Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Recruitment Tech and ATS Platforms: Candidate Data, CV Storage, and Automated Screening

Applicant tracking systems are among the most data-intensive platforms in any business stack. A single recruitment cycle can generate thousands of CVs, cover letters, interview notes, psychometric test results, background check reports, and AI scoring outputs — all attached to identifiable individuals who never became employees.

That creates a significant GDPR exposure most HR tech companies underestimate. This guide covers the full compliance framework: from lawful bases for candidate processing to Article 22 obligations around automated screening, special category data in background checks, and the right of candidates to access their own rejection notes.


Why ATS Platforms Are High-Risk Data Processors

Under GDPR, an ATS platform occupies a dual role. If you build and sell recruitment software, you are typically a data processor — processing candidate data on behalf of your employer clients, who are the data controllers. But if your platform maintains talent pools, sends outreach to passive candidates, or runs AI screening independently, you may become a controller in your own right.

High-risk factors specific to recruitment tech:

  • Volume: Enterprise ATS platforms can hold millions of candidate records, many of whom were never contacted
  • Sensitivity: CVs contain full names, addresses, employment history, education, and sometimes protected characteristics
  • Duration: Data is frequently retained indefinitely "just in case" — a position the ICO and CNIL have consistently rejected
  • Automated processing: AI screening tools make or contribute to decisions about whether people progress — Article 22 territory
  • Third-party integrations: LinkedIn imports, Indeed apply flows, video interview platforms, and psychometric tools all involve data sharing that requires legal justification

If your platform stores candidate data on behalf of clients, you need a Data Processing Agreement (DPA) with each client. This is not optional.


Lawful Bases for Processing Candidate Data

The lawful basis question in recruitment is genuinely contested. Here are the main options and their practical implications:

Consent

Consent is often the first instinct but rarely the best choice for candidate processing. The problem: a candidate applying for a job is in an inherently unequal position relative to a potential employer. GDPR requires consent to be "freely given" — and regulators have questioned whether job applicants can truly refuse consent without risking their application.

If you rely on consent, it must be:

  • Specific (not buried in terms of service)
  • Informed (candidates understand exactly what you'll do with their data)
  • Freely given (they can withdraw without consequences for their application)
  • Actively given (no pre-ticked boxes)

For processing related to the application itself, consent is not required and often inappropriate. For additional processing — adding candidates to a talent pool, sharing CVs with partner agencies, running psychometric assessments — you need separate, specific consent.

Legitimate Interest

Legitimate interest is the most commonly used lawful basis for recruitment processing, but it requires a three-part test:

  1. Purpose test: Is there a genuine legitimate interest? (Yes — reviewing applications is a core business activity)
  2. Necessity test: Is processing necessary to achieve that purpose?
  3. Balancing test: Does the legitimate interest override the candidate's rights and expectations?

Processing CVs to assess suitability for an advertised role almost always passes this test. Retaining rejected candidates' data for five years to "build a talent pool" is much harder to justify. The balancing test will typically fail because candidates have a reasonable expectation that their application data is used for the specific role they applied for.

Contractual Necessity

For candidates who receive and accept job offers, contractual necessity covers most employment-related processing. But it does not apply during the application stage — the contract doesn't exist yet.

Special Category Data

Criminal record checks, health-related information, disability disclosures, and psychometric tests touching on protected characteristics are all special category data under Article 9. Standard legitimate interest does not cover these. You need either explicit consent or a specific legal basis under Article 9(2) — in the UK, that typically means Schedule 1 of the DPA 2018 (employment purposes).


CV and Cover Letter Storage: How Long Is Too Long?

This is where most recruitment platforms have a material GDPR problem. The GDPR storage limitation principle requires that personal data not be kept "for longer than is necessary." There is no specific retention period for CV data — the regulator expects a documented, justified policy.

Industry practice vs. regulatory expectations:

Practice                                                              Risk
Retaining all CVs indefinitely                                        High — no justification exists
1-year retention after role closed                                    Moderate — requires documented justification
6-month retention after role closed                                   Low — broadly accepted as reasonable
Automatic deletion after 3 months with candidate-initiated extension  Compliant

The ICO's guidance on recruitment is clear: if a candidate is unsuccessful and not placed in a talent pool with their explicit consent, their data should be deleted within a reasonable period after the recruitment exercise concludes.

What you need in your ATS:

  • Automated retention schedules with documented retention periods per data category
  • Candidate-facing mechanisms to extend retention (with clear consent)
  • Deletion logs to demonstrate compliance
  • Separate retention periods for different data types (CV vs. interview notes vs. background check results)

Talent Pools and Candidate Relationship Management

Talent pools — databases of candidates who didn't get hired but might be suitable for future roles — are a legitimate recruitment tool. They are also a GDPR minefield if not handled correctly.

Requirements for a compliant talent pool:

  1. Explicit, specific consent: Candidates must actively opt in to being retained for future opportunities. This consent cannot be buried in application terms — it must be a clear, separate ask.
  2. Transparent purpose: Tell candidates how long you'll keep them, what roles you might contact them about, and how they can remove themselves.
  3. Regular refresh cycles: Consent decays. Candidates who gave permission two years ago may have changed circumstances. Annual re-engagement, with deletion of candidates who don't re-engage, is a reasonable practice.
  4. Easy withdrawal: Candidates must be able to remove themselves from a talent pool without affecting any active applications.
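As an added illustration (not the article's code and not Custodia's product), here is a Python retention sweep that applies the points from the storage section and the talent pool list above: separate retention periods per data category, a single candidate-initiated extension, a separately recorded talent-pool consent that lapses at the annual refresh cycle, and a deletion log that can be shown to a regulator. The category names, day counts, and sample candidates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention period per data category, in days after the recruitment exercise closes.
# Illustrative figures for this example only: the article requires a documented,
# justified period per category, not these specific values.
RETENTION_DAYS = {
    "cv": 90,                # CV and cover letter
    "interview_notes": 90,   # assessor notes and scores
    "background_check": 0,   # criminal record results: only until the hiring decision
}
TALENT_POOL_REFRESH_DAYS = 365  # annual re-engagement cycle for talent-pool consent

@dataclass
class CandidateRecord:
    candidate_id: str
    category: str
    role_closed: date                               # date the recruitment exercise concluded
    talent_pool_consent_on: Optional[date] = None   # separate, explicit talent-pool opt-in
    extension_requested_on: Optional[date] = None   # candidate-initiated extension request

def deletion_due(rec: CandidateRecord) -> date:
    """Date on which this record must be deleted under the documented policy."""
    period = timedelta(days=RETENTION_DAYS[rec.category])
    base = rec.role_closed + period
    if rec.category == "background_check":
        return base  # never extended: the result exists only for the hiring decision
    if rec.talent_pool_consent_on is not None:
        # Consent keeps the record until the next refresh; no re-engagement, no retention.
        return max(base, rec.talent_pool_consent_on + timedelta(days=TALENT_POOL_REFRESH_DAYS))
    if rec.extension_requested_on is not None:
        return max(base, rec.extension_requested_on + period)  # extension restarts the clock once
    return base

def run_retention_sweep(records, today: date):
    """One scheduled sweep: returns (records kept, deletion log entries)."""
    kept, log = [], []
    for rec in records:
        due = deletion_due(rec)
        if due <= today:
            log.append({"candidate_id": rec.candidate_id, "category": rec.category,
                        "due": due.isoformat(), "deleted_on": today.isoformat()})
        else:
            kept.append(rec)
    return kept, log

# Constructed sample data (hypothetical candidates, not real records).
SAMPLE_RECORDS = [
    CandidateRecord("A", "cv", date(2026, 1, 1)),
    CandidateRecord("B", "cv", date(2026, 1, 1), talent_pool_consent_on=date(2026, 1, 15)),
    CandidateRecord("C", "background_check", date(2026, 1, 1), extension_requested_on=date(2026, 2, 1)),
    CandidateRecord("D", "interview_notes", date(2026, 1, 1), extension_requested_on=date(2026, 3, 1)),
]
SWEEP_DATE = date(2026, 4, 15)  # date of the scheduled sweep in this example
```

Running `run_retention_sweep(SAMPLE_RECORDS, SWEEP_DATE)` deletes the plain CV and the background-check result, keeps the talent-pool candidate until the next annual refresh, and honours the interview-notes extension; note that a background-check extension request is ignored by design.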

If your platform allows clients to search a talent pool of candidates who applied elsewhere on the network, you are creating a data marketplace. This requires very explicit consent from candidates and careful DPA structuring between your platform and all employer clients.


Automated CV Screening and Article 22

Article 22 of GDPR gives individuals the right not to be subject to solely automated decision-making that produces "legal or similarly significant effects." Rejection from a job application almost certainly qualifies as a similarly significant effect.

What this means in practice:

If your ATS uses AI to screen CVs and automatically reject candidates without human review, you are likely triggering Article 22 obligations. This includes:

  • Keyword matching tools that filter out CVs before a recruiter sees them
  • AI scoring systems that rank candidates, where low-scoring candidates are never reviewed
  • Video interview analysis tools that assess candidate suitability automatically

Compliance requirements for automated screening:

  1. Human review: There must be a human in the loop who can meaningfully override the automated decision. Rubber-stamping AI outputs doesn't count — regulators will look at whether reviewers have the time and information to exercise genuine judgment.
  2. Right to explanation: Candidates must be able to request a meaningful explanation of any automated decision that affected them.
  3. Objection right: Candidates have the right to object to automated processing and request human review.
  4. Transparency in privacy notice: You must disclose the use of automated decision-making in your recruitment privacy notice.

The French CNIL has specifically investigated algorithmic scoring in recruitment. The UK ICO's guidance on AI and data protection requires fairness assessments for automated hiring tools. If your product uses any form of ML scoring, a Data Protection Impact Assessment (DPIA) is required.


Background Checks: Criminal Record Data as Special Category

Criminal record information is explicitly listed as special category data under Article 10 of GDPR (not Article 9 — a common source of confusion). Processing it requires specific legal authority, typically meaning you need a legal obligation to conduct the check (regulated industries) or explicit candidate consent combined with an Article 10 legal basis under national law.

In the UK, the DBS check system provides the legal framework for criminal record processing in employment contexts. In the EU, requirements vary significantly by member state.

Key compliance points:

  • Do not retain criminal record check results longer than necessary to complete the hiring decision
  • Do not run criminal record checks without a legal basis — general curiosity about candidates does not qualify
  • If integrating with third-party background check providers, you need a DPA and must ensure their processing is lawful
  • Candidates have the right to see background check results that affect hiring decisions

Interview Notes and Assessor Feedback

Interview notes and assessor feedback are personal data. This is frequently overlooked by employers and recruitment platforms alike.

What candidates can request:

Under GDPR's right of access (Article 15), a candidate can submit a Subject Access Request (SAR) and ask for all the data you hold on them — including interview notes, assessor scores, and feedback written during the recruitment process. Courts and regulators have confirmed this extends to informal notes written by interviewers.

There is a partial exemption for references, but it does not extend to internal assessor notes made during an interview.

Practical implications for ATS platforms:

  • Your platform needs to capture and store structured interview notes in a retrievable format
  • Deletion of interview notes cannot happen arbitrarily — it must follow a documented retention policy
  • Clients need to understand that unstructured notes in free-text fields are subject to SARs
  • If notes contain assessments about protected characteristics (disability, pregnancy, ethnicity), the exposure is significant

Job Board Data Imports: LinkedIn and Indeed

Many ATS platforms offer one-click imports from LinkedIn Recruiter, Indeed, and similar platforms. The GDPR lawfulness of this practice depends on what the candidate has agreed to on the originating platform.

LinkedIn's terms permit recruiters to view and contact candidates who have made their profiles visible to recruiters. Importing that profile data into a separate ATS system — where it persists beyond LinkedIn's own retention controls — is a different matter. LinkedIn's data terms have specific restrictions on bulk exports and third-party storage.

What you need:

  • A documented legal basis for retaining imported job board data
  • Clear disclosure to candidates that their profile has been imported (the GDPR transparency obligation requires informing individuals about processing even when data is collected from third parties — Article 14)
  • Deletion workflows that apply the same retention rules as to direct applications

Candidates who discover their LinkedIn profile was imported into an ATS they never interacted with frequently file SARs and complaints. This is an enforcement area where regulators have increasing visibility.


Candidate Right to Access Screening Notes

When a candidate submits a SAR, your platform is likely where most of the relevant data lives. ATS vendors who are processors must contractually commit to supporting client controllers in responding to SARs — this is required under Article 28 GDPR.

What a compliant SAR response must include:

  • A copy of the CV and cover letter as submitted
  • All personal data held in the candidate profile
  • Interview notes and assessor feedback
  • AI scoring outputs or screening results
  • Any communications sent to the candidate
  • Information about how long the data will be retained

You have one calendar month to respond (extendable by two months for complex requests). Failure to respond is one of the most commonly actioned GDPR complaints.


Data Portability for Candidates Switching Platforms

Article 20 gives individuals a right to data portability — to receive their data in a structured, commonly used, machine-readable format. For recruitment platforms, this applies when processing is based on consent or contractual necessity.

If a candidate used a platform to build a profile and apply for jobs, they have a right to export that profile data in a portable format. ATS vendors should build export functionality that covers candidate-submitted data.


Third-Party Integrations: Video Interview Tools and Psychometric Testing

Video interview platforms and psychometric testing tools introduce additional complexity:

Video interviews: Video recordings are biometric data under GDPR if used to analyse physical characteristics, voice patterns, or facial expressions. Several AI video interview platforms have faced regulatory scrutiny for facial analysis features. If your ATS integrates with such tools, you need a DPIA and likely explicit consent (not legitimate interest) for biometric processing.

Psychometric testing: Tests that assess personality, cognitive ability, or other characteristics must be handled carefully. Results can reveal protected characteristics (neurodevelopmental conditions, mental health indicators). Candidates need transparency about how results are scored, stored, and used — and whether any automated decision-making is involved.

In both cases, your integration creates a data sharing arrangement that requires a DPA with each third-party tool and clear disclosure to candidates.


Multi-Jurisdictional Recruitment: EU and US Candidates

When recruiting across borders, you face a dual compliance challenge:

EU candidates are protected by GDPR regardless of where the employer is based. US companies recruiting EU candidates must comply with GDPR.

US candidates are protected by a patchwork of state laws — California's CPRA, Virginia's VCDPA, and others. If your platform operates in multiple US states, you need to understand which state privacy laws apply to candidate data.

International data transfers: Sending EU candidate data to a US-based ATS requires appropriate transfer mechanisms — Standard Contractual Clauses (SCCs) are the most common route. If you're a US-based platform storing EU candidate data, your data processing agreements with EU clients need to address this explicitly.


Privacy Notices in Job Postings

Every job posting that invites applications should link to or include a candidate-specific privacy notice. This is a basic Article 13 requirement — candidates must be informed at the point of data collection how their data will be used.

A compliant recruitment privacy notice covers:

  • Who is the data controller
  • What data is collected and for what purpose
  • The lawful basis for processing
  • How long data is retained
  • Whether automated decision-making is used
  • How candidates can exercise their rights (SAR, erasure, objection)
  • Whether data is shared with third parties or transferred internationally

Generic website privacy policies that briefly mention "job applicants" do not satisfy this requirement. Job posting privacy notices should be specific, accessible, and reviewed whenever your processes change.


10 Common GDPR Mistakes Recruitment Tech Companies Make

  1. No candidate-specific privacy notice — pointing candidates to a general website privacy policy
  2. Indefinite CV retention — no deletion schedules, data retained "just in case"
  3. Consent buried in terms — treating application submission as consent to all processing
  4. No Article 22 compliance for AI screening — automated rejection without human review or explanation mechanism
  5. Missing DPAs with clients — processing candidate data without a compliant data processing agreement
  6. Importing job board data without transparency — failing to notify candidates under Article 14
  7. Ignoring SAR obligations — no process for responding to candidate SARs within 30 days
  8. No DPIA for high-risk processing — skipping impact assessments for AI scoring, biometric video tools, or large-scale screening
  9. Treating background check results as permanent records — retaining them beyond the hiring decision
  10. No data portability functionality — candidates cannot export their own profile data

Get a Free Privacy Compliance Scan

If you run a recruitment platform or ATS and aren't sure what data your site is collecting — or whether your compliance documentation is in order — Custodia can help.

Our free website scanner identifies cookies, trackers, and third-party data flows in 60 seconds. No account required to start.

Scan your website free at app.custodia-privacy.com/scan →


Last updated: March 2026
