sensitive information, known as special category data, includes details about health, religion, ethnicity, or political beliefs, and should only be shared when necessary.
Not sure what personal information to include on your CV? Explore our CV writing guides on:
What is a GDPR Clause in a CV?
A GDPR clause CV is a short statement explaining how your personal information may be used during recruitment. It is typically placed at the bottom of a CV and gives consent to your details being used in the hiring process. Some job seekers also include a retention period, clarifying how long their CV can be stored for future opportunities.
However, a GDPR consent CV statement is not always required. Many employers already include privacy notices within their online application forms or recruitment processes.
Refer to the Information Commissioner's Office (ICO UK), which explains why employers must be transparent about how candidate data is collected, stored, and used.
Why is GDPR compliance important for your CV?
Understanding GDPR can help you feel more confident when sharing your CV online or applying through recruitment agencies. It also helps you understand how employers may store, review, and share your information during the hiring process.
For example, recruiters and employers should explain how candidate data is used, whether information is shared with a third-party recruiter, and how long CVs may be kept on file. This is particularly relevant when uploading your CV to UK job boards or online recruitment platforms.
Being aware of GDPR principles can also help you protect your privacy during job applications. Before submitting your CV, check that your personal contact details are accurate and avoid including unnecessary personal or special category information unless it is relevant to the role.
How to include a GDPR statement in your CV
A GDPR statement in CV applications is usually placed at the bottom of the document, underneath sections such as work experience, education, or references. Keep the wording short, professional, and easy to read.
A simple example could look like this:
“I consent to the processing of my personal data for recruitment purposes in accordance with the UK General Data Protection Regulation (GDPR).”
Some candidates also choose to mention a retention period, particularly when applying through recruitment agencies or online CV databases.
GDPR clause example with time period:
“I consent to my CV being stored for recruitment purposes for up to 12 months.”
Pro tip
Always keep your CV GDPR clause concise and avoid adding overly complex legal language. Employers usually explain their data handling practices within online application forms or privacy policies, so a separate statement may not always be necessary.
Common mistakes to avoid for GDPR on a CV
Confusing a GDPR clause in a CV with a confidentiality clause or NDA.
Copying long legal templates directly into your CV.
Including too much personal or special category information, such as health details, religion, or medical history.
Using unclear wording or placing the statement in a way that affects your CV layout.
Forgetting that many employers already explain data handling within application forms or privacy policies.
CV Checklist
Key takeaways
Protecting your personal information is now an important part of writing a modern CV in the UK.
A CV GDPR clause is a short statement explaining how your personal information may be used during recruitment.
Your CV includes personal data such as your contact details, phone number, employment history, and qualifications.
Under the General Data Protection Regulation (GDPR), employers and recruiters must follow GDPR rules when processing personal data.
Some job seekers include a GDPR consent statement in their CV when applying through recruitment agencies, CV databases, or online job boards.
Before submitting job applications online, always check your personal details, privacy settings, and how your information may be stored or shared.
Next steps?
Want to strengthen your next job application? Explore our career blog for advice on cover letters, ATS-friendly CVs, LinkedIn profiles, interview preparation, employee benefits, and salary expectations in the UK. You can also use our AI CV builder to create a professional application tailored to your career goals, in-demand jobs and modern recruitment practices.
FAQs
Do I legally have to include a GDPR statement on my CV?
No. A GDPR statement in CV applications is not a legal requirement in the UK. However, some job seekers choose to include a CV GDPR clause when applying through recruitment agencies, CV databases, or online job boards.
What should my GDPR statement say?
A GDPR consent statement CV should be short, clear, and professional. A common example is: “I consent to the processing of my personal data for recruitment purposes in accordance with the UK General Data Protection Regulation (GDPR).” Some candidates also include a retention period explaining how long their CV may be stored for future opportunities.
Where should the GDPR statement appear on my CV?
A GDPR clause CV is usually placed at the bottom of your CV, underneath sections such as work experience, education, or references. Keep the wording concise so it does not affect the CV layout or readability of your application.
Can a recruiter share my CV with other companies without my permission?
Recruiters must follow the General Data Protection Regulation when processing personal data. In some situations, recruiters may rely on legitimate interest during recruitment, but they should still explain how your information is collected, stored, or shared, especially with a third-party recruiter or employer.
How long can an employer keep my CV after I apply?
There is no fixed time limit, but many employers keep CVs for around 6 to 12 months. Under GDPR, they should not keep your personal information longer than necessary and should explain their retention period in privacy policies or application forms.
What is a Subject Access Request (SAR)?
A Subject Access Request (SAR) allows you to ask an organisation what personal information they hold about you under the UK's data protection legislation. This may include your CV, application form details, interview notes, or other recruitment records linked to your personal documents.
