Consent clause in a CV – when is it needed and when is it not?
In most recruitment processes in Poland, adding a consent clause to a CV is not required under the GDPR and often it is even unnecessary. Consent is only needed in strictly defined situations, such as when special category data is involved or when a CV is intended to be used in future recruitment processes.
Consent is one of the legal bases that allows a given entity (data controller) to process personal data (GDPR, Art. 6(1)(a)).
For a long time, adding a consent clause to a CV was standard practice. And even though GDPR has been in place for quite a while now, and even the Polish supervisory authority (UODO) has pointed out that this practice is incorrect, we still have not fully managed to move away from it.
Recruiters keep asking for it (most often in an incorrect form).
Candidates worry that without it, they will automatically be rejected from the recruitment process.
And so the cycle continues.
Why is a consent clause in a CV usually NOT justified?
Because:
(1) Some of the data included in a CV is not processed based on consent at all, but on other legal grounds — such as legal obligations or steps necessary to enter into a contract.
(2) For most of the remaining data, implied consent is sufficient — simply sending the CV is enough.
What types of personal data are we talking about?
Personal data can generally be divided into three categories:
(1) Ordinary data, such as first name, last name, address, date and place of birth, phone number, profession, image (e.g. a photo in a CV), email address, etc.
(2) Special categories of personal data (so-called sensitive data), defined in a closed list under Article 9 GDPR, revealing:
– racial or ethnic origin,
– political opinions,
– religious or philosophical beliefs,
– trade union membership,
– genetic data,
– biometric data used for the purpose of uniquely identifying a natural person,
– data concerning health, sex life or sexual orientation.
(3) Data relating to criminal convictions and offences, referred to in Article 10 GDPR.
What data can be processed without consent?
Consent is not the default legal basis in recruitment and, in most cases, is not required under GDPR.
(1) Recruitment for an employment contract
Here, labour law (Article 22¹ §1 of the Polish Labour Code) requires specific data:
– first name and last name,
– date of birth,
– contact details and,
– education, qualifications, and employment history (excluding information about salary in current and previous employment relationships), but only where necessary for the given position.
In certain professions, additional legal provisions may require or allow employers to collect further data.
(2) Recruitment for civil law contracts (B2B, freelance etc.)
Here, the Labour Code does not apply. However, data necessary to conclude a contract can still be processed based on: taking steps prior to entering into a contract (Art. 6(1)(b) GDPR), or a legal obligation (if applicable). In practice, the scope of data is usually similar.
👉 In both cases, data is not processed on the basis of consent.
What data can be processed based on implied consent?
In addition to required data, CV often includes extra information such as:
– interests,
– links to social media (e.g. LinkedIn, portfolio),
– projects.
In most cases, these are ordinary data
Such information may be processed based on the candidate’s consent — but no additional clause is required.
👉 The act of sending a CV is treated as implied consent to process ordinary personal data included in it.
When is an explicit, written consent clause required?
There are essentially two situations where including a consent clause makes sense and is actually required:
(1) When the CV contains special category data (Art. 9 GDPR)
Explicit consent is required only when a candidate voluntarily discloses such data in their CV — for example information about political views, religion, health or sexual orientation — and this is not required by law.
It is important to remember that:
– employers must not encourage or request such data unless there is a clear legal basis,
– in the case of criminal data (Art. 10 GDPR), consent does not apply at all — such data can only be processed if explicitly permitted by law.
(2) When the candidate wants their CV to be used in future recruitment processes
If a candidate wants the company to keep and reuse their CV for future roles, consent is required. Without such consent, the CV may only be used for the specific recruitment process for which it was submitted.
Many companies now address these issues through internal forms, checkboxes, or clauses included in online application systems. If consent has already been collected in this way, including it again in the CV is unnecessary — although not incorrect, provided the content of the consent itself does not create a conflict.
What data in a CV may be considered special category data?
GDPR defines a closed list of such data.
How can you distinguish ordinary data from special category data in a CV?
For example:
✔ “I enjoy watching political debates” or “I am interested in religious studies” – these are general statements that do not reveal political views or religious beliefs.
❌ “I support this political party” or “I am a practicing Catholic” – these clearly do.
👉 As a rule, if information is not required by law or genuinely necessary in the recruitment process, it should not be included in a CV.
Why are most consent clauses in CVs simply incorrect?
Because in most cases they are:
– not adapted to the actual legal situation,
– based on outdated legal grounds,
– or misleading.
As a result, they are flawed and provide no real value.
What should a proper consent clause look like?
There is no single official template.
There is no requirement to include:
– the legal basis,
– or the name of the company.
What matters is that the consent is tailored to the specific purpose.
Example 1:
“I consent to the processing of my personal data by XYZ for the purposes of future recruitment processes conducted for a period of 6 months.”
Example 2:
“I consent to the processing of special categories of personal data included in my CV, as referred to in Article 9(1) GDPR.”
Can consent be withdrawn?
Yes, consent can be withdrawn at any time. Withdrawal does not require justification and must not result in negative consequences for the candidate.
However, it only applies going forward. That means withdrawal does not affect the lawfulness of processing carried out before it was withdrawn, but from that moment on, the company loses the right to further process the data.
The candidate must be informed about this right at the time of data collection.
This article relates to the Polish legal framework and is based on the legal status, case law, and practice applicable at the time of publication. The scope and manner of processing personal data in recruitment and employment relationships may differ between countries and depend on local laws.
Sources and further reading
Polish Labour Code (Act of 26 June 1974) (Dz.U. 1974 nr 24 poz. 141)
Act of 10 May 2018 on Personal Data Protection(Dz.U. 2018 poz. 1000)
Polish Data Protection Authority (UODO), Data protection in the workplace. Guide for employers, October 2018.