Sharing Candidates Between Agencies Under GDPR
Every split fee placement starts with an awkward question: how do you tell another agency about your candidate without handing over data you are legally responsible for protecting?
It is the quiet reason a lot of split fee conversations never get going. One recruiter has a candidate they can’t place. Another might have the perfect role. But to find out, someone has to share a name, a CV, contact details, or a salary expectation, and all of that is personal data the candidate trusted you to look after.
Get it wrong and you are not just risking a relationship. You are risking a breach of UK GDPR, a complaint to the regulator, and a fine that dwarfs any single placement fee.
The good news: sharing candidates between agencies is entirely lawful when you do it properly. Here is what “properly” means.
What UK GDPR actually says about candidate data
Since Brexit, the UK runs its own version of GDPR (the UK GDPR), sitting alongside the Data Protection Act 2018 and enforced by the Information Commissioner’s Office. For recruitment, the practical takeaways have not changed much from the EU regime.
A candidate’s name, email, phone number, CV, work history, and salary expectations are all personal data. Some of what lands in a recruiter’s inbox goes further. Health information, or details that reveal ethnicity or religion, count as special category data and carry stricter rules.
The principle that trips agencies up most is not consent. It is purpose. You are allowed to process a candidate’s data for the reason they engaged you in the first place, which is to help them find a role. Sharing their details with a second agency to widen that search can sit squarely within that purpose. What matters is whether you have a lawful basis, whether the candidate knows the sharing can happen, and whether you share only what is genuinely needed.
The habit that creates real risk
Most split fee data problems don’t come from platforms or formal agreements. They come from the informal default.
A recruiter posts in a 5,000-member LinkedIn or WhatsApp group: “Senior Java dev, Manchester, £55k, available now, anyone got a role?” Or they email a full CV to a contact they met at an event, just in case.
Each of those is a disclosure of personal data to people the candidate never agreed to, with no record of who received it, no control over what they do with it, and no way to claw it back. Once a CV is in a group chat, it is everywhere. That is exactly the kind of uncontrolled processing the regulator takes a dim view of, and UK GDPR fines run to £17.5 million or 4% of global annual turnover, whichever is higher.
The casual approach feels low-stakes precisely because it is casual. The law does not see it that way. I covered the wider failings of the informal model in why manual split fee processes fail.
Three things you need to get right
Strip away the jargon and lawful candidate sharing comes down to three habits.
A lawful basis to share
Every act of processing personal data needs a lawful basis under Article 6 of the UK GDPR. For recruitment, two are realistic:
- Legitimate interests. The basis most agencies rely on. Helping a candidate into a job, including by working with a partner agency, is a legitimate commercial interest for you and a benefit to them. To use it, run and document a short legitimate interests assessment that weighs your interest against the candidate’s rights. It isn’t a free pass, but it suits split fees well.
- Consent. Some agencies ask candidates to opt in to having their details shared with partner agencies. Consent must be freely given, specific, and easy to withdraw, which makes it more brittle than legitimate interests, but it is clean and simple to explain.
Whichever you choose, the receiving agency needs its own lawful basis too. In most split fee arrangements both agencies are independent controllers of the data, each accountable for how they handle it. Your split fee agreement should make that explicit.
Telling candidates it can happen
Transparency is non-negotiable. Under the UK GDPR, candidates have to be told how their data will be used, and that includes the possibility of sharing it with partner agencies to find them a role.
Usually this is a one-line addition to the privacy notice you already give candidates when they register: that you may share their details with trusted partner agencies to identify suitable vacancies, and that they can object at any time. The test is simple. If a candidate would be startled to learn where their CV ended up, you have a transparency problem.
Sharing less, and later
Data minimisation says you should only process what you actually need. Applied to split fees, that has a powerful implication: you don’t need to reveal who a candidate is to find out whether a role is a fit.
A partner agency can assess a match from the facts that matter, such as job title, skills, location, salary band, seniority, and availability, without ever seeing the candidate’s name, current employer, or contact details. The identifying information only has to change hands once both sides have agreed to work together.
Stripping out identifiers like this is called pseudonymisation. It is not the same as full anonymisation, because the data can still be linked back to a person and so remains personal data, but it sharply lowers the risk during the riskiest phase: early discovery, when you are still talking to someone you may never end up working with.
How a platform changes the maths
This is where running split fees on a platform, rather than in a group chat, stops being a convenience and becomes a compliance advantage.
A well-built split fee platform applies these principles by default, which is what the UK GDPR calls privacy by design and by default:
- Candidate profiles are matched on skills, location, salary, and seniority, with names and contact details hidden until both agencies accept the match. The other side sees enough to judge fit, and nothing more.
- Identifying data is disclosed once, to one agreed partner, at the point you have both committed, rather than broadcast to a room full of strangers.
- Every disclosure is logged, so there is a clear record of who saw what and when. That accountability is exactly what a regulator expects to see.
- Data-sharing terms, controller responsibilities, and deletion obligations are built into the agreement both sides accept before anything is shared.
None of this removes your responsibility as a controller. You still need your lawful basis and your privacy notice. But it turns the most dangerous part of a split, the early sharing of candidate details, into a controlled, minimised, recorded step instead of a CV flying around WhatsApp. On Split Fee, the matching works exactly this way: anonymised until both agencies accept.
The short version
Sharing candidates between agencies is not a GDPR problem. Sharing them carelessly is.
If you have a lawful basis, you have told candidates the sharing can happen, and you pass on the minimum needed only to a partner who has committed, you are on solid ground. The split fee model is not in tension with data protection. Done right, it is one of the more privacy-respecting ways to place a candidate, because it is built on revealing as little as possible for as long as possible.
When we launch for UK permanent recruitment in mid-2026, anonymised, GDPR-conscious matching is built into the platform from day one. See how Split Fee works for agencies, then join the waitlist to be first in.
This article is general information, not legal advice. For guidance on your own circumstances, consult the Information Commissioner’s Office or a data protection professional.
What to read next
- What Is Split Fee Recruitment? The Complete Guide. Everything about the model in one place.
- Why Manual Split Fee Processes Fail. The trust and data problems baked into the informal approach.
- How Split Fee Works. The step-by-step process on our platform.