Penroll

Penroll Blog

Hiring in the EU: GDPR, candidate data, and what you cannot do

8 min read

A practical guide to GDPR for SMBs hiring in the EU: what data you can collect, how long you can keep it, and what to put in your career page footer.

The five-minute GDPR-for-hiring summary

If you hire anyone in the EU or EEA, including remote workers, you are subject to GDPR; hiring in the UK puts you under the UK GDPR, which mirrors it closely. The good news: the rules for hiring are simpler than the rules for, say, ad-tech. You need to do five things.

  1. Tell candidates what data you collect and why.
  2. Have a lawful basis for collecting it (usually legitimate interest, or the "steps at the candidate's request before entering a contract" basis in Article 6(1)(b); consent only for extras such as keeping the CV on file).
  3. Keep the data only as long as you need it.
  4. Delete it on request.
  5. Keep it secure, and keep it inside the EU where you can.

That is the entire framework. The rest is detail.

What counts as "candidate data"

CVs, cover letters, application form answers, interview notes, scoring sheets, portfolio links, and any AI-generated summaries about the candidate. All of it is personal data under GDPR Article 4(1), and all of it is in scope of a subject access request (Article 15), so write interview notes you would be comfortable handing to the candidate. If it is on your laptop or in your inbox, it counts.

Lawful basis: consent vs legitimate interest

For the application itself, legitimate interest (or the pre-contract basis in Article 6(1)(b), since the candidate asked you to consider them) is the cleaner choice. Consent is fragile: if the candidate withdraws it, you must stop processing at once unless another basis covers it, which complicates active hiring decisions.

Use consent only for:

When you need consent, ask for it explicitly with a tickbox: "I agree to my CV being kept for future roles for up to 12 months". Never a pre-ticked default, and record when consent was given and what the candidate saw, because you must be able to demonstrate it (Article 7(1)).

What to put on your application form

A short paragraph above the submit button:

We collect this data to evaluate your application. Lawful basis: legitimate interest. Data retention: 90 days for unselected candidates, the duration of employment + statutory minimums for hires. You have the right to access, correct, or delete your data β€” email privacy@yourcompany.com. Full notice: yourcompany.com/privacy.

That is enough for a small business. If you have a Data Protection Officer (mandatory under Article 37 for public bodies and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data), name them.

Retention: how long you can keep it

Default is as short as defensibly possible. For unselected candidates:

For hired candidates, the data moves into your HR system and is governed by employment and tax law (typically the length of employment plus a statutory archive period, which varies by country and by record type: 5 years in Germany, 6 years in the UK, etc.).

The right to erasure

If a candidate emails you saying "please delete my data," you have one calendar month to act (extendable by two further months for complex requests, provided you tell the candidate within the first month, Article 12(3)). That is GDPR Article 17, the right to erasure, often called the right to be forgotten. It is not absolute: you may keep what you need to meet a legal obligation or to defend a legal claim (Article 17(3)), but only that, and you must tell the candidate what you kept and why. Practically:

  1. Delete from your ATS and any spreadsheets.
  2. Delete the CV file from storage.
  3. Delete the candidate's emails from your inbox and from any mail archive. An archive you merely make harder to search still holds their personal data.
  4. Notify everyone you forwarded the CV to, internal interview panellists as well as any recruiter, agency or other processor, and ask them to delete their copies.
  5. Send a written confirmation back to the candidate.

If you do not have a lightweight way to do steps 1–4, your hiring stack is not GDPR-compliant.
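The retention sweep and the erasure checklist above, as an added example that is not Penroll's code: it runs over an in-memory stand-in (a hypothetical HiringStore holding an ATS table, a CV bucket, a mailbox and a record of who received copies) with constructed sample candidates, applies the 90-day rule, computes the Article 12(3) deadline with calendar-month arithmetic, and refuses erasure while a legal hold (Article 17(3)(e), defence of legal claims) is in place. The store layout, candidate fields, statuses and addresses are all assumptions.

```python
# Added example, not Penroll's code. Everything below is an in-memory stand-in for the
# places a small hiring stack spreads candidate data across (ATS, CV bucket, mailbox).
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

RETENTION_DAYS_UNSELECTED = 90      # retention period the privacy notice promises
ERASURE_DEADLINE_MONTHS = 1         # GDPR Art. 12(3): act within one month ...
ERASURE_EXTENSION_MONTHS = 2        # ... extendable by two further months if complex


@dataclass
class Candidate:
    candidate_id: str
    email: str
    status: str                      # assumed values: "unselected", "in_process", "hired"
    decided_on: date                 # date of the rejection (or hire) decision
    legal_hold: bool = False         # kept to defend a legal claim, Art. 17(3)(e)


@dataclass
class HiringStore:
    """Hypothetical stand-in for the systems that hold candidate data."""
    ats: Dict[str, Candidate] = field(default_factory=dict)
    cv_files: Dict[str, bytes] = field(default_factory=dict)         # candidate_id -> CV bytes
    mailbox: List[dict] = field(default_factory=list)                # {"from": ..., "subject": ...}
    shared_with: Dict[str, List[str]] = field(default_factory=dict)  # candidate_id -> recipients


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def erasure_deadline(received_on: date, extended: bool = False) -> date:
    """Latest date by which an erasure request received on received_on must be answered."""
    months = ERASURE_DEADLINE_MONTHS + (ERASURE_EXTENSION_MONTHS if extended else 0)
    return add_months(received_on, months)


def erase_candidate(store: HiringStore, candidate_id: str) -> dict:
    """Steps 1-4 of the checklist; the returned report feeds the written confirmation (step 5)."""
    cand = store.ats.get(candidate_id)
    if cand is None:
        return {"candidate_id": candidate_id, "erased": False, "reason": "not found", "notify": []}
    if cand.legal_hold:
        # Art. 17(3)(e): refuse, and tell the candidate what is kept and why.
        return {"candidate_id": candidate_id, "erased": False, "reason": "legal hold", "notify": []}
    del store.ats[candidate_id]                                       # 1. ATS record
    cv_removed = store.cv_files.pop(candidate_id, None) is not None   # 2. CV file
    before = len(store.mailbox)                                       # 3. emails from the candidate
    store.mailbox[:] = [m for m in store.mailbox if m["from"].lower() != cand.email.lower()]
    notify = store.shared_with.pop(candidate_id, [])                  # 4. holders of copies
    return {"candidate_id": candidate_id, "erased": True, "cv_removed": cv_removed,
            "emails_removed": before - len(store.mailbox), "notify": notify}


def retention_sweep(store: HiringStore, today: date) -> Dict[str, dict]:
    """Erase unselected candidates whose decision is older than the retention period.

    Returns one report per erased candidate so the notifications in step 4 are not lost.
    """
    cutoff = today - timedelta(days=RETENTION_DAYS_UNSELECTED)
    expired = [cid for cid, c in list(store.ats.items())
               if c.status == "unselected" and not c.legal_hold and c.decided_on < cutoff]
    return {cid: erase_candidate(store, cid) for cid in expired}


def build_demo_store() -> HiringStore:
    """Constructed sample data (addresses and dates are made up)."""
    store = HiringStore()
    store.ats["c1"] = Candidate("c1", "ana@example.org", "unselected", date(2024, 1, 10))
    store.ats["c2"] = Candidate("c2", "ben@example.org", "unselected", date(2024, 5, 1))
    store.ats["c3"] = Candidate("c3", "cleo@example.org", "unselected", date(2024, 1, 5), legal_hold=True)
    store.cv_files = {"c1": b"%PDF-1.4 ...", "c2": b"%PDF-1.4 ...", "c3": b"%PDF-1.4 ..."}
    store.mailbox = [{"from": "Ana@example.org", "subject": "Application"},
                     {"from": "ben@example.org", "subject": "Re: interview"},
                     {"from": "hr@yourcompany.example", "subject": "Panel notes"}]
    store.shared_with = {"c1": ["panellist1@yourcompany.example", "panellist2@yourcompany.example"]}
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print("expired:", retention_sweep(store, date(2024, 5, 15)))   # c1 only; c3 is on legal hold
    print(erase_candidate(store, "c2"))
    print("deadline:", erasure_deadline(date(2024, 1, 31)))        # 2024-02-29
```

Two design points: the sweep reuses the same erase routine as a manual request, so "automatic deletion" cannot quietly skip the CV bucket or the mailbox, and the deadline uses calendar months with end-of-month clamping, because "one month" from 31 January is not 31 days.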

Data residency: keep it in the EU

The single biggest source of GDPR pain is cross-border data transfer. If your ATS, CV-parser, or AI ranking sends the CV to a service outside the EU/EEA, you are transferring personal data and need either an adequacy decision (for the US, the EU-US Data Privacy Framework, whose two predecessors were struck down by the CJEU) or Standard Contractual Clauses plus a Transfer Impact Assessment.

The simpler path: pick vendors that store and process EU candidate data inside the EU. Penroll uses Supabase EU (Frankfurt) for storage; check your ATS provider's documentation for the equivalent. An EU region on its own is not the whole answer: also check from where the vendor's support staff and sub-processors can reach the data, since remote access from outside the EU is a transfer too.

AI and candidate data

The newest area of GDPR uncertainty is automated decision-making. If an AI scores a candidate and you reject them on that score alone, with no human judgment in between, GDPR Article 22 applies: the candidate has the right to obtain human intervention, to express their point of view, to contest the decision, and to be given meaningful information about the logic involved.

Practically, this means:

Most reputable AI hiring tools have this baked in. If yours auto-rejects without a human in the loop, change tools.

Your career-page footer

Three things must be on every page that collects candidate data:

  1. A link to your privacy notice.
  2. A note that the data is processed under GDPR.
  3. Contact details for data-subject requests (an email address is fine).

That is enough for a startup. Larger companies will want a full Data Processing Notice with all the Article 13/14 fields.

What Penroll handles for you

If you use Penroll: the application form has the consent paragraph, the 90-day automatic deletion is in the database schema, the storage bucket is in the EU, and the AI calls are configured for zero-retention. The pipeline is GDPR-ready by default. Start a free account and the first job post is compliant out of the box.

Try Penroll free

AI-generated job posts, ranked candidates, and country-aware offer letters, all in one tool. Five free credits, no card required.

Start hiring →