Updated: November 2025
GDPR affects staffing and recruiting because it governs how candidate data may be collected, stored and processed. Processing begins as soon as a recruiter gathers data on potential candidates and searches among them. The data handled in a recruitment process can include contact information, grades, certifications, CVs, results of personality and skills tests, interview notes and other documents.
Here are a few key directives of GDPR that affect the daily work of recruiters and hiring teams:
• You need a lawful basis and a specified purpose to process candidate data. GDPR obliges you to collect data only for “specified, explicit and legitimate purposes.” Sourcing usually relies on legitimate interest, which means you collect only job-related information for a concrete vacancy and, because you obtained the data from a source other than the candidate, you inform the candidate within a reasonable period and at the latest within one month (Article 14).
• You need explicit consent, or another Article 9 exception, to process special category data. Health and disability information, racial or ethnic origin, religious or political views, genetic or biometric data, and similar data gathered for an EEO survey are special category data; criminal-record information from a background check is subject to comparable restrictions under Article 10. Unless another exception applies (for example an obligation under employment law), you must ask for explicit consent in a clear and intelligible way and tell candidates how to withdraw it.
• You must be transparent about the processing of candidate data. Companies must have clear privacy notices, and recruiters are obliged to make them available to candidates. You must also disclose where candidate data is stored (e.g. your ATS), how long it is kept, and that it will be used for recruitment purposes only.
• You must be able to demonstrate compliance (accountability). Your company chooses its processors, such as an ATS provider or a sourcing services provider, and under Article 28 may only use processors that provide sufficient guarantees and are bound by a written data processing agreement. If a processor fails to comply with the law, your company remains accountable as the controller.
Also, you are obliged to comply when candidates exercise their rights under GDPR:
• Candidates have the right to erasure (the “right to be forgotten”). They can ask you to delete their personal data and stop processing it. You must locate every place you keep their information (ATS, spreadsheets, mailboxes, sourcing tools) and delete it without undue delay, at the latest within one month of the request; for complex requests this can be extended by two further months, provided you tell the candidate within the first month.
• Candidates have the right to access their data and have it rectified. They can ask what data you hold on them and request that inaccuracies be corrected. You must answer both requests within one month and provide a free copy of their personal data, in electronic form where the request was made electronically.
Sourcing is an essential function for organisations that want to find great people. However, sourcing requires finding and storing personal candidate data, so complying with GDPR is critical.
First, keep in mind that you need a lawful basis, normally legitimate interest, to source candidates and process their personal data. Ensure that you:
• Actually intend to contact those candidates. Building a talent database “in case you need it later” has no specified purpose and breaches the purpose-limitation and storage-limitation principles.
• Plan to contact candidates as soon as possible. When you obtain data from a source other than the candidate, you must inform them within a reasonable period and at the latest within one month (Article 14). Contact them promptly, and delete their data if they object or ask you to. If you decide not to contact a candidate after all, delete their data without delay.
• Collect only the data you need. Education, work history, skills and contact details are relevant to a recruitment process. Do not process irrelevant data (e.g. cultural or ethnic information) for recruiting purposes. If you genuinely need such data, explain why when contacting candidates and obtain their explicit consent.
• Obtain data lawfully. Gathering data from social profiles can be lawful under GDPR if the profile is publicly accessible and the candidate can reasonably expect to be contacted about jobs through that channel. A public LinkedIn profile is a reasonable indicator of such an expectation; a personal social media account used for private purposes is not. Only then can you proceed to process the candidate’s data.
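The sourcing rules above, together with the erasure and access rights described earlier, are easier to honour when the pipeline enforces them rather than relying on individual recruiters to remember. The following is an added example and not code from the original article or from any ATS product; the record layout, field names and the approximation of “one month” as 30 days are assumptions. It shows three checks a practitioner would want: stripping fields that are not job-related (and special category data without explicit consent), deciding what to do with a sourced candidate on a given day, and erasing a candidate from every store that holds a copy.

```python
"""Candidate-data lifecycle checks for a sourcing pipeline (illustrative, added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Job-related fields the article treats as reasonable to process for recruiting (assumed names).
PERMITTED_FIELDS = {"name", "email", "phone", "education", "work_history", "skills", "cv"}
# GDPR Art. 9 special categories plus Art. 10 criminal-offence data: keep only with explicit consent
# (or another lawful exception, not modelled here).
SPECIAL_FIELDS = {"health", "ethnicity", "religion", "political_opinions", "trade_union",
                  "sexual_orientation", "biometrics", "genetic", "criminal_record"}
# Assumption: the "one month" periods in Art. 12(3) and Art. 14(3) are modelled as 30 days.
ONE_MONTH = timedelta(days=30)


@dataclass
class Candidate:
    cid: str
    collected_on: date
    data: dict
    informed_on: Optional[date] = None        # when the Art. 14 information was sent (None = not yet)
    special_consent: bool = False             # explicit consent for special-category data
    erasure_requested_on: Optional[date] = None


def minimise(data: dict, special_consent: bool) -> tuple[dict, list[str]]:
    """Data minimisation: keep job-related fields, keep special-category fields only with
    explicit consent, and drop everything else. Returns (kept, dropped_field_names)."""
    kept, dropped = {}, []
    for key, value in data.items():
        if key in PERMITTED_FIELDS or (key in SPECIAL_FIELDS and special_consent):
            kept[key] = value
        else:
            dropped.append(key)
    return kept, sorted(dropped)


def retention_decision(c: Candidate, today: date) -> tuple[str, str]:
    """Decide what to do with one sourced candidate today: 'erase', 'contact' or 'keep'."""
    if c.erasure_requested_on is not None:
        due = c.erasure_requested_on + ONE_MONTH
        return "erase", ("overdue" if today > due else f"due by {due.isoformat()}")
    if c.informed_on is None:
        if today - c.collected_on > ONE_MONTH:
            return "erase", "not informed within one month of collection (Art. 14)"
        return "contact", "send Art. 14 information now, or delete"
    return "keep", "informed; processing on legitimate interest, objection possible"


def erase_everywhere(cid: str, stores: dict[str, dict]) -> list[str]:
    """Remove every copy of a candidate across all known stores (ATS, spreadsheets, mailbox
    exports, ...). Returns the stores that held a copy; raises if any copy survives."""
    purged = [name for name, table in stores.items() if table.pop(cid, None) is not None]
    leftovers = [name for name, table in stores.items() if cid in table]
    if leftovers:
        raise RuntimeError(f"{cid} still present in {leftovers}")
    return purged


def demo(today: date = date(2025, 11, 15)) -> dict:
    """Run the checks over a small constructed data set and return the outcomes."""
    raw = {"name": "A. Example", "email": "a@example.test", "skills": ["Go", "Rust"],
           "ethnicity": "redacted", "hobbies": "sailing"}          # constructed sample record
    kept, dropped = minimise(raw, special_consent=False)
    candidates = [
        Candidate("c1", date(2025, 10, 1), kept),                                  # sourced 45 days ago, never informed
        Candidate("c2", date(2025, 11, 1), kept),                                  # sourced 14 days ago, not yet informed
        Candidate("c3", date(2025, 10, 1), kept, informed_on=date(2025, 10, 5)),   # informed in time
        Candidate("c4", date(2025, 9, 1), kept, informed_on=date(2025, 9, 2),
                  erasure_requested_on=date(2025, 10, 1)),                         # erasure request now overdue
    ]
    decisions = {c.cid: retention_decision(c, today)[0] for c in candidates}
    # Constructed inventory of every place a copy might live.
    stores = {"ats": {"c1": {}, "c3": {}}, "sheet": {"c1": {}, "c2": {}}, "mailbox": {"c4": {}}}
    purged = {cid: erase_everywhere(cid, stores) for cid, action in decisions.items() if action == "erase"}
    return {"kept": kept, "dropped": dropped, "decisions": decisions, "purged": purged, "stores": stores}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `erase_everywhere` check deliberately fails loudly if a copy survives: an erasure that only clears the ATS while a spreadsheet export keeps the record is the failure mode the one-month deadline is most often missed on.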
There are broadly two ways to recruit: a traditional individual job posting, or a recruitment platform. The legal basis for processing and the information you must give data subjects differ between the two, so the following sections describe both. After that we cover the special case of an external search (headhunting), and we conclude by explaining how to handle two data types that need particular care in recruitment: special category data and references.
The rise of AI-powered recruitment tools has introduced compliance considerations in addition to those in the GDPR. The EU AI Act (Annex III) classifies AI systems used for recruitment and candidate evaluation as high-risk. If you use AI tools for CV screening, candidate ranking, video interview analysis or automated assessments, you face additional transparency, documentation and human-oversight requirements, and the GDPR rules on automated decision-making (Article 22) continue to apply alongside them.
Under the EU AI Act, certain AI practices have been prohibited outright since February 2, 2025. These include emotion recognition systems in the workplace (which rules out analysing candidates’ emotions in video interviews), biometric categorisation systems that infer sensitive characteristics such as race, political opinions or sexual orientation, and social scoring.
If your recruitment process involves automated decision-making systems, you must inform candidates that AI is used in assessing their application, and meaningful human oversight must exist in the decision-making process. When selecting recruitment software or ATS providers, verify that they comply with both the GDPR and the EU AI Act. Ask vendors for documentation of their AI risk assessments, data governance measures and policies for algorithmic transparency, and record what you received: as the deployer you will need it to demonstrate your own compliance.
Key compliance deadline: from August 2, 2026 the obligations for high-risk AI systems listed in Annex III, including those used in recruitment, apply in full, so complete documentation and transparency measures must be in place by then.
A data subject applies for a job listing. The candidate sends their application to either a recruitment firm or the hiring company.
The primary legal basis is that the processing is necessary to take steps at the applicant’s request before entering into an employment contract (Article 6(1)(b)). Consent is also possible, but only if it meets the legal requirements: it must be explicit, freely given and withdrawable, which is difficult to guarantee while the applicant depends on the employer’s decision.
It is also important to give the applicant relevant information about the processing in a clear and easily accessible manner. The information should advise against attaching sensitive data to the application. If the legal basis is consent, you must also inform the applicant of the right to withdraw it at any time.
Keeping an application on file for future vacancies is a separate purpose. The applicant must be informed that their data will be stored for future recruitment, and must be able to withdraw their consent or object to that processing.
Recruitment firms and larger organisations use recruitment platforms to process candidate data. The data can include various documents, such as a resume and notes from an interview, at varying levels of sensitivity; sometimes it is the combination of data that becomes intrusive. Because such platforms typically process large-scale data sets, profile and score candidates, and match data from different sources, a data protection impact assessment (DPIA, Article 35) is generally required before they are used.
The legal basis for processing can be contract, consent or legitimate interest. Legitimate interest requires, first, a documented legitimate interest and, second, that this interest is not overridden by the applicant’s interests and rights (the balancing test). Since the applicant has applied and wants to be recruited, this is normally not a problem. However, you may not process more data than is necessary to fulfil the identified interest, such as providing an effective and purposeful service.
Generally, contractual necessity is the most suitable legal basis for most data uses in a recruitment platform. Keep in mind that every functionality and use of data must be spelt out in the platform’s terms and privacy policy.
Sometimes a hiring company, on its own or with the help of a recruitment firm, performs an external search (also called headhunting). This search can be based on legitimate interest, provided that the headhunter respects the potential candidate’s signals about their availability to the job market. The legitimate interest can, for example, be to find talented candidates for recruitment and to inform them of, and mediate, an offer.
When a headhunter has collected candidates by searching the web, they must contact each individual and provide the Article 14 information: what personal data has been collected, from which sources, the retention period, the recipients to whom the data will be disclosed, the purposes and legal basis for processing, the candidate’s rights, and that the candidate may object to further processing. If you rely on legitimate interest, a candidate who objects must be dropped; if you rely on consent, you may not proceed until it is given.
A rule of thumb is to communicate within the same channel where you found the profile, such as LinkedIn Recruiter or LinkedIn. Do not export the data into your own CRM or email program and continue the recruitment process without the candidate’s consent.
For an external search to be compliant with GDPR, it may not include more data than is strictly necessary and relevant to the job offer. You must inform the data subject about the processing of their data and give them the opportunity to object to it.
According to the data minimisation principle, a controller must limit the data it processes to what is necessary, assessed against the purpose of the processing. A recruiter may not process special category data (Article 9), such as health data, or criminal-offence data (Article 10) unless it is relevant to the specific job, and information about such collection must be provided at the initial contact, i.e. in the job listing.
In recruitment, it is common to process data about references, which normally consists only of a name and a way to contact them, such as a phone number. It is the applicant’s responsibility to tell the reference about the processing of their personal data, but the recruiter must remind the applicant of that responsibility.
The best way to ensure compliance and transparency is with an informative privacy policy. Your privacy policy must clearly explain how your company collects, processes and protects candidate data. It should also explain the candidate’s right to withdraw their consent and rectify, delete or access their data.
Q: What’s the difference between a legitimate interest and consent for processing candidate data?
A: Legitimate interest lets you process candidate data for hiring without asking first, provided you inform the candidate within a reasonable period and at the latest within one month, and they can object at any time. Consent requires you to ask first and must be explicit for special category data such as health information. Use legitimate interest for sourcing; use explicit consent (or another Article 9 exception) for special category data.
Q: How does the EU AI Act change my recruitment compliance obligations?
A: Emotion recognition in the workplace (including video interviews), biometric systems inferring protected traits, and social scoring have been banned since February 2, 2025. For other recruitment AI, which counts as high-risk, you must tell candidates that AI is involved and ensure human oversight. The full high-risk obligations, including complete documentation, apply from August 2, 2026.