The Infrastructure vs Process Gap
Here is the misunderstanding that causes the most compliance problems: an ATS vendor that is “GDPR compliant” means the vendor’s own systems meet GDPR requirements. It does not mean your use of those systems is automatically compliant. The distinction between infrastructure compliance and process compliance is where most companies are exposed.
Your ATS vendor is responsible for: storing data securely on appropriately located servers, signing a Data Processing Agreement with you as required by Article 28 GDPR, ensuring that deletion requests made through the platform actually remove data from all stores, and providing you with the tools to manage consent, retention periods, and subject access requests.
Your company is responsible for: capturing valid consent at the point of application, setting and enforcing data retention periods, responding to Subject Access Requests within 30 days, ensuring you are not processing candidate data beyond the purpose for which it was collected, training your HR team on what they can and cannot do with candidate data, and documenting your processing activities in a Record of Processing Activities (ROPA).
An ATS that is GDPR-native — built specifically with EU compliance architecture from the start — provides better tooling for the process side. But no ATS vendor can make your HR processes compliant; they can only provide the infrastructure and tools that make compliance achievable.
What GDPR Actually Requires for Candidate Data
Lawful basis for processing
You need a documented lawful basis for processing each candidate’s data. For direct applicants (people who responded to your job posting), the lawful basis is typically consent (captured at application) or legitimate interest (pursuing a business purpose). For sourced candidates (people your team identified and reached out to), the lawful basis is almost always legitimate interest. The lawful basis must be determined before processing starts and must be documented.
Consent capture at application
Your application form must present a privacy notice before or during the application, explain what data is collected and why, identify who data is shared with (including your ATS vendor), state how long data will be retained, and explain how candidates can exercise their rights. The candidate must actively confirm consent — a pre-ticked checkbox does not constitute valid consent under GDPR. The consent action must be timestamped and stored in a retrievable audit trail.
Data retention limits
Candidate data cannot be retained indefinitely. Common retention practices: 6 months for unsuccessful applicants who were not interviewed, 12 months for candidates who reached an interview stage, up to 24 months for candidates added to a talent pool who gave explicit consent for longer retention. These are guidelines — your specific retention periods should be documented in your privacy notice and enforced automatically by your ATS’s retention workflow, not managed manually.
Right to erasure
When a candidate requests deletion of their data, you must comply — typically within 30 days. The deletion must be genuine: all personal data fields removed from all data stores, including email logs, application records, and backups (typically within one backup cycle). The distinction between anonymisation and genuine deletion matters here: anonymisation leaves a record but removes identifying fields; genuine deletion removes the record entirely. Article 17 GDPR requires genuine deletion in most circumstances.
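The retention tiers above and the anonymisation-versus-erasure distinction, as an added illustration (not Treegarden's or any vendor's code). It assumes a candidate record is replicated across a fixed set of named stores and that a talent-pool candidate without explicit extended consent falls back to the 12-month interview period; both are labelled assumptions in the code.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timezone

# Retention periods (months) named in the text, keyed by how far the candidate progressed.
RETENTION_MONTHS = {"applied": 6, "interviewed": 12, "talent_pool": 24}
# Assumed names for the stores a deletion must reach; real systems will have more.
STORES = ("applications", "email_logs", "analytics", "backups")
IDENTIFYING = ("name", "email", "phone")

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass
class Candidate:
    id: str
    stage: str                      # "applied", "interviewed" or "talent_pool"
    last_activity: datetime
    extended_consent: bool = False  # explicit consent for the longer talent-pool period

def add_months(dt, months):
    """Calendar-aware month arithmetic; clamps the day to the target month's length."""
    y, m = divmod(dt.month - 1 + months, 12)
    year, month = dt.year + y, m + 1
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))

def retention_deadline(c):
    """Date after which the record must go. Assumption: a talent-pool candidate who never
    gave explicit extended consent gets only the 12-month interviewed period."""
    months = RETENTION_MONTHS[c.stage]
    if c.stage == "talent_pool" and not c.extended_consent:
        months = RETENTION_MONTHS["interviewed"]
    return add_months(c.last_activity, months)

def anonymise(record):
    """Keeps the row (for analytics) but blanks identifying fields. This is not erasure."""
    return {k: (None if k in IDENTIFYING else v) for k, v in record.items()}

def erase(stores, cid):
    """Genuine deletion: drop the candidate from every store and return an audit entry
    that records where it was removed and whether any store still holds it."""
    removed = [s for s in STORES if stores.get(s, {}).pop(cid, None) is not None]
    remaining = [s for s in STORES if cid in stores.get(s, {})]
    return {"candidate": cid, "removed_from": removed, "remaining": remaining}

def enforce_retention(stores, candidates, now):
    """Erase every candidate whose retention deadline has passed; return the audit trail."""
    return [erase(stores, c.id) for c in candidates if retention_deadline(c) < now]
```

A non-empty `remaining` list in an audit entry is the signal that a store was missed, which is exactly the gap the checklist question about backups and email logs is meant to surface.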
Subject Access Requests
A candidate can request all personal data you hold on them under Article 15 GDPR. You have 30 days to respond. The response must include all data you hold, the purposes of processing, who data is shared with, the retention period, and information about their rights. Your ATS should make it possible to export a complete candidate data package in response to a SAR in minutes, not hours.
Data residency and transfer restrictions
Data stored on servers outside the EU/EEA requires a transfer mechanism. EU data residency eliminates this requirement. If your ATS stores data in the US, verify the legal basis for the transfer — typically Standard Contractual Clauses or the EU-US Data Privacy Framework (adopted 2023, but historically challenged).
Platform Comparison: GDPR Compliance Capabilities
| Platform | EU Data Residency | Genuine Deletion | Consent Capture | Auto Retention |
|---|---|---|---|---|
| Treegarden | Native (all plans) | Yes — full deletion | Built-in, timestamped | Configurable workflows |
| Pinpoint | EU residency option | Yes | Built-in | Available |
| Greenhouse | EU option (higher tiers) | Anonymisation default; deletion available | GDPR tools available | Configurable |
| Workable | EU option (higher plans) | Available | GDPR consent available | Available |
| Lever | Primarily US-based | Available | GDPR tools available | Limited |
GDPR ATS Evaluation Checklist
Before selecting an ATS for a company with EU hiring, verify each of these with the vendor:
- ☐ Where is candidate data stored? (EU servers preferred for EU companies)
- ☐ Can individual candidates be permanently deleted from all stores, including backups and email logs?
- ☐ Is GDPR consent captured at the point of application with a timestamp?
- ☐ Does the consent record store the privacy notice version shown to the candidate?
- ☐ Are automated data retention workflows available with configurable periods?
- ☐ Can you export a complete candidate data package for Subject Access Request response in under 10 minutes?
- ☐ Is there a signed Data Processing Agreement available without requiring a separate legal process?
- ☐ Are there re-consent workflows for dormant candidates approaching retention expiry?
- ☐ Can candidates access their own data through a self-service portal?
- ☐ Are audit trails of all data processing actions available for regulatory inspection?
Treegarden’s GDPR Architecture
Treegarden was built as an EU-first platform. EU data residency is not a configuration option — it is the default. All candidate data is stored on servers within the EU. Genuine deletion (not anonymisation) is available from all plans. Consent capture with timestamping is built into the application form. Automated retention workflows are configurable. Data Processing Agreements are available immediately upon account creation. Candidate portals for self-service access to their own data are supported.
The practical significance: a Treegarden customer who receives a Subject Access Request from a candidate can generate a complete data export within minutes. A Treegarden customer who receives a deletion request can delete all candidate records with a single action and confirm the deletion with an audit trail. These are not edge cases — GDPR requests from candidates are a normal part of operating in the EU hiring market, and the time cost of handling them manually on a non-GDPR-native platform is non-trivial.
GDPR-native ATS for EU companies
EU data residency. Genuine deletion. Consent capture. Built in from day one. Startup $299/mo · Growth $499/mo · Scale $899/mo.
Frequently Asked Questions
What GDPR requirements apply to candidate data in an ATS?
The key GDPR requirements for candidate data are: a documented lawful basis for processing (Article 6), purpose limitation, data minimisation, storage limitation with enforced retention periods, right of access for Subject Access Requests within 30 days (Article 15), right to erasure with genuine deletion capability (Article 17), and data transfer restrictions for data moved outside the EU. Your ATS vendor handles infrastructure compliance; your HR team handles process compliance using the vendor’s tools.
Does EU data residency matter for GDPR ATS compliance?
EU data residency means candidate data is stored on servers within the EU, subject to EU jurisdiction, eliminating the need for a separate data transfer mechanism. It matters because transfers outside the EU require a valid legal basis (SCCs or adequacy decision) that can be legally challenged. EU data residency removes this transfer risk entirely. Treegarden stores all candidate data on EU servers by default.
What is the difference between anonymisation and deletion in an ATS?
Anonymisation replaces identifying fields with non-identifying values while keeping the record for analytics; deletion removes all records from all stores including backups. The GDPR right to erasure (Article 17) requires genuine deletion in most circumstances — not just anonymisation — when a candidate exercises deletion rights. Ask your ATS vendor specifically whether deletion removes personal data from all systems including analytics databases and backup systems.
How should an ATS handle GDPR consent capture for candidates?
Valid GDPR consent must be freely given, specific, informed, and unambiguous. This means your application form must show a privacy notice before or during application, require an active opt-in (no pre-ticked boxes), timestamp the consent with the privacy notice version, store the consent record retrievably, and support re-consent workflows when the privacy notice changes materially. An ATS that handles this correctly records consent timestamps that can be produced for regulatory audit.