You received 200 applications for a single role. CVs with home addresses, phone numbers, work history going back a decade. LinkedIn profiles you screenshotted. Interview notes your hiring panel scribbled down. Assessment scores from a psychometric tool. References from former managers.
What does GDPR say about what you can do with all of it?
The answer is: quite a lot. GDPR recruitment compliance is one of the most overlooked areas of data protection — and one of the most common sources of complaints. Candidates know their rights. They know they can ask what data you hold about them. They know you need a reason to process it. Most employers haven't thought carefully about any of this.
This guide covers the full lifecycle of candidate data under GDPR — from the job posting to the final hire decision, and everything that happens to rejected candidates' data afterwards.
What Data Recruitment Involves
Before addressing what GDPR requires, it's worth being clear about what personal data a typical recruitment process generates:
- CVs and resumes — name, address, contact details, employment history, education, sometimes salary expectations
- Cover letters — personal statements, career motivations, sometimes sensitive disclosures
- LinkedIn profiles — scraped or saved, including profile photos and network connections
- Application form data — diversity monitoring data, disability disclosures, right-to-work declarations
- Assessment results — psychometric scores, technical test outputs, written exercise submissions
- Interview notes — panel members' subjective observations, ratings, and comments
- Reference check data — opinions and assessments from former colleagues or managers
- Background check results — criminal record data (which is special category under GDPR), credit checks, DBS disclosures
All of this is personal data. Most of it is sensitive. Some of it — criminal record data in particular — has heightened protections under GDPR Articles 9 and 10. A compliant GDPR recruitment process handles each category appropriately.
Lawful Basis for Processing Candidate Data
GDPR requires a lawful basis for every processing activity. In recruitment, two bases are most relevant:
Legitimate Interest (Active Recruitment)
For candidates who have applied to a specific open role, legitimate interest is the most common lawful basis used by employers. The three-part test requires that the processing is necessary for a legitimate purpose, that it wouldn't unduly harm the candidate's interests, and that it passes a proportionality check.
Assessing a candidate's suitability for a job they applied for — using the information they submitted — easily passes this test. You don't need consent to review a CV someone sent you.
Consent (Talent Pools and Future Opportunities)
For retaining data beyond the active recruitment cycle — keeping a candidate's CV on file for future roles, adding them to a talent pool — consent is the appropriate basis. Legitimate interest is harder to justify when there's no active vacancy and no immediate purpose.
Consent must be freely given, specific, informed, and unambiguous. Burying it in a terms of service checkbox doesn't count.
The Job Listing Privacy Notice: What Candidates Must Be Told
Before candidates apply, they must be informed about how their data will be used. This is a GDPR Article 13 obligation: at the point of collection, you must provide a privacy notice covering:
- Who the data controller is (your company)
- What data you collect and why
- Your lawful basis for processing
- Who you share data with (third-party recruiters, ATS platforms)
- How long you retain the data
- What rights the candidate has (access, erasure, objection)
- Whether any automated decisions are made
This doesn't require a wall of legal text. A clear, readable "Candidate Privacy Notice" linked from the job application form is the standard approach. What it cannot be is absent altogether — and absence is exactly the situation at most companies currently getting GDPR recruitment wrong.
Third-Party Recruiters: The Data Processor Relationship
If you use a recruitment agency, they are processing personal data on your behalf. Under GDPR, that makes them a data processor — and Article 28 requires a written Data Processing Agreement (DPA) before they can legally handle candidate data for you.
The DPA must specify:
- What data is being processed and for what purpose
- Security obligations the recruiter must meet
- Restrictions on using candidate data for their own purposes (e.g., their own talent database)
- What happens to the data when the relationship ends
Many recruitment agencies send over CV shortlists without any DPA in place. That's a GDPR violation — and the liability sits with you as the controller.
ATS Platforms: Another Data Processor Requiring a DPA
Your Applicant Tracking System — Greenhouse, Lever, Workable, SmartRecruiters, or any other — processes candidate data on your behalf. They're a data processor. You need a DPA.
Most reputable ATS vendors include a DPA as part of their terms of service or offer one on request. Before using any ATS for GDPR recruitment purposes, confirm:
- A DPA is in place (check your contract)
- Data is stored within the EEA, or adequate transfer safeguards exist (Standard Contractual Clauses) if stored in the US
- Candidates are informed about ATS processing in your privacy notice
- You can delete candidate data from the ATS when retention periods expire
CV Screening and Automated Decision-Making: When Article 22 Applies
Many ATS platforms offer automated screening — keyword matching, scoring algorithms, or AI-based ranking. This is where GDPR's Article 22 becomes relevant.
Article 22 restricts solely automated decisions that have a significant effect on a person. If your ATS automatically rejects candidates based on algorithmic scoring without any human review, that likely triggers Article 22 requirements:
- Candidates must be informed that automated processing occurs
- They must have the right to request human review
- They must be able to contest the decision
If a human reviews every application before rejection, Article 22 probably doesn't apply — the automated scoring is just a tool, not the decision-maker. But if your system auto-rejects CVs that don't hit a keyword threshold, you need to be transparent about it and provide a challenge mechanism.
For GDPR recruitment purposes: document what your ATS does, whether it makes any decisions autonomously, and what your candidate-facing disclosure says about it.
Sharing CVs Internally: Data Minimisation in Practice
GDPR's data minimisation principle applies to internal sharing too. Not everyone in your organisation needs to see every detail of a candidate's CV.
Best practice:
- Limit access to hiring panel members who need it for that specific role
- Avoid emailing CVs as attachments — they end up in inboxes indefinitely
- Use your ATS for centralised, access-controlled sharing
- Remove personal contact details when sharing with people who don't need them
- Delete panel notes once the hiring decision is made (subject to retention rules)
Consider who actually needs what information. The CEO reviewing a senior hire needs more context than a junior panel member doing a technical screen.
Rejected Candidates: How Long to Keep Their Data
This is one of the most common GDPR recruitment failures. Companies receive hundreds of applications, hire one person, and then hold everyone else's data indefinitely because they never thought about it.
GDPR's storage limitation principle is clear: you can't keep personal data longer than necessary.
Standard practice for rejected candidates is to delete their data within 6 to 12 months of the recruitment process ending. This is enough time to:
- Handle any employment tribunal claim arising from the decision
- Respond to a DSAR from the candidate
- Complete any hiring appeals process
Some sectors (financial services, public sector roles requiring security clearance) have specific requirements that may justify longer retention. But for most employers, 6 months post-rejection is the defensible position.
State your retention period in your candidate privacy notice. Then enforce it — which means configuring your ATS to flag or automatically delete records past the retention date, or building a regular deletion schedule into your HR process.
Talent Pools: Explicit Consent Required
Keeping a candidate's details for future roles — a "talent pool" or "talent bank" — goes beyond the original purpose of assessing them for a specific job. This requires explicit consent.
To build a compliant GDPR talent pool:
- Ask candidates separately if they consent to being kept for future opportunities
- Explain clearly what "future opportunities" means (role types, departments, timeframe)
- Make it optional — applying for the current role must not be conditional on joining the talent pool
- Include a clear, easy opt-out mechanism
- Re-seek consent after a defined period (typically 12 months) if they haven't been contacted
- Delete promptly when someone withdraws consent
Do not add candidates to a talent pool without their consent, even if you think they'd be a great fit for something later.
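The retention rule above (delete unsuccessful candidates' data 6 to 12 months after the process ends, and enforce it by flagging or deleting records automatically) and the talent pool rule (keep only with consent, re-seek consent after about 12 months, delete on withdrawal) are easy to state and easy to forget. The script below is an added illustration, not code from the original post or from any ATS vendor, of what a scheduled retention sweep over exported candidate records looks like. The record fields, the 183-day retention window, the 365-day re-consent cycle and the sample candidates are all assumptions constructed for the example; the point is that every record resolves to a single auditable action and that missing data is surfaced for review rather than silently kept.

```python
"""Retention sweep over candidate records (constructed example; field names and
policy periods are assumptions, not any ATS vendor's schema or API)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy values: the candidate privacy notice states 6 months for
# unsuccessful applicants and a 12-month re-consent cycle for the talent pool.
RETENTION_AFTER_CLOSE = timedelta(days=183)
TALENT_POOL_RECONSENT = timedelta(days=365)


@dataclass
class Candidate:
    candidate_id: str
    status: str                                    # "rejected", "hired" or "in_process"
    process_closed_on: Optional[date]              # when the recruitment process ended
    talent_pool_consent_on: Optional[date] = None  # None = no consent, or consent withdrawn
    last_contacted_on: Optional[date] = None       # last contact about a future role


def classify(c: Candidate, today: date) -> str:
    """Return the single action the retention policy requires for one record."""
    if c.status == "in_process":
        return "keep"                # active recruitment: legitimate interest still applies
    if c.status == "hired":
        return "transfer_to_hr"      # becomes an employee record, which is a different purpose
    # From here on the candidate was unsuccessful.
    if c.talent_pool_consent_on is not None:
        # Consent stays fresh from the later of: the consent itself or the last contact.
        anchor = max(d for d in (c.talent_pool_consent_on, c.last_contacted_on) if d)
        if today - anchor >= TALENT_POOL_RECONSENT:
            return "reconsent"       # stale consent: ask again, and delete if no answer
        return "keep_talent_pool"
    if c.process_closed_on is None:
        return "review"              # data quality gap: retention cannot be computed
    if today - c.process_closed_on >= RETENTION_AFTER_CLOSE:
        return "delete"
    return "keep"


def sweep(records: List[Candidate], today: date) -> Dict[str, List[str]]:
    """Group candidate ids by required action; the caller executes the deletions."""
    actions: Dict[str, List[str]] = {}
    for c in records:
        actions.setdefault(classify(c, today), []).append(c.candidate_id)
    return actions


def apply_deletions(records: List[Candidate],
                    actions: Dict[str, List[str]]) -> Tuple[List[Candidate], List[str]]:
    """Drop records marked for deletion. The audit log carries ids only, so the log
    does not itself retain the personal data that was just deleted."""
    doomed = set(actions.get("delete", []))
    kept = [c for c in records if c.candidate_id not in doomed]
    audit = [f"deleted candidate {cid} under retention policy" for cid in sorted(doomed)]
    return kept, audit


# Constructed sample records for a round that closed on 1 Feb 2025.
SAMPLE = [
    Candidate("c1", "rejected", date(2025, 2, 1)),                     # past the 6-month window
    Candidate("c2", "rejected", date(2025, 12, 15)),                   # still inside retention
    Candidate("c3", "rejected", date(2025, 2, 1),
              talent_pool_consent_on=date(2025, 2, 1)),                # consent now stale
    Candidate("c4", "rejected", date(2025, 2, 1),
              talent_pool_consent_on=date(2025, 2, 1),
              last_contacted_on=date(2025, 11, 1)),                    # recently contacted
    Candidate("c5", "hired", date(2025, 2, 1)),                        # now an employee
    Candidate("c6", "rejected", None),                                 # close date never recorded
]


def run_sample(today: date = date(2026, 3, 1)) -> Dict[str, List[str]]:
    return sweep(SAMPLE, today)


if __name__ == "__main__":
    actions = run_sample()
    for action, ids in sorted(actions.items()):
        print(f"{action:17} {', '.join(ids)}")
    remaining, audit = apply_deletions(SAMPLE, actions)
    print(f"{len(remaining)} records remain; audit: {audit}")
```

Run on a schedule (monthly is enough for a 6-month window) against an export from the ATS, then feed the `delete` and `reconsent` lists back into it. The `review` bucket is the one most teams skip: a record with no recorded close date is exactly the one that ends up kept forever, so it should be handled by a person rather than quietly left in place.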
Background Checks: Proportionality and Special Category Data
Criminal record data is special category data under Article 10 of GDPR. Processing it requires both a lawful basis and specific legal authorisation — in the UK, this is typically covered by Part 2 of the Data Protection Act 2018 for DBS checks in regulated sectors.
For GDPR recruitment purposes, background check proportionality means:
- Only run criminal record checks for roles where they're legally required or clearly justified by the nature of the work
- Don't run comprehensive background checks on all candidates as a matter of course
- Inform candidates at the outset that a background check is required for the role
- Limit who can access the results to those with a genuine need
- Delete criminal record check results promptly after the hiring decision
Broader background checks — employment history verification, credit checks — also require justification. They should be proportionate to the role, and candidates must be told they're happening.
Reference Checks: Consent Before Contact
Before you contact a candidate's references, you should obtain the candidate's consent. This matters for two reasons:
- Sharing a candidate's name and employment details with a third party requires a lawful basis
- The candidate may have given references' details as part of their application — that doesn't mean they've consented to you contacting them at any stage of the process
Best practice: ask for references once you've made a conditional offer, and confirm with the candidate before making contact. This is both good practice and GDPR-compliant.
The reference check itself generates data (the referee's opinions). Treat this data accordingly: store it securely, don't share it beyond those who need it, and delete it with the rest of the candidate record after the retention period.
DSARs from Unsuccessful Candidates: What You Must Provide
Rejected candidates have the same GDPR rights as anyone else. If an unsuccessful applicant submits a Data Subject Access Request (DSAR), you must respond within one calendar month and provide:
- All personal data you hold about them (CV, cover letter, application form data)
- Interview notes and assessment scores
- Any internal communications that reference them by name
- Information about who their data was shared with
- The purposes and lawful basis for processing
- Retention period information
The tricky area is interview notes. Hiring managers often write notes they'd rather keep private. But if those notes contain personal data about the candidate, they're subject to DSAR. Train your hiring panels to write professional, objective notes — and assume they're disclosable.
You can redact third-party personal data (other candidates' names, referee opinions expressed in a personal capacity) but you cannot withhold the candidate's own data on the grounds that it's inconvenient.
Practical Checklist: 8 Things to Fix in Your Recruitment Process
Add a Candidate Privacy Notice to every job listing and application form — cover lawful basis, retention period, third-party sharing, and candidate rights.
Sign DPAs with your ATS provider and any recruitment agencies before they handle candidate data.
Set a retention period of 6–12 months for unsuccessful candidates and enforce it — either through ATS automation or a scheduled deletion process.
Don't build talent pools without explicit consent — add a separate opt-in at the application stage with a clear explanation and easy opt-out.
Review what your ATS does automatically — if it auto-rejects or auto-scores candidates, disclose this to applicants and implement a human review pathway.
Restrict internal CV sharing — use your ATS, not email forwards, and limit access to the relevant hiring panel.
Treat interview notes as disclosable — train hiring managers to write professional, objective notes that they'd be comfortable sharing in a DSAR.
Get candidate consent before contacting references — don't call references until you've made a conditional offer and confirmed the candidate agrees.
How Custodia Helps
Custodia helps organisations manage privacy compliance across their data flows — not just on the website, but across the tools and processes that handle personal data. From generating accurate privacy notices to tracking data processor relationships, Custodia gives you a clear view of your compliance posture without the complexity of enterprise privacy software.
If your recruitment process involves an ATS, a third-party recruiter, or any automated screening — Custodia can help you document it, audit it, and keep it compliant as your team grows.
Last updated: March 27, 2026. This post provides general information about GDPR recruitment compliance. It does not constitute legal advice. Requirements vary by jurisdiction and sector — consult a qualified privacy professional for advice specific to your organisation.