
Clients and GDPR


GDPR does not distinguish between the size of organisations processing personal data.  Accountability is spread across the supply-chain wherever personal data is being processed.

Recruiters are classed as data processors in their business relationships with researchers and end clients.  Recruiters are, however, data controllers for the personal data they own and control, e.g. recruitment databases.


A contract is an agreement between parties which sets out the responsibilities and liabilities of all parties subject to contracts.

Controllers have to document who they have appointed as data processors and have contracts in place with their data processors.

A data processor’s activities must follow the documented contractual instructions from the data controller.

Contracts can:

  • Vary in length
  • Vary in what they cover
  • Vary in complexity

Contracts can have different and sometimes confusing names.  For example, Master Service Agreement (MSA) or Service Level Agreement (SLA): these document the whole of a business relationship including payment, timescales, intellectual property rights, data protection and so on. 

You might also receive ‘addendums’ to previous MSAs or SLAs which include new data protection requirements.  You might also be asked to enter into a data processing agreement.  You might also not receive anything.  In such instances you should request one as it is a requirement of processing personal data that a contract is in place.

If you are not supplied with a contract, you should remind your client that there is a legal obligation to have a contract and that, as they are commissioning you to undertake work on their behalf, they will be responsible for any potential liabilities which may arise due to no contract being in place.

The most common agreement is a data processing agreement (MSAs and SLAs tend to be for larger companies).  Whatever contract you receive, specific terms need to be included to be compliant with GDPR – see

If you sub-contract any recruitment to others you will have responsibility for providing a data processing contract.

When you receive a contract check the following before signing:

  • What is the liability in the event of a personal data breach? Your insurance provider may recommend that you do not undertake contracts with unlimited liability.
  • What are the expectations of your IT systems?  They may not be to the standard expected by the controller.
  • What are the data transfer requirements?  The client may request a particular type of file transfer and not accept sending personal data via password-protected spreadsheets, for example.

Try to negotiate any contractual terms which are problematic.  Clients can be flexible on some requirements.


Statement of Work

Each individual project needs a record of the data processing to be undertaken. The data controller, your client, must instruct you on what data processing is involved. Clients may send the data processing instructions as a Statement of Work or within their Project Brief. However the instructions are sent, the Statement of Work should include the following data processing information:


  • The purpose of the data processing
  • The subject matter
  • The dates (from and to) of the data processing
  • What the processing activities are e.g. recruitment screening, sending participant profiles, etc
  • Types of personal data being collected e.g. name, email, addresses, financial information
  • Any special categories of personal data e.g. ethnicity, health data, etc.
  • Categories of data subject e.g. employees, subscribers
  • Any data transfer requests e.g. the method for sending participant profiles
  • Any end of contract requirements e.g. returning client supplied samples


Client supplied samples

There are some extra points to note when you receive client supplied samples:


  • Individuals must be told during data collection the source of their data (this can be revealed at the end of the session if participants agree to participate on this basis)
  • Confirm with clients that they have checked samples and that the personal data can be used for research purposes
  • Confirm with clients the method of contact that is allowed for client-supplied samples e.g. telephone, email, etc.
  • Report back immediately any complaints or data subject requests received during your recruitment activities using client-supplied samples
  • As clients are data controllers they have responsibility for fulfilling any data subject request relating to data subject rights such as subject access, erasure, etc.


Participant information

When you are acting as a data processor you have a responsibility to inform participants of the following:

  • What their data is going to be used for
  • Who is going to have access to it
  • How long it will be held for
  • What purposes it will be used for
  • Where it will be stored (EU, EEA, other countries?)

With video/digital recordings

  • Each use of any recording should be stated separately, and consent obtained for each use.
  • Different purposes and uses cannot be bundled together.


Data breach notification

In contracts with clients it is likely there will be time limits for notifying any personal data breaches which you are responsible for. This is usually within 24 hours of identifying the breach.

You should report any breach that involves data supplied by clients.  Your clients must notify you if they lose any data that you have supplied to them.  You may need to take legal advice before/during a data breach and may need to inform your insurance provider.