AI with Michal

GDPR and first-touch candidate outreach

The set of legal obligations under GDPR that apply the moment a recruiter first contacts a passive candidate: documenting a lawful basis, disclosing data sources, offering opt-out rights, and retaining a record of the first communication and the consent status it established.

Michal Juhas · Last reviewed May 4, 2026

What is GDPR and first-touch candidate outreach?

GDPR and first-touch candidate outreach covers the legal obligations that activate the moment a recruiter contacts a passive candidate for the first time. Under the General Data Protection Regulation, that first message is not just a business communication: it is the point at which the recruiter must disclose that they hold the candidate's personal data, explain where they obtained it, state the purpose and legal basis for processing it, and make it easy for the candidate to opt out or request deletion.

Most sourcing compliance gaps are first-touch gaps. The data was collected lawfully, the outreach was well-intentioned, but the moment of disclosure was skipped or buried, which means the processing chain is technically non-compliant from the first send.

Illustration: GDPR and first-touch candidate outreach showing a sourced candidate profile entering a compliant outreach flow with lawful basis documentation, privacy disclosure, opt-out mechanism, and a suppression list

In practice

  • A sourcer sends an InMail that says "I found your profile on LinkedIn and wanted to reach out about a role" without naming where their email address came from or how they can be removed from the recruiter's CRM. That gap is an Article 14 GDPR failure even if the message is polite and the candidate never complains.
  • A TA ops lead adding a one-line privacy footer to every outreach template ("We found your details via [source]. To update or remove your record, reply to this email or visit [link]") is a minimal but meaningful compliance step that most teams have not taken before a workshop.
  • When a candidate replies to a sequence saying "please remove me from your list" and the recruiter marks them as do-not-contact in the CRM but does not suppress them in the enrichment tool, the next monthly run re-adds them to the pipeline and the automated sequence fires again. That second contact after an opt-out is the moment a regulatory complaint becomes likely.

Quick read, then how hiring teams use it

This is for recruiters, sourcers, TA, and HR partners who need the same vocabulary in debriefs, vendor calls, and policy reviews. Skim the first section when you need a fast shared picture. Use the second when you are deciding how it shows up in the ATS, sourcing tools, or candidate communications.

Plain-language summary

  • What it means for you: Every first message to a passive candidate triggers a legal obligation to tell them you hold their data, where you got it, why you are using it, and how they can ask you to stop. This applies even if the message is a friendly LinkedIn note.
  • How you would use it: Add a privacy disclosure line to every outreach template. Document the lawful basis for each sourcing campaign. Maintain a suppression list and wire it to every tool in your sequence stack.
  • How to get started: Pull your three most-used outreach templates today. Check whether each one names the data source and includes an opt-out mechanism. If not, add one line before the next send. Then document the lawful basis for the outreach in a one-page record.
  • When it is a good time: Before you automate any outreach sequence. Automation at scale without a compliance layer multiplies every gap across every candidate it touches.

When you are running live reqs and tools

  • What it means for you: When outreach runs through automation, the GDPR obligations do not scale down with the volume: every candidate in a sequence of 500 needs the same disclosure a recruiter would give in a one-to-one message. The suppression list, the DPA chain, and the deletion workflow all need to be in place before launch.
  • When it is a good time: After legal has signed off on the lawful basis and template language, and after the suppression list is wired as a filter in every tool in the stack. Not while the outreach copy is still changing every cycle.
  • How to use it: Include the disclosure in message step one of every sequence. Set a maximum follow-up count so the sequence stops before a non-response becomes evidence of unwanted processing. Log the disclosure date and channel per candidate record in your CRM.
  • How to get started: Build a one-page compliance template: lawful basis, data sources, disclosure language, opt-out mechanism, suppression list location, and deletion workflow owner. Run it past legal before the first automated campaign. Update it when you add a new enrichment vendor or outreach channel.
  • What to watch for: Sequences that fire a fourth or fifth follow-up after no response, enrichment tools that re-add opted-out candidates on the next run, outreach copy that skips the data source because the template was copied from a sales sequence, and DPAs that name the CRM but not the enrichment vendor that supplied the contact detail.

Where we talk about this

On AI with Michal live sessions, sourcing automation blocks address GDPR compliance as infrastructure, not an afterthought: lawful basis, template design, suppression lists, and DPA chains are part of the technical setup before any sequence launches. AI in recruiting workshops connect the same obligations to screening-stage decisions and candidate communications at scale. If you want a live room review of your current outreach templates and sequence design, join Workshops and bring your actual sequence copy and vendor list.


Compliance checklist for first-touch outreach

Step | What it covers | Who owns it
Document lawful basis | Legitimate interest balancing test per campaign | TA ops or legal
Add privacy disclosure | Source, purpose, opt-out link in message template | Recruiter or ops
Wire suppression list | Filter opted-out records from every tool in the stack | TA ops
DPA for enrichment vendors | Subprocessor named and agreement signed | Legal or procurement
Deletion workflow | Remove record from CRM and subprocessors within 30 days | TA ops


Frequently asked questions

What lawful basis do most recruiters use for contacting passive candidates?
Legitimate interest is the most common basis for B2B-adjacent sourcing outreach: the recruiter has a genuine business need to fill a role, and the candidate's professional profile is publicly available in a relevant context. However, legitimate interest is not automatic. It requires a balancing test that weighs your interest against the candidate's privacy expectations. If you are messaging someone whose profile does not obviously signal openness to new roles, or who works in a jurisdiction with stricter norms (Germany, France), the test is harder to pass. Document the test in a one-page record before the campaign launches, not after the first complaint arrives. Pair this with your talent data aggregators' DPAs so the lawful basis covers both the data source and the outreach step.
What must a first-touch outreach message include under GDPR?
Article 14 of GDPR requires that when personal data is obtained from a third party rather than directly from the individual, you inform them of: the categories of data you hold, the purposes and legal basis for processing, the source of the data, and their rights, including access, erasure and the right to object. In practice, this means the first message should name where you found the candidate ('your profile on LinkedIn'), why you are processing their data ('to assess whether you might be interested in a role at [Company]'), and how they can request deletion or opt out. A one-line privacy notice at the foot of a cold InMail or email is a minimal implementation; a link to a full privacy page is better. The requirement applies whether the outreach is manual or automated.
How do automated outreach sequences change the GDPR obligation?
Automation does not reduce the obligation; it multiplies the blast radius of any gap. When a manual recruiter sends a non-compliant message, the error affects one candidate. When an automated sequence fires the same message to 500 profiles, the error is scaled by 500. This is why sourcing automation cohorts spend time on the sequence design before the launch: each step in the sequence needs a review of whether it is still lawful if the candidate has not responded, how long the cadence continues before the data is considered stale, and what the opt-out mechanism is for each channel (email unsubscribe, LinkedIn withdraw). Log whether each candidate in the sequence received a privacy disclosure and when, so a data subject access request can be answered in minutes rather than reconstructed from a chat history.
What happens when a candidate asks to be removed from your records?
A data subject access request or erasure request requires a response within 30 days under GDPR. You must confirm what data you hold, where it came from, what you have done with it, and then delete it or document a reason why retention is legally required (a live dispute, for example). In sourcing practice, this means your CRM or proprietary talent pool must have a deletion workflow, not just a manual archive step. If the candidate's data also reached an enrichment vendor or outreach tool, those subprocessors need to be notified of the deletion request. Build the workflow before the first campaign. Teams that try to reconstruct it after the first request discover they cannot find all the places the data landed.
Does the GDPR obligation change if outreach goes through LinkedIn InMail?
LinkedIn is a joint controller for data on its platform, which changes the DPA structure but does not eliminate your obligation to tell the candidate you are processing their data for a specific purpose. If you source a candidate on LinkedIn and then contact them by email using a detail obtained from an enrichment tool, the email is unambiguously your personal data processing operation and the Article 14 obligation applies fully. If you only contact them through InMail and do not store their data outside LinkedIn, the liability is lower but not zero: you still need a documented lawful basis and you still must honour any opt-out or access request the candidate sends to you, not just to LinkedIn. When in doubt, name the source and offer the opt-out in the first message regardless of channel.
How should sourcing teams handle candidates who respond with opt-out requests?
An opt-out from a passive candidate means two things: stop all outreach immediately on every channel, and delete or suppress their record from your active pipeline and any nurture sequence. The suppression step is often missed: a deleted CRM record can re-enter via the next enrichment run if there is no suppression list in place. Maintain a do-not-contact list keyed on email address and LinkedIn URL, and feed it as a filter to every sourcing and enrichment tool you run. Log the opt-out date and the channels it covered so you can demonstrate compliance if the candidate follows up. Building this list before the first campaign costs 30 minutes; rebuilding trust after a second contact following an opt-out request costs significantly more.
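An added example (not code from this page or from AI with Michal) of the suppression step described in this answer and in the third "In practice" bullet: opt-outs are keyed on normalized email and LinkedIn URL, logged with the date and channels they covered, and applied as a filter to an enrichment run before anything is loaded back into the pipeline. The function names, the dict-based list and the sample records are constructed for illustration.

```python
from datetime import date
from urllib.parse import urlsplit

def normalize_email(email):
    return email.strip().lower()  # 'Jane.Doe@Example.com ' and 'jane.doe@example.com' are one key

def normalize_linkedin_url(url):
    # Drop scheme, 'www.', query string and trailing slash so every URL variant maps to one key.
    url = url.strip().lower()
    parts = urlsplit(url if "://" in url else "https://" + url)  # exports often omit the scheme
    host = parts.netloc[4:] if parts.netloc.startswith("www.") else parts.netloc
    return host + parts.path.rstrip("/")

def record_keys(record):
    # Yield every normalized identifier a record carries, so a hit on either key suppresses it.
    if record.get("email"):
        yield ("email", normalize_email(record["email"]))
    if record.get("linkedin_url"):
        yield ("linkedin", normalize_linkedin_url(record["linkedin_url"]))

def add_opt_out(suppression, email=None, linkedin_url=None, channels=("email",), recorded_on=None):
    # Log date and channels so the opt-out can be evidenced if the candidate follows up.
    entry = {"recorded_on": recorded_on or date.today(), "channels": tuple(channels)}
    for key in record_keys({"email": email, "linkedin_url": linkedin_url}):
        suppression[key] = entry  # suppression: dict of normalized key -> opt-out entry
    return entry

def lookup(suppression, record):
    # Return the opt-out entry covering this record, or None if it may be loaded.
    return next((suppression[k] for k in record_keys(record) if k in suppression), None)

def filter_enrichment_run(records, suppression):
    """Split an enrichment run into records safe to load and records blocked by an opt-out."""
    allowed, blocked = [], []
    for rec in records:
        hit = lookup(suppression, rec)
        if hit is None:
            allowed.append(rec)
        else:  # keep the reason on the blocked record for the audit trail
            blocked.append({**rec, "blocked_by_opt_out_on": hit["recorded_on"].isoformat()})
    return allowed, blocked

# Constructed sample: one opt-out, then a monthly run re-delivering the same person in other forms.
SUPPRESSION = {}
add_opt_out(SUPPRESSION, "Jane.Doe@Example.com", "https://www.linkedin.com/in/jane-doe/",
            channels=("email", "linkedin"), recorded_on=date(2026, 4, 20))
RUN = [{"email": "jane.doe@example.com", "linkedin_url": "linkedin.com/in/jane-doe?trk=x"},
       {"email": "jd@other.example", "linkedin_url": "https://linkedin.com/in/jane-doe"},
       {"email": "sam.roe@example.com", "linkedin_url": "www.linkedin.com/in/sam-roe/"}]
ALLOWED, BLOCKED = filter_enrichment_run(RUN, SUPPRESSION)
```

The second run record has a new email address and still gets blocked on the LinkedIn URL, which is the case a single-key list misses.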
Where do teams most often get first-touch GDPR compliance wrong?
Three failure modes appear repeatedly in workshops. First, no privacy disclosure in the first message: teams assume a standard InMail template is GDPR-compliant because a vendor said so. Second, no documented lawful basis for the outreach: 'we thought it was fine' is not a balancing test. Third, subprocessor gaps: the enrichment vendor that supplied the email address is not named in the privacy notice or in a DPA, which means the whole data chain is undocumented. A fourth gap is automation without a suppression list, so opt-outs re-enter the next sequence run. Fix these in order: document the lawful basis first, add the disclosure to the template second, wire the suppression list third, then audit your subprocessors. Pair this checklist with your review of talent data aggregators for a consistent legal layer.
