Recruiters and staffing agencies: agreements with employers and candidates online
Recruiters close dozens of agreements a month — with clients for filling positions and with candidates for personal data processing. See how zipzipdoc speeds up every step.
A recruiter works on two fronts simultaneously — closing agreements with employers to fill positions, and obtaining GDPR consent from every candidate for personal data processing. Both types of documents are mandatory, and both can be handled digitally in a fraction of the usual time.
Legal framework for recruitment businesses
Recruiters and staffing agencies handle large volumes of personal data (CVs, contact details, salary expectations, performance records) and must comply with GDPR (Regulation 2016/679) rigorously. Specifically:
- Lawful basis for CV processing: GDPR requires a lawful basis before storing or processing any candidate’s CV. For active candidates, consent is the most appropriate basis — and it must be explicit, specific and documented.
- Retention limitation: CVs and candidate profiles cannot be stored indefinitely. A standard approach is 12 months of active database life, renewable with the candidate’s consent.
- Data subject rights: candidates have the right to access their stored data, request correction, and request erasure. Your CRM and contract system must support these rights.
For recruiters, a signed GDPR consent from each candidate is not optional — it is the legal foundation for your entire candidate database.
What recruiters and staffing agencies need
- Placement agreement with the employer: fee, exclusivity, guarantee period
- Candidate GDPR consent: a legal requirement before storing a CV in the database
- NDA when filling sensitive executive or confidential roles
- Confidentiality agreement for exclusive mandates
The placement agreement — what it must contain
A staffing agency agreement between the recruiter and the employer must clearly define:
- Fee structure — percentage of first-year salary or flat fee? When is the fee triggered (start date, end of probation)?
- Guarantee period — if the placed candidate leaves or is terminated within 3 months, is the fee refunded or a replacement candidate provided?
- Exclusivity — is the employer permitted to search simultaneously with other agencies, or is this an exclusive mandate?
- Payment terms — net 30, split payments, invoicing trigger.
- Definition of successful placement — to avoid ambiguity about when the fee is earned.
- Off-limits clause — restriction on recruiting the employer’s other employees.
Why GDPR consent must be in writing
Since GDPR came into force in 2018, any processing of a candidate’s CV requires a lawful basis — and for active candidates who have not applied to a specific job, consent is the most appropriate basis. Verbal consent is insufficient — you need a documented record. zipzipdoc generates a candidate GDPR consent in 30 seconds. The candidate signs on their phone before the first interview.
Numbers that speak for themselves
| Statistic | What it means |
|---|---|
| 89 % | of recruiters still send GDPR consents by email |
| 2.3 days | average wait for a placement agreement signature |
| 15 min | saved per new candidate |
| 100 % | GDPR compliance when collecting CVs |
How it works step by step
Step 1: A candidate expresses interest in a position.
Step 2: The recruiter sends a CV processing GDPR consent via zipzipdoc.
Step 3: When the candidate is suitable, the client company receives a placement agreement for signing.
DPA between recruiter and employer: when is it required
GDPR establishes a precise accountability hierarchy. When a recruiter processes candidate CVs on behalf of an employer, the relationship is controller (employer) — processor (agency). This must be covered by a Data Processing Agreement (DPA) under Article 28 GDPR.
What the DPA must specify
A DPA between a client company and a recruitment agency must define:
- Subject matter and duration: CVs for specific positions during the mandate period
- Nature and purpose: candidate evaluation and shortlisting
- Categories of data processed: name, contact details, work history, assessment results
- Agency obligations: technical and organisational security measures, prohibition on re-use without consent
- Sub-processors: ATS platforms (Greenhouse, Lever, Workable, Teamtailor) must be explicitly listed
When a DPA is not required
If the agency acts as an independent data controller — making its own decisions about purpose and means of processing — rather than as a processor on behalf of the client, a standard Article 28 DPA is not required. This applies when:
- The agency maintains its own candidate database and determines the purpose independently
- Active sourcing is conducted without a specific mandate from the client
Guarantee structure and fee recovery
The guarantee clause — typically 3–6 months — is standard in retained and contingency recruitment. If the placed candidate leaves or is dismissed within the guarantee window, the agency either provides a free replacement or refunds a portion of the fee.
Typical guarantee fee return schedule
| Candidate departure within | Fee refund |
|---|---|
| 30 days | 100% |
| 31–60 days | 75% |
| 61–90 days | 50% |
| 91–180 days | 25% |
| Over 180 days | 0% |
Guarantee terms must clearly specify what triggers the guarantee (voluntary departure, performance dismissal) and what falls outside it (layoffs due to restructuring, force majeure, role elimination).
Exclusivity: balancing risk and commitment
An exclusive mandate gives the agency assurance that its investment in the search will be rewarded. For the employer, exclusivity means a commitment not to engage other agencies or approach candidates directly during the mandate period. This can slow down a fill if the agency underperforms.
A practical middle ground: 45–60 days of exclusivity, then conversion to a non-exclusive mandate if the role remains unfilled. This incentivises performance while protecting the employer’s timeline.
Frequently asked questions
Is written GDPR consent required when collecting a CV?
Yes. Processing a CV is processing personal data. If the candidate has proactively applied to a job, the lawful basis can be “legitimate interest” or “pre-contractual necessity.” For cold-sourced candidates (LinkedIn, referrals), explicit written consent is the safest approach. It must be archived with a timestamp and be withdrawable by the candidate.
How do I handle an NDA for sensitive positions?
For executive roles or positions with access to highly confidential information, a two-sided NDA between the recruiter and the employer protects both parties. The candidate receives a confidentiality notice but is typically not party to the recruiter-employer NDA. zipzipdoc generates NDA templates specifically for recruitment scenarios.
Can I send GDPR consents to candidates in bulk?
Yes. Bulk sending lets you send consent to multiple candidates at once. Each receives a personalised document with their own signing link and signs with OTP verification. The dashboard tracks who has signed and who has not responded.
How long can I keep a candidate’s CV in my database?
GDPR’s storage limitation principle requires that data is not kept longer than necessary. Standard practice: 12 months of active database life. After that, either renew the candidate’s consent or delete their data. Your contract and consent management system must support this cycle.
What is an “off-limits” clause in a recruitment agreement?
An off-limits (or “no poach”) clause restricts the recruiter from approaching the client’s existing employees for other placements during the agreement period. This protects the employer’s workforce stability. It typically extends 12–24 months after placement.
“I send GDPR consents to candidates automatically. Placement agreements are signed within a day.” — Eve M., senior recruiter
