Disclaimer: This article is for informational purposes only and does not constitute legal advice. Always consult qualified legal counsel for guidance specific to your organization.
If your recruiting team is still treating GDPR as a 2018 problem that got solved once and filed away, this guide is overdue.
The regulatory landscape around candidate data has changed dramatically since GDPR first came into force. In 2026, recruiters are navigating not just the original regulation, but a second compliance layer introduced by the EU AI Act, which directly affects any organization using AI-powered screening tools, ATS ranking algorithms, or automated candidate shortlisting. Fines have been levied. Audits are happening. And the original blog posts written at GDPR launch are nowhere near sufficient preparation for where things stand today.
This guide covers what GDPR actually requires of recruiting teams in practical terms, where most organizations are still getting it wrong, and what the intersection of GDPR and the EU AI Act means for your hiring stack in 2026.
What Does GDPR Mean for Recruiters?
The General Data Protection Regulation is an EU law, but its reach extends well beyond European borders. GDPR applies to any organization that collects or processes the personal data of individuals physically located in the European Union, regardless of where that organization is based.
This means a US-headquartered recruiting agency posting jobs to EU candidates on LinkedIn, a global staffing firm with EU operations, and a SaaS company with a distributed team hiring in Germany or France are all subject to GDPR. The physical location of your company’s servers or offices is not the determining factor. What matters is whether you are processing personal data belonging to EU residents.
For recruiting agencies and staffing firms operating across multiple geographies, this distinction is critical. Non-compliance is not a purely European risk.
Data Controllers vs. Data Processors: What Recruiters Need to Understand
GDPR draws a clear line between two roles, and misunderstanding which one applies to your team is a common compliance gap.
A data controller determines the purpose and means of processing personal data. In recruitment, the employer or recruiting firm that decides to collect candidate resumes, store applicant information, and make hiring decisions is the data controller. This carries the heavier burden; controllers are responsible for ensuring the lawful basis for processing, managing candidate rights requests, and maintaining accountability across their entire data ecosystem.
A data processor handles personal data on behalf of the controller. Your applicant tracking system provider, background check vendor, or any third-party tool that receives candidate data from you is acting as a data processor. Controllers are responsible for ensuring their processors also comply with GDPR, which means signed Data Processing Agreements (DPAs) with every vendor that touches candidate data.
Spreadsheets, shared inboxes, and informal file-sharing tools are not data processors in any meaningful compliance sense; they are unmanaged stores of candidate data for which you, as the controller, remain fully accountable.
Penalties for Non-Compliance: What’s Actually at Stake in 2026
The financial stakes are real and have increased since GDPR’s initial rollout. Fines under GDPR reach up to €20 million or 4% of a company’s total global annual turnover, whichever figure is higher. For large multinationals, 4% of global revenue can dwarf the flat cap.
Enforcement has matured considerably since 2018. Data protection authorities across EU member states are now conducting proactive audits rather than waiting for complaints. High-profile fines for mishandled candidate data, inadequate consent mechanisms, and unlawful data retention have been levied against organizations of all sizes.
Reputational damage often outlasts the fine itself. Candidates in 2026 are more data-conscious than they were in 2018. A data breach or public enforcement action signals to the talent market that your organization cannot be trusted with personal information, a significant competitive disadvantage in tight hiring markets.
The 6 Core GDPR Principles Every Recruiting Team Must Follow
Every instance of collecting or processing candidate data requires a lawful basis. In recruitment, the two most commonly applicable bases are legitimate interest and consent.
Legitimate interest allows you to process candidate data without seeking explicit consent, provided you have a genuine, documented reason that does not override the candidate’s rights and freedoms. Sourcing a candidate for a role they appear qualified for, processing a received job application, or contacting a candidate you found on a professional networking platform within a reasonable timeframe are generally considered legitimate interests. The key requirement is documentation: you need to record why legitimate interest applies in each scenario, not simply assert it.
Consent applies when you want to do something beyond the core recruitment activity, for example, retaining a candidate’s data for future roles after the original position has been filled, or using their information for any non-recruitment purpose.
Data Minimisation: Only Collect What You Actually Need
GDPR’s data minimisation principle requires that the personal data you collect is adequate, relevant, and limited to what is necessary for the stated purpose. In recruiting terms, this means auditing your application forms and screening processes to remove any fields or questions that do not directly inform the hiring decision for the specific role.
Common violations include asking for date of birth where age is not a legal requirement for the role, requesting full home addresses at the application stage when only a general location is needed, and storing detailed personal information about candidates who were screened out in the first round.
A useful practical test: for every data field you collect, ask whether a hiring decision could be made without it. If the answer is yes, the field should not exist.
Purpose Limitation: Recruitment Data Stays for Recruitment
Data collected during a recruitment process must only be used for that recruitment process. This sounds straightforward, but it is regularly violated in practice. Using rejected candidate resumes to build a marketing list, sharing applicant data with unrelated business units, or repurposing candidate contact details for employer branding outreach without fresh consent all breach purpose limitation.
If you want to retain a candidate’s information for future opportunities, a common and legitimate practice for talent pipelines, you must inform the candidate of this intention upfront and obtain their explicit consent to do so. Assuming permission because a candidate applied once is not sufficient.
Retention Periods: How Long Can You Keep Candidate Data?
GDPR requires that personal data be kept for no longer than necessary. In recruitment, the general recommendation from data protection authorities is to delete unsuccessful candidate data within six months of the recruitment process concluding, unless the candidate has explicitly consented to a longer retention period for talent pipeline purposes.
Successful candidates’ data transitions into the employment relationship and is governed by separate HR data obligations. The compliance gap auditors most commonly find is not the active hiring pipeline; it is the years-old database of rejected applicants that nobody has touched since the original application closed.
Reviewing your candidate database for outdated records is not a one-time exercise. It needs to be a scheduled, recurring process. A recruiting CRM with automated data retention policies dramatically reduces the operational burden of staying clean.
Consent vs. Legitimate Interest: What’s the Difference?
GDPR designates certain categories of data as “special category” data, requiring explicit consent for processing. In recruitment, this includes: disability and health information, racial or ethnic origin, religion or philosophical beliefs, political opinions, trade union membership, and biometric or genetic data.
Any time your recruiting process touches these categories (EEO surveys, background checks, accessibility accommodations, and certain video interview analysis tools), you must obtain clear, specific, written consent before processing. The consent request must explain exactly what data is being collected, how it will be used, who will have access to it, and how the candidate can withdraw their consent.
Consent must be freely given. Conditioning a candidate’s progression in the hiring process on their agreement to provide sensitive data is not valid consent under GDPR.
When Legitimate Interest Applies and How to Document It
For standard recruitment activity (processing a job application, reviewing a resume, conducting an interview, and storing interview notes), legitimate interest is typically the appropriate lawful basis. You don’t need to ask every candidate for consent to read their CV.
However, legitimate interest cannot be asserted informally. It requires a documented Legitimate Interest Assessment (LIA) that records: what the specific interest is, whether the processing is necessary to achieve it, and whether the candidate’s rights and interests outweigh your legitimate interest. This documentation must be available if a candidate or data protection authority questions the basis for processing their data.
Handling Candidate Data From Job Fairs, Referrals, and LinkedIn
Sourced candidates who did not actively apply but whose data was collected through outreach require particular care. Under GDPR, you must inform a sourced candidate that you hold their data and intend to process it, typically within 30 days of collecting it and before you use it for any purpose.
When candidates hand over CVs at job fairs, you need a documented process for capturing and recording their consent. Email templates, physical consent forms, or QR-code linked privacy notices all work; what does not work is simply pocketing a business card and adding someone to your database.
For LinkedIn-sourced candidates, your legitimate interest window to make contact is generally understood as 30 days from sourcing. Contacting a candidate for a role that has no reasonable connection to what you sourced them for falls outside legitimate interest.
What Are Candidates’ Rights Under GDPR and How Do You Comply?
Under GDPR, any candidate has the right to request that you delete all personal data you hold about them. Once a valid request is received, you have one calendar month to comply by deleting the candidate’s data from every system where it is stored, including your ATS, email archives, shared drives, and any third-party processors you have shared the data with.
The right to erasure is not absolute; it can be overridden by legal obligations or legitimate ongoing proceedings, but in most standard recruitment scenarios, a deletion request must be honored. You must also ensure that once data is deleted, the same individual is not re-entered into your systems without fresh consent or a new application from the candidate.
Documenting the deletion (recording that a request was received, when it was acted upon, and what was removed) is essential for demonstrating compliance in the event of an audit.
Right of Access and Rectification Requests
Candidates also have the right to request a copy of all personal data you hold about them (a Subject Access Request, or SAR), and to request corrections if any data is inaccurate.
A common mistake is failing to include interview notes, recruiter assessments, and internal commentary in SAR responses. GDPR’s definition of personal data is broad; if a document contains information about an identifiable individual, it is personal data and is in scope for a SAR. Recruiters should assume that any notes taken about a candidate are disclosable.
This is a strong argument for keeping interview notes factual, professional, and job-relevant from the start.
Responding to Data Subject Requests Within the One-Month Window
The one-month response window is firm. Organizations that fail to acknowledge or fulfill data subject requests within this timeframe face direct enforcement risk, separate from any underlying compliance violations.
Larger organizations or those managing high candidate volumes should establish a formal intake process for data subject requests: a dedicated email address, a documented internal workflow, and clear ownership for fulfillment. The reports and analytics capabilities in your recruitment platform should be able to rapidly surface all data held on a specific individual, making SAR fulfillment a matter of hours rather than days.
Is Your Recruiting Software GDPR Compliant?
Your applicant tracking system is where the majority of candidate personal data lives, and it carries significant compliance weight as your primary data processor. When evaluating ATS compliance, the key questions are: Does the platform support configurable data retention periods with automated deletion? Does it provide a full audit trail of who accessed, modified, or deleted candidate records? Does it support candidate consent management, including the ability to record consent, track withdrawal, and honor deletion requests across all stored records?
RecruitBPM’s platform is built with GDPR compliance as a core requirement rather than an afterthought. Our dedicated GDPR compliance page outlines how data is handled, stored, and protected across the platform.
Data Processing Agreements With Your ATS and Third-Party Vendors
Every vendor in your recruiting technology stack that receives or processes candidate data must have a signed Data Processing Agreement with your organization. This is not optional. Under GDPR, data controllers are accountable for their processors: if a vendor mishandles candidate data and no proper DPA was in place, your organization shares responsibility.
Before onboarding any new tool (job boards, background check providers, video interviewing platforms, or AI screening tools), request and review its DPA. Key provisions to confirm: where data is physically stored (EU hosting is generally safer for compliance), sub-processor lists, breach notification timelines (GDPR requires notification within 72 hours), and data deletion commitments at contract end.
Spreadsheets fail GDPR on multiple dimensions. They offer no audit trail, no access controls, no automated deletion, no breach detection, and no way to fulfill a data subject request comprehensively without manually hunting through every file. The same applies to email inboxes used as candidate tracking systems and shared drives with broad access permissions.
The transition from ad hoc data management to a proper recruitment and ATS platform is not just an efficiency improvement; it is a compliance requirement for any organization serious about GDPR. For organizations that have been managing candidate data in spreadsheets and want to migrate cleanly, RecruitBPM’s data migration support includes structured processes for transferring candidate records securely.
GDPR and the EU AI Act: What Recruiters Need to Know in 2026
How the EU AI Act Intersects With GDPR in Hiring
The EU AI Act, which entered into force in August 2024, creates a second compliance framework that sits alongside and in some areas overlaps with GDPR. For recruiting teams, the two regulations interact most directly when AI tools are used to influence hiring decisions.
GDPR’s Article 22 already restricts purely automated decision-making that has a significant legal or similarly significant effect on individuals. Automatic candidate rejections driven entirely by an algorithm, without meaningful human review, are potentially non-compliant under GDPR regardless of the AI Act. The AI Act extends and formalizes these obligations further.
The practical implication: any recruiter using AI recruiting software for resume screening, candidate ranking, or shortlisting needs to understand both regulatory frameworks, not just one.
High-Risk AI Classification: Does Your Screening Tool Qualify?
The EU AI Act takes a risk-based approach, classifying AI systems into prohibited, high-risk, limited-risk, and minimal-risk categories. AI tools used in recruitment and hiring are explicitly classified as high-risk under Annex III of the Act. This category includes AI systems that screen resumes, rank candidates, predict job performance, or otherwise influence hiring outcomes.
High-risk classification triggers a set of mandatory requirements for both the AI system provider and the deploying organization. As a deployer (the employer or recruiting firm using the tool), your obligations include: ensuring meaningful human oversight of AI-assisted decisions, maintaining logs of AI-supported hiring recommendations, informing candidates when AI is being used in their assessment, conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, and being able to explain the basis for AI-assisted decisions if challenged.
These requirements layer directly on top of existing GDPR obligations; they do not replace them.
The August 2026 Deadline and What Recruiters Should Be Doing Now
The core compliance obligations for high-risk AI systems under the EU AI Act were initially targeted for August 2, 2026. As of early 2026, the EU’s Digital Omnibus package is under discussion and may adjust some of these timelines, potentially extending certain deadlines to December 2027 or August 2028 for some system categories, conditional on the availability of harmonized technical standards.
However, organizations should not treat potential deadline extensions as permission to delay. Regulators and legal experts consistently advise treating August 2026 as the planning horizon. The steps required to audit your AI tools, establish human oversight processes, document DPIAs, and ensure vendor DPAs cover AI-specific obligations take time to implement properly.
Concrete actions to take now: audit every AI or automated feature in your current recruiting stack; identify which tools qualify as high-risk; confirm with each vendor whether their system is being registered in the EU AI database; establish documented human review checkpoints in your screening workflow; and review your existing GDPR compliance infrastructure for any gaps that the AI Act’s additional requirements expose.
For teams using RecruitBPM, our AI recruiting features are designed with human-in-the-loop oversight built into the workflow, supporting both GDPR and EU AI Act compliance postures.
GDPR Recruitment Compliance Checklist for 2026
Use this checklist as a starting framework. It is not exhaustive and does not replace legal advice, but it covers the most common compliance gaps found in recruiting operations.
Data Audit and Inventory
- [ ] Identify all systems where candidate personal data is stored (ATS, email, shared drives, spreadsheets, third-party tools)
- [ ] Document what categories of data are collected, from which sources, and for what stated purpose
- [ ] Confirm that every data collection point has a documented lawful basis (legitimate interest or consent)
- [ ] Review candidate database for outdated records exceeding your stated retention period
- [ ] Confirm that all data held predating your current GDPR policy has either been re-consented to or deleted
Consent and Transparency Practices
- [ ] Privacy notice is available to candidates at the point of data collection and written in plain language
- [ ] Job application forms collect only necessary data fields (data minimisation review)
- [ ] Sensitive data fields (disability, EEO) have explicit consent mechanisms
- [ ] Talent pipeline candidates have consented to extended retention and future contact
- [ ] Sourced candidates are notified of data collection within 30 days
- [ ] Process is in place to honor right-to-be-forgotten requests within one calendar month
ATS and Vendor Due Diligence
- [ ] Signed Data Processing Agreement in place with your ATS provider
- [ ] DPAs reviewed and signed with all third-party vendors receiving candidate data
- [ ] ATS supports configurable data retention and automated deletion
- [ ] ATS provides a full audit trail of data access and modifications
- [ ] International data transfer mechanisms (Standard Contractual Clauses) confirmed for any non-EU data hosting
AI Tool Compliance (EU AI Act Layer)
- [ ] Inventory of all AI/automated features used in recruitment completed
- [ ] High-risk AI tools identified and vendor EU AI Act readiness confirmed
- [ ] DPIAs completed for high-risk AI processing
- [ ] Human oversight checkpoints documented in screening and shortlisting workflows
- [ ] Candidate disclosure process in place for AI use in hiring decisions
Team Training and Ongoing Compliance
- [ ] Data Protection Officer appointed (or external DPO engaged) if required
- [ ] All recruiting team members trained on lawful bases, candidate rights, and data minimisation
- [ ] Data breach response protocol documented (72-hour notification requirement)
- [ ] Quarterly data audit and annual compliance policy review scheduled
Conclusion: GDPR Compliance as a Competitive Advantage
GDPR compliance in recruitment is not a bureaucratic overhead; it is a signal. Organizations that handle candidate data with transparency, respect, and rigor build trust faster with the talent market than those that treat compliance as a checkbox exercise.
In 2026, the compliance landscape has become more complex than it was at GDPR’s launch, with the EU AI Act adding a second layer of obligations for any team using AI in their hiring stack. The organizations that get ahead of these requirements now by auditing their tools, establishing clear processes, and choosing recruiting technology built for compliance will not be scrambling to catch up when enforcement intensifies.
RecruitBPM is built to support compliant, efficient recruiting at every stage. Our applicant tracking and recruitment platform includes GDPR-designed data management, configurable retention policies, and audit-ready reporting. If your team is evaluating whether your current stack meets the compliance standard for 2026, request a live demo, and we’ll walk through it with you.
FAQs
Does GDPR apply to my recruiting agency if we’re based outside the EU?
Yes, if you collect or process personal data from individuals physically located in the EU, including sourcing EU candidates or placing workers in EU roles, GDPR applies to your operations regardless of where your company is headquartered.
How long can we keep rejected candidate data?
The general recommendation from data protection authorities is six months after the end of the recruitment process, unless the candidate has explicitly consented to a longer retention period for talent pipeline purposes. Your data retention policy should be documented and applied consistently.
What is a Data Processing Agreement, and do we need one with our ATS provider?
A DPA is a contract that defines the obligations and rights of a data controller and data processor under GDPR. Yes, you are required to have a signed DPA with your ATS provider and any other vendor that receives or processes candidate personal data on your behalf.
Do we need a Data Protection Officer?
A DPO is mandatory if your organization is a public body, carries out large-scale systematic monitoring of individuals, or processes large volumes of special category data. Many recruiting firms are not required to appoint a formal DPO, but it is good practice to designate someone internally responsible for data protection oversight regardless.
How does the EU AI Act affect our ATS?
If your ATS uses AI features to screen, rank, or shortlist candidates, it likely qualifies as a high-risk AI system under the EU AI Act. This triggers obligations including human oversight, DPIA completion, candidate disclosure, and vendor compliance verification. You should confirm your ATS provider’s EU AI Act readiness and ensure your internal workflows include meaningful human review of AI-assisted decisions. RecruitBPM’s AI recruiting features are designed with these requirements in mind.
What should we do if a candidate submits a right-to-erasure request?
Acknowledge the request promptly and complete the deletion within one calendar month. Remove the candidate’s data from all systems (ATS, email, shared files, and third-party processors) and document that the deletion was completed. Notify any sub-processors who also hold the candidate’s data to delete it as well.