DPDPA 2023 · DPDP Rules 2025

DPDPA Compliance for Recruitment Agencies in Bhubaneswar

DPDPA compliance for recruiters and staffing firms managing large candidate (CV) databases.

Why this matters in Bhubaneswar: Large unmanaged candidate databases are a breach magnet; security failures carry up to ₹250 crore in penalties.

Overview

Recruiters hold enormous candidate databases — CVs, contact details, employment history — frequently sourced and shared without a clear lawful basis or retention limit.

Bhubaneswar context: An emerging IT and education city where new startups lack baseline privacy notices. The obligations below apply to recruitment and staffing agencies operating in Bhubaneswar, Odisha — there is no local exemption and no turnover threshold under the DPDP Act.

Does DPDPA apply to you?

DPDPA applies. Candidate data sourced from job boards and shared with client employers makes processor/transfer obligations central.

Personal data you typically process

  • CVs and resumes
  • Candidate contact details
  • Employment & salary history
  • Interview notes and assessments
  • Background-check data

Your biggest compliance risks

  • Holding CVs indefinitely 'for future roles'
  • Sharing candidate data with clients without consent
  • No deletion mechanism for candidates
  • Scraped data with no lawful basis

What the DPDP Act requires you to do

  • Consent or clear lawful basis for candidate processing
  • Notice explaining how CVs are used and shared
  • Retention schedule for inactive candidates
  • Contracts governing client-employer data sharing
  • Grievance Officer for candidate requests

Common violations regulators look for

  • Reusing old CVs without fresh consent
  • Forwarding candidate data to clients silently
  • No erasure on candidate request

Quick wins you can do this week

  • Add a candidate consent + notice step
  • Set an inactive-candidate purge schedule
  • Create a candidate data-deletion request flow
  • Document client data-sharing terms

Generate your DPDPA documents free

Don't just read about it — produce a compliant privacy notice, consent notice and grievance page for your recruitment & staffing agency in minutes, and download a Board-ready evidence pack.

Frequently asked questions

Can we keep CVs for future opportunities?
Only with consent and a defined retention period communicated to the candidate. Indefinite retention is not defensible.

Do candidates have a right to deletion?
Yes. Data principals can request erasure, and you need a process to honour it.

This page is educational and does not constitute legal advice. It reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at publication.