GDPR-compliant hiring: what companies need to know

GDPR is not just for marketing

When most people think of GDPR, they think of cookies and email lists. But the General Data Protection Regulation covers every processing of personal data — including recruitment.

When a candidate sends a CV, they entrust you with their name, address, education, work experience, and sometimes sensitive data like date of birth or health status. How you store this data, who accesses it, and when you delete it — all of this is governed by GDPR.

And the penalties are not symbolic. Data protection authorities actively monitor compliance, and fines can reach up to 20 million euros or 4% of annual turnover.

What are your obligations?

1. Legal basis for processing

You need a legal basis to process a candidate’s personal data. In recruitment, the two most common ones are:

  • Performance of a contract or pre-contractual measures: The candidate applies for a position, thereby requesting the processing of their data for selection purposes. This is the standard basis during the hiring process.
  • Consent: If you want to retain data after the process ends (e.g., for future opportunities), you need the candidate’s explicit consent.

Important: consent must be freely given, specific, and revocable. “By applying for this position, you agree to indefinite storage of your data” is not valid consent.

2. Informing the candidate

The candidate must know:

  • who processes their data (identity of the controller),
  • for what purpose the data is processed,
  • how long it is stored,
  • what rights they have (access, rectification, erasure, portability),
  • whether the data is shared with third parties.

This information must be available before or at the time of application — not only upon request.

3. Purpose limitation

You may only process candidate data for the purpose for which it was collected. If a candidate applied for a web developer position, you may not use their data for marketing or share it with another company without their consent.

4. Storage limitation

After the hiring process ends, you must delete the data of non-selected candidates — unless you have their consent for longer retention. The recommended retention period without consent is usually until the end of the selection process or a few months after (in case of appeals).

5. Data security

You must adequately protect candidates’ personal data. This means:

  • limiting access to people who need the data,
  • protection against unauthorized access (passwords, encryption),
  • logging who accessed data and when.

Where do companies most commonly make mistakes?

CVs sitting in email inboxes

A candidate sends a CV by email. The email stays in the inbox forever. It gets forwarded to colleagues. Printed and left on a desk. This is probably the most common GDPR violation in hiring — and the hardest to fix without a proper system.

Spreadsheets without controls

An Excel file of candidates that circulates across the team without access restrictions is problematic. Who has a copy? Did someone save the file to a USB drive? Are candidate data from previous postings still in the spreadsheet?

Learn more about why spreadsheets are problematic for candidate management in our article on ATS (applicant tracking system) vs. spreadsheets.

No processing records

The law requires you to maintain records of processing activities — documented procedures describing what data you collect, why, how long you store it, and who accesses it. Many companies do not have these records at all.

Not informing candidates of their rights

Candidates have the right to request access to their data, rectification, or erasure. If you do not inform them of these rights or fail to respond to a request within the legal deadline (one month), that is a violation.

How does an ATS help with GDPR compliance?

A good ATS does not solve all GDPR challenges, but it significantly simplifies compliance:

  • Centralized storage: All candidate data is in one place, not scattered across email inboxes, spreadsheets, and folders.
  • Access control: You define who has access to which data. A reviewer only sees what they need.
  • Automatic deletion: The system reminds you or automatically deletes data after the retention period expires.
  • Consent management: The candidate provides consent at the time of application, which is documented and verifiable.
  • Audit trail: The system logs who accessed data, when, and what they did.

Practical tips for companies

1. Prepare a privacy notice

Write a clear privacy notice for candidates and publish it on your job posting or careers page. Include all required information: controller identity, purpose, retention period, candidate rights.

2. Separate consent for longer retention

Consent for longer data retention must be separate from the application itself. A candidate can apply for a position without consenting to data storage for future postings — and this must be clearly separated.

3. Define retention periods

Determine how long you store candidate data after the process ends. A typical period is 6 to 12 months with consent; without consent, delete the data as soon as the process ends.

4. Train your team

Everyone involved in hiring must know the basics of GDPR. They do not need to know the entire regulation — it is enough to know that CVs are not to be printed and left on desks.

5. Use the right tool

Spreadsheets and email are not adequate tools for GDPR-compliant hiring. An ATS designed with data protection in mind saves you worry and reduces risk.

Conclusion

GDPR compliance in hiring is not just a legal obligation — it is also an expression of respect for candidates. When a candidate knows their data is safe and that you have a clear process, it builds trust.

Do not wait for a data protection authority to remind you. Get your hiring process in order today — and start with a tool that makes compliance easier.

Try Rekrutko and see what GDPR-compliant hiring looks like in practice.
