AI with Michal

GDPR and recruiting data

Rules under the EU General Data Protection Regulation that govern how organisations collect, store, process, and delete personal data about candidates and employees throughout the hiring lifecycle.

Michal Juhas · Last reviewed May 27, 2026

What is GDPR and recruiting data?

GDPR (General Data Protection Regulation) is the EU framework that treats every candidate profile, application, and interview note as personal data requiring a lawful basis to collect, a defined retention period, and a clear deletion path. Recruiters sourcing EU-based candidates must comply whether their organisation is based in the EU or not.

Illustration: candidate data cards flowing into a recruiting system through a compliance checkpoint showing lawful basis, retention clock, and deletion path, with a privacy notice and data processing agreement on the right

In practice

  • A sourcer who saves a LinkedIn profile to an ATS without notifying the candidate is likely in breach of GDPR transparency requirements, even if the data was publicly visible.
  • When a candidate emails "please delete my data," that is a formal erasure request under Article 17 and requires a documented response within 30 days.
  • Adding an AI screening tool that auto-rejects candidates without human review may trigger Article 22 rights, requiring a human review capability before the tool goes live.

Quick read, then how hiring teams use it

This is for recruiters, sourcers, TA ops, and HR partners who need shared vocabulary in compliance reviews, vendor calls, and data audits. Skim the first section for a fast shared picture. Use the second when setting up tools, running enrichment, or onboarding a new AI screening platform.

Plain-language summary

  • What it means for you: Every candidate record is regulated personal data. You need a reason to store it, a limit on how long you keep it, and a way to delete it when asked.
  • How you would use it: Check lawful basis before sourcing outreach, add a privacy notice to every application form, and set ATS retention rules to auto-delete old profiles.
  • How to get started: Ask your DPO or legal team for the current retention schedule. If one does not exist, draft a simple table mapping each data category to a retention period and a deletion owner.
  • When it is a good time: Before adding any enrichment vendor or AI screening tool to your stack.

When you are running live reqs and tools

  • What it means for you: Each new tool that processes candidate data is a GDPR processor. You need a Data Processing Agreement before you send it data, and it must appear in your Records of Processing Activities.
  • When it is a good time: During vendor procurement, not after go-live. Retroactive DPAs slow rollouts and create enforcement exposure.
  • How to use it: Map each tool to a lawful basis, a retention period, and a data category. Review the map when tools change or when sourcing expands to new EU jurisdictions.
  • How to get started: Pull your current ATS retention settings and compare them to your written policy. Most teams find mismatches in the first review.
  • What to watch for: Using legitimate interests for everything without completing the balancing test, and AI tools that claim GDPR compliance but cannot produce their own data handling documentation on request.

Where we talk about this

On AI with Michal live sessions, GDPR appears as a practical constraint on sourcing automation and AI tool selection rather than a legal lecture. The GDPR and first-touch candidate outreach module runs before any webhook build so teams understand lawful basis before wiring candidate data across vendors. AI in recruiting sessions flag Article 22 when discussing automated screening. Bring your actual stack to workshops to get feedback on where your GDPR gaps are most likely to sit.

Around the web (opinions and rabbit holes)

Third-party creators move fast. Treat these as starting points, not endorsements, and verify any regulatory guidance against official ICO or EDPB publications before acting on it.

YouTube

  • The ICO (UK Information Commissioner) channel publishes short guides on legitimate interests and rights requests that apply directly to recruiting contexts.
  • Search "GDPR HR data retention" for practitioner-facing explainers from privacy law firms that cover the retention schedule question in practical terms.

Reddit

  • r/GDPR has threads on candidate data retention, AI screening, and erasure requests from practitioners dealing with real operational questions.
  • r/recruiting occasionally covers GDPR for sourcing and shows how teams handle consent in practice.

GDPR basis comparison

Scenario                        Likely lawful basis     Key risk
Application via careers site    Contract performance    Must delete if withdrawn
Proactive sourcing outreach     Legitimate interests    Requires balancing test
Silver-medalist pool            Consent                 Must maintain consent records
AI screening tool output        Legitimate interests    Article 22 if fully automated

Frequently asked questions

What is the lawful basis for storing candidate profiles under GDPR?
Most recruiting teams use legitimate interests or consent as the lawful basis for proactive sourcing. Consent is fragile: candidates can withdraw it and you must stop processing. Legitimate interests requires a balancing test showing your need outweighs the candidate's privacy rights, which takes a few documented paragraphs to justify. Applications submitted through a careers site usually qualify under contract performance. Whichever basis you choose, document it in your Records of Processing Activities before you start collecting and update it when tools change. Getting DPO or legal sign-off before wiring enrichment APIs to your ATS saves compliance work later.
How long can we keep rejected candidate data after a hiring decision?
There is no fixed GDPR number, but most supervisory authorities and employment lawyers suggest 6 to 12 months after the final decision, long enough to defend against a discrimination claim. Write your chosen period into a retention policy, communicate it in your privacy notice, and build automated deletion workflows in your applicant tracking system (ATS). Silver-medalist pools need separate consent and a clear re-engagement or deletion path once the consent period expires. Indefinite storage without a refresh is the most common GDPR violation recruiters create without noticing, especially in legacy ATS databases built before 2018.
What must a GDPR-compliant candidate privacy notice include?
Your notice must name the data controller, list data categories collected, state the lawful basis for each processing activity, identify third-party processors such as enrichment vendors or AI screening tools, name the supervisory authority candidates can complain to, and give the retention period. It must also explain candidate rights: access, rectification, erasure, portability, objection, and restriction. Recruiters frequently omit the processor list and the right to object. Plain-language summaries are encouraged; legal boilerplate buried in a careers site footer usually fails the transparency standard regulators apply during audits.
Does GDPR restrict how we use AI screening tools in hiring?
Yes. Automated decisions that have legal or similarly significant effects, such as an AI tool that advances or rejects candidates without human review, trigger Article 22 rights: candidates can request human review, challenge the outcome, and receive an explanation of the logic used. The EU AI Act layers additional conformity requirements on top for high-risk hiring systems. In practice: keep a human-in-the-loop at every pass-fail screening step, log which model version ran, and retain enough context to reconstruct why a specific candidate was flagged or passed.
How do we handle a candidate's erasure request under GDPR?
Delete the candidate's personal data unless a legitimate ground overrides the request: an ongoing legal claim, a statutory retention obligation, or another lawful basis still in effect. Log every erasure request, the decision made, and the deletion date. Check whether the data lives across multiple systems: ATS, spreadsheets, enrichment tool exports, calendar entries, and AI chat histories that may contain profile details. Deleting from the primary ATS does not cover all locations. Build a cross-system erasure checklist, test it quarterly, and keep records showing you can respond within the 30-day statutory deadline across your full tool stack.
How should TA teams document their data retention policy for recruiting?
Write one policy document mapping each data category (applications, sourced profiles, interview notes, offer letters, background check results) to a retention period, a lawful basis, and a deletion owner. Store it where legal and TA can both access it, link to it from your candidate privacy notice, and review it every 12 months or when you add new tools. Your Records of Processing Activities under Article 30 must reflect the same categories. During any vendor procurement, run the new tool through a RoPA update before signing the contract. Retroactive compliance reviews after go-live are harder and more expensive than building the habit upfront.
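As an added example (not part of this site's material or any ATS product), a small Python reconciliation script for the retention-policy steps above and the "pull your ATS retention settings and compare them to your written policy" advice earlier on the page: it reports categories where the enforced ATS setting differs from the written schedule, and lists records past their retention deadline, capping consent-based records at consent expiry so a silver-medalist pool cannot outlive its consent. The category names, periods, owners and ATS settings are constructed placeholders, not recommended values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed written retention policy:
# data category -> (days kept after the final decision, deletion owner)
POLICY = {
    "application": (365, "ta-ops"),
    "sourced_profile": (180, "sourcing-lead"),
    "interview_notes": (365, "ta-ops"),
}

# Constructed export of what the ATS actually enforces, in days.
# None means the system never auto-deletes that category.
ATS_RETENTION = {
    "application": 365,
    "sourced_profile": None,
    "interview_notes": 730,
}

def policy_mismatches(policy=POLICY, ats=ATS_RETENTION):
    """Categories where the enforced ATS setting differs from the written policy."""
    # A missing ATS setting is also a mismatch; the owner is returned so the fix can be assigned.
    return [
        (category, days, ats.get(category), owner)
        for category, (days, owner) in policy.items()
        if ats.get(category) != days
    ]

@dataclass
class CandidateRecord:
    candidate_id: str
    category: str
    final_decision: date            # date of the final hiring decision
    lawful_basis: str               # e.g. "legitimate_interests" or "consent"
    consent_expires: Optional[date] = None  # only set for consent-based pools

def records_due_for_deletion(records, today, policy=POLICY):
    """Return (candidate_id, deletion_owner) for each record past its deadline."""
    due = []
    for r in records:
        if r.category not in policy:
            raise ValueError(f"{r.category!r} has no retention entry; add it to the policy first")
        days, owner = policy[r.category]
        deadline = r.final_decision + timedelta(days=days)
        # Consent-based records cannot outlive the consent that justifies them.
        if r.lawful_basis == "consent" and r.consent_expires is not None:
            deadline = min(deadline, r.consent_expires)
        if today > deadline:
            due.append((r.candidate_id, owner))
    return due
```

Run it against a real ATS export by loading the export into the ATS_RETENTION shape and the policy table into POLICY; the mismatch list is the agenda for the first retention review.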
