Why Hiring Teams Need to Take GDPR Seriously
GDPR has been in force since 2018, but enforcement action against hiring processes specifically has increased sharply since 2022. Data protection authorities in Germany, France, Ireland, and the Netherlands have all issued fines or formal findings against companies for how they handled candidate data during recruitment. If your company hires in or from the EU, this applies to you, regardless of where your headquarters is located.
The core issue is that candidate data is personal data. Resumes, cover letters, interview notes, assessment results, background check outputs, and any other information you collect about a job applicant fall within GDPR's scope. Processing that data requires a lawful basis, proper notice to candidates, and a defined retention period, among other requirements.
What Data You Can Collect
GDPR does not prohibit collecting candidate data. It requires that the data you collect be adequate, relevant, and limited to what is necessary for the purpose. In a hiring context, this generally permits:
- Contact information (name, email, phone, address)
- Work history and qualifications
- Educational background
- Assessment results directly relevant to the role
- Interview notes and evaluation scores
- Right-to-work documentation (once it is required)
What you should not collect without clear justification and, in some cases, explicit consent: protected characteristic information (race, religion, health status), social media profiles beyond publicly available professional data, and personal information not relevant to the role's essential functions.
Special category data (health, disability, biometric, criminal record) requires explicit consent or another specific legal basis and must be handled with additional safeguards.
The Lawful Basis for Processing Candidate Data
Every processing activity must rest on a lawful basis. For candidate data in hiring, the most commonly applicable bases are:
- Pre-contractual necessity: Processing candidate data is necessary to take steps at the candidate's request prior to entering a contract. This covers most standard recruitment processing: reviewing applications, conducting interviews, and running assessments.
- Legitimate interests: This can cover some processing, such as maintaining a talent pool of promising candidates who were not hired for the current role. However, the legitimate interests basis requires a documented balancing test and cannot override candidates' fundamental rights and interests.
- Consent: Consent is the appropriate basis when you want to do something that isn't strictly necessary for the hiring decision, such as adding a candidate to a marketing list or sharing their profile with a sister company. Consent must be freely given, specific, informed, and unambiguous. Candidates cannot be required to consent as a condition of applying.
Retention Limits
You cannot retain candidate data indefinitely. GDPR requires that personal data be kept "no longer than necessary for the purposes for which the personal data is processed." For unsuccessful candidates, common practice and data protection authority guidance converge around the following:
- 6 months after the end of the recruitment process: adequate in most jurisdictions to respond to any discrimination claims or data subject access requests
- Up to 1-2 years with explicit consent from the candidate: appropriate for a talent pool where the candidate has agreed to be contacted for future roles
- For hired candidates: data moves into employment records, governed by employment data retention rules which vary by country
You need a documented retention schedule and a mechanism to actually delete or anonymize data when the period expires. Storing candidate data indefinitely in an ATS "just in case" is a GDPR violation.
The Right to Erasure in Hiring
Candidates have the right to request deletion of their personal data. When a candidate submits an erasure request, you must delete their data unless you have a legal obligation to retain it (for example, to defend against a pending discrimination claim) or another specific exemption applies.
Operationally, this means your ATS and any other systems containing candidate data need to be capable of complete deletion upon request, not just suppression or anonymization (though anonymization can substitute for deletion in some cases if done properly). You also need a documented process for receiving, verifying, and fulfilling erasure requests within the required 30-day response window.
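As an added illustration, not code from the article, the following Python sweep applies the retention schedule above (6 months for unsuccessful candidates, up to 2 years with talent-pool consent, hand-off to employment records for hires) together with the erasure rule from this section (delete on request unless a legal hold applies, and track the 30-day window). The record fields, the 183-day approximation of 6 months, and the candidate records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed schedule, following the article: ~6 months, 2 years with consent, 30-day reply window.
RETAIN_UNSUCCESSFUL = timedelta(days=183)
RETAIN_TALENT_POOL = timedelta(days=730)
ERASURE_WINDOW = timedelta(days=30)


@dataclass
class CandidateRecord:            # constructed, hypothetical ATS record shape
    candidate_id: str
    outcome: str                  # "unsuccessful" or "hired"
    process_ended: date
    talent_pool_consent_on: Optional[date] = None  # explicit consent date, if any
    erasure_requested_on: Optional[date] = None    # date an erasure request was received
    legal_hold: bool = False      # e.g. a pending discrimination claim


def retention_action(rec: CandidateRecord, today: date) -> str:
    """Return 'retain', 'delete' or 'transfer_to_hr' for one record on a given day."""
    if rec.legal_hold:
        return "retain"           # a legal obligation overrides both expiry and erasure requests
    if rec.outcome == "hired":
        return "transfer_to_hr"   # employment-record retention rules take over from here
    if rec.erasure_requested_on is not None:
        return "delete"           # erasure request with no exemption: delete, do not just suppress
    if rec.talent_pool_consent_on is not None:
        expiry = rec.talent_pool_consent_on + RETAIN_TALENT_POOL
    else:
        expiry = rec.process_ended + RETAIN_UNSUCCESSFUL
    return "delete" if today >= expiry else "retain"


def erasure_overdue(rec: CandidateRecord, today: date) -> bool:
    """True when an erasure request has passed the 30-day response window unanswered."""
    return (rec.erasure_requested_on is not None
            and today > rec.erasure_requested_on + ERASURE_WINDOW)


def run_sweep(records: List[CandidateRecord], today: date) -> Tuple[List[Tuple[str, str]], List[CandidateRecord]]:
    """Apply the schedule to every record; return an audit trail and the records still retained."""
    audit, kept = [], []
    for rec in records:
        action = retention_action(rec, today)
        audit.append((rec.candidate_id, action))  # evidence that the deletion process ran
        if action == "retain":
            kept.append(rec)
    return audit, kept
```

The audit trail is what you would keep to demonstrate that the documented schedule is actually enforced; records marked for deletion should be removed from every system holding them, not only the ATS.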
AI Tools and GDPR Liability
If you use AI tools in hiring, including ATS systems with algorithmic screening, video interview platforms with AI scoring, or any automated decision-making system, GDPR Article 22 is directly relevant. Candidates have the right not to be subject to solely automated decisions that produce significant effects, unless they have given explicit consent, the decision is necessary for a contract, or it is authorized by law.
In practice, this means that if your AI tool produces a reject decision without any human review, that may constitute solely automated decision-making subject to special requirements, including the right to human review and explanation upon request. The safest approach is to require human sign-off on all AI-generated reject decisions and to document that human review occurred.
Practical GDPR Compliance Checklist for Hiring
- Privacy notice provided to candidates at the point of data collection, explaining what data is collected, why, on what legal basis, and how long it will be retained
- Documented retention schedule for all categories of candidate data, with deletion processes verified to work in your ATS
- Process documented for handling data subject access requests within 30 days
- Process documented for handling erasure requests, including verification steps
- AI tools assessed for Article 22 compliance, with human review step documented in workflow
- Data processing agreements in place with all third-party vendors who access candidate data (ATS providers, background check vendors, assessment platforms)
- Special category data handling reviewed if collecting health, disability, or criminal record information
- Candidate consent process reviewed if maintaining a talent pool for future roles
GDPR compliance in hiring is less about preventing data collection and more about doing data collection with intention, documentation, and respect for candidates' rights. Companies that get this right also tend to build more organized hiring processes and better candidate experiences, because the disciplines required for compliance are also the disciplines required for operational clarity.