If you're a US company hiring in Germany, France, the Netherlands, or anywhere in the EU, your hiring process is subject to GDPR — whether your ATS vendor mentioned it or not. The regulation doesn't care where your company is incorporated. The moment you collect a CV from an applicant located in the EU, you are processing EU personal data, and the General Data Protection Regulation applies in full.

Most US HR teams discover this through one of three routes: a data subject access request from a rejected candidate, a privacy complaint to a supervisory authority, or a GDPR audit triggered by an EU M&A due diligence process. None of these are good times to find out that your ATS doesn't support the compliance workflows you've been assuming it did.

This guide covers exactly what GDPR requires in recruitment, which ATS features you need to support those requirements, and an honest assessment of how the leading platforms handle it.

What GDPR actually requires in recruitment

GDPR imposes several specific obligations on organisations processing candidate data. These aren't suggestions — they're legal requirements with enforcement teeth.

Lawful basis for processing

Every piece of candidate data you process needs a documented lawful basis under Article 6. In recruitment, the most common bases are legitimate interests (you have a legitimate interest in evaluating applicants for open roles) and contractual necessity (processing is necessary to take pre-contractual steps at the candidate's request). Consent is technically available as a basis, but it creates complications: candidates may feel they have no choice but to consent, and consent must be freely given, specific, and withdrawable — which makes it difficult to maintain as a basis through a hiring process. The important point is that you need to document which lawful basis you're relying on, and your privacy notice to candidates must specify it.

Data minimisation

You may only collect personal data that is adequate, relevant, and limited to what is necessary for the recruitment purpose. In practice, this means your application forms should not collect information you don't actually use in the hiring decision — date of birth, national ID numbers, marital status, and similar fields are red flags unless there is a clear operational necessity. Many ATS platforms offer highly flexible application form builders that allow excessive data collection by default. The compliance burden is on you to configure them appropriately.

Candidate consent and privacy notice

Candidates must receive a clear privacy notice at the point of application explaining who is processing their data, why, what the lawful basis is, how long it will be retained, and what their rights are. If you intend to share their data with third parties (interview scheduling tools, background check providers, reference checking platforms), this must be disclosed. Your ATS application form must deliver this notice — not bury it in a footer link that candidates can skip.

Right to erasure (right to be forgotten)

Rejected candidates can request deletion of their data. You have 30 days to comply. Without ATS tooling that can locate, compile, and delete all data associated with a specific individual — across the candidate profile, application history, interview notes, and any integrations — fulfilling this request manually becomes a multi-hour exercise that creates error risk. Your ATS needs a proper data deletion workflow that covers all linked records.

Data Subject Access Requests (DSARs)

Any individual whose data you hold can request a copy of all personal data you have on them within 30 days. For recruitment, this means every piece of data in a candidate profile: their CV, application form responses, interview notes, assessor feedback, communication history, and any internal ratings or tags. The request must be fulfilled comprehensively. An ATS that keeps interview notes in a separate system from the candidate profile, or that stores communication history in a recruiter's email inbox rather than in the ATS record, will make DSAR compliance a painful manual exercise.

Data retention limits

You cannot keep candidate data indefinitely. Standard practice for unsuccessful applicants is 6–12 months post-rejection, though some jurisdictions (Germany in particular) have more specific expectations. Your ATS needs automated retention policies: flag data approaching its retention date, prompt for review or deletion, and execute deletion automatically for data past its retention window without active intervention needed from HR.

Cross-border transfer requirements

If EU candidate data flows from your ATS to a US-based server, you are making a restricted international transfer under Chapter V of GDPR. This requires either a valid transfer mechanism (EU-US Data Privacy Framework adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules) or EU data residency that keeps the data in the EU entirely. Many US ATS vendors rely on SCCs documented in their DPA (Data Processing Agreement). The quality of these DPAs varies significantly — some are comprehensive, some are boilerplate. EU data residency is the cleaner option.

ATS features you need for GDPR compliance

Given these requirements, here's the specific feature set your ATS must provide:

  • Consent capture on application forms. Configurable consent and privacy notice display at the point of application — not a generic footer link, but a specific checkbox or acknowledgment that records candidate consent with a timestamp.
  • Automated data retention policies. Configurable retention periods by applicant status (rejected, hired, talent pool), with automated flagging and deletion capability at period end.
  • DSAR fulfillment workflow. The ability to export all data associated with a named individual — including notes, communication history, assessments, and any integrated tool data — in a portable format, within the 30-day response window.
  • Right to erasure execution. A deletion workflow that removes all records of an individual across the platform, with confirmation and an audit log of the deletion.
  • EU data residency option. The ability to specify that EU candidate data is stored and processed on EU-based infrastructure, not transmitted to US servers.
  • Data Processing Agreement. A DPA that documents the vendor's obligations as a data processor, the sub-processors they use, and the transfer mechanisms in place. This document must be available and reviewable before you sign a contract.
  • Audit trail. A complete log of who accessed what data, when, and what actions were taken — necessary for demonstrating compliance in any regulatory review.
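To make the retention, erasure and DSAR features above concrete, here is an added illustration (not Treegarden's or any vendor's code) of the workflow logic behind them: a retention policy keyed by applicant status that flags records approaching expiry and erases expired ones with a cascade over linked records and an audit entry, plus a one-operation DSAR export. The retention windows, statuses and candidate records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed retention window in days by applicant status. Statuses not listed
# (for example "hired") are retained here and left to an employment-record policy.
RETENTION_DAYS = {"rejected": 365, "talent_pool": 365}
WARN_DAYS = 30  # flag a record for review this many days before it expires

@dataclass
class Candidate:
    id: str
    status: str
    status_date: date          # date the status was set (e.g. the rejection date)
    linked: dict = field(default_factory=dict)  # notes, messages, assessments, ...

def evaluate_retention(c: Candidate, today: date) -> str:
    """Classify one record as 'retain', 'flag' (review soon) or 'delete'."""
    window = RETENTION_DAYS.get(c.status)
    if window is None:
        return "retain"
    expiry = c.status_date + timedelta(days=window)
    if today >= expiry:
        return "delete"
    return "flag" if today >= expiry - timedelta(days=WARN_DAYS) else "retain"

def erase_candidate(store: dict, cid: str, audit: list, reason: str, today: date):
    """Right to erasure: drop the profile and every linked record, then log it."""
    c = store.pop(cid)
    removed = {kind: len(items) for kind, items in c.linked.items()}
    audit.append({"date": today.isoformat(), "candidate": cid, "action": "erase",
                  "reason": reason, "linked_records_removed": removed})

def run_retention(store: dict, today: date, audit: list) -> dict:
    """Apply the policy to the whole store; expired records are erased with cascade."""
    outcome = {"deleted": [], "flagged": []}
    for cid in list(store):              # copy the keys: the store shrinks as we delete
        action = evaluate_retention(store[cid], today)
        if action == "delete":
            erase_candidate(store, cid, audit, "retention_expired", today)
            outcome["deleted"].append(cid)
        elif action == "flag":
            outcome["flagged"].append(cid)
    return outcome

def export_dsar(store: dict, cid: str) -> dict:
    """DSAR: a single export covering the profile and all linked records."""
    c = store[cid]
    return {"id": c.id, "status": c.status, "status_date": c.status_date.isoformat(),
            "linked": {kind: list(items) for kind, items in c.linked.items()}}

def sample_store() -> dict:
    """Constructed sample records, not real candidates."""
    return {
        "A": Candidate("A", "rejected", date(2024, 5, 1), {"notes": ["i1", "i2"]}),
        "B": Candidate("B", "rejected", date(2024, 6, 20), {"notes": ["n"]}),
        "C": Candidate("C", "hired", date(2024, 1, 15), {"assessments": ["a"]}),
    }
```

Run against the constructed store on 2025-06-01, candidate A (rejected over a year ago) is erased with its two notes logged, B is flagged because it expires within 30 days, and C is retained.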

6 ATS platforms assessed for GDPR capability

1. Treegarden — GDPR-native design from day one

Treegarden was designed with GDPR compliance as a structural requirement, not a retrofit. The platform offers EU data residency, meaning candidate data for EU applicants can be stored and processed entirely within EU infrastructure. Consent capture is built into the application form builder — the privacy notice field is a required configuration step, not an optional extra. Automated retention policies allow HR teams to set retention windows by candidate status, with automated deletion execution at period end.

The DSAR workflow allows HR teams to export a complete data package for any named individual across all linked records — application data, notes, communication history, and assessment data — in a single operation. The deletion workflow cascades across all linked records with a full audit trail. The DPA available to customers covers sub-processor disclosure and SCCs.

The honest assessment: Treegarden's GDPR feature set is strong precisely because it wasn't built as a US product later adapted for European markets. The compliance workflows are first-class features rather than compliance-checkbox afterthoughts.

Best for: US companies with significant EU hiring volume who want clean GDPR compliance without ongoing legal complexity around data transfers.

2. Teamtailor — Swedish origin, genuine GDPR depth

Teamtailor is a Swedish-founded platform that predates GDPR but was built in a market where data privacy regulation was already strong. Its GDPR compliance tooling is among the most complete in the mid-market ATS category. The platform includes automated candidate data retention management, consent-based talent pool features (candidates are automatically prompted to renew consent before their data expires), DSAR support, and EU data residency as standard.

Teamtailor's approach to candidate privacy is also a product differentiator rather than a compliance burden — the platform's candidate experience design reflects strong privacy principles throughout. For US companies hiring substantially in Scandinavia, Germany, or the Netherlands, Teamtailor's GDPR depth is a genuine advantage.

3. Pinpoint — UK-founded, strong GDPR framework

Pinpoint was founded in the UK and has operated under GDPR since launch. Its compliance features are comprehensive: configurable consent on application forms, automated data retention with deletion workflows, DSAR export functionality, and a robust DPA. EU data residency options are available. Pinpoint's approach to GDPR is particularly strong on the candidate communication side — rejection emails, GDPR notices, and data retention communications are configurable and documented.

4. Greenhouse — has GDPR tools, but US-first design shows

Greenhouse has added substantial GDPR compliance tooling over the years, and for enterprise customers, the feature set covers the main requirements: data retention policies, DSAR workflows, consent management, and DPA availability. The complication is that Greenhouse's default configuration is optimised for US hiring workflows, and GDPR-specific features often require deliberate configuration rather than being active by default.

EU data residency options exist in Greenhouse but require enterprise tier access and explicit configuration. The platform's default data flow routes through US infrastructure unless specifically changed. For a US company doing occasional EU hiring, Greenhouse's GDPR features are adequate with proper setup. For a company where EU hiring is a significant operational volume, the configuration overhead is meaningful.

5. Workable — basic GDPR features, adequate for light EU exposure

Workable provides baseline GDPR compliance features: candidate data deletion, privacy policy links on application forms, and a DPA. The feature set is functional for US companies with limited EU hiring activity — occasional European hires, a small EU office team. For more substantial EU hiring volume, Workable's GDPR tooling is thin: automated retention policies are limited, DSAR workflows require manual work, and EU data residency is not a standard feature.

6. iCIMS — enterprise compliance available, but GDPR is add-on complexity

iCIMS has comprehensive compliance capabilities at the enterprise tier — it's used by large organisations with complex regulatory environments globally. The challenge for most companies evaluating iCIMS for GDPR purposes is that the GDPR toolset is part of a broader compliance module that adds cost and implementation complexity. The platform's base tier doesn't include the full GDPR feature set; it's layered in through additional configuration and enterprise agreements. For a large organisation with a dedicated compliance team and an existing iCIMS implementation, this is manageable. For a mid-market company evaluating ATS options, the GDPR features shouldn't be treated as included by default.

GDPR capability comparison

Platform   | GDPR Design           | EU Data Residency | Auto Retention      | DSAR Workflow    | DPA Quality
-----------|-----------------------|-------------------|---------------------|------------------|--------------------
Treegarden | Native                | Yes (standard)    | Yes                 | Yes              | Strong
Teamtailor | Native                | Yes (standard)    | Yes                 | Yes              | Strong
Pinpoint   | Native                | Yes               | Yes                 | Yes              | Strong
Greenhouse | US-first, adapted     | Enterprise only   | Yes (config needed) | Yes (enterprise) | Adequate
Workable   | US-first, basic GDPR  | Limited           | Limited             | Manual           | Basic
iCIMS      | Enterprise compliance | Yes (enterprise)  | Yes (enterprise)    | Yes (enterprise) | Strong (enterprise)

Questions to ask any ATS vendor about GDPR

Generic sales demos will not surface the specifics that matter for GDPR compliance. These are the questions to ask directly, with the expectation of demonstrated answers rather than verbal assurances.

GDPR vendor evaluation questions

  • Data residency: "Where specifically is EU candidate data stored? Which AWS or Azure region? Is EU data residency a standard feature or an enterprise add-on?"
  • Retention policies: "Show me how automated data retention works. If I set a 12-month retention period for rejected candidates, what exactly happens at month 12 — is deletion automatic, or does it require manual action?"
  • DSAR fulfillment: "Walk me through fulfilling a DSAR for a rejected candidate from 6 months ago. How do I export all their data — including notes written by three different interviewers — in a single operation?"
  • Consent capture: "Show me how the privacy notice appears to a candidate on the application form. Is it configurable per job posting? Is consent recorded with a timestamp?"
  • DPA: "Can I see your standard Data Processing Agreement? Which sub-processors are listed, and what transfer mechanisms do you rely on for international data flows?"
  • Deletion cascade: "If I delete a candidate record, what exactly is deleted? Are interview notes, communication history, and integration data all removed, or are there records that survive deletion?"


Practical steps to audit your current GDPR compliance in hiring

If you're a US company that has been hiring in the EU without having deliberately addressed GDPR compliance, the right approach is not to panic but to systematically close the gaps. Here's the sequence that matters most.

Step 1: Audit your current candidate data. How long have you been retaining EU candidate data? Is there a defined retention policy, and is it being enforced? If you have a backlog of candidate data from EU applicants that is beyond a reasonable retention period, developing a plan to delete it is a first priority — not just prospectively, but retrospectively.

Step 2: Review your application form privacy notice. Does your current application form show EU candidates a GDPR-compliant privacy notice that specifies the lawful basis for processing, retention period, and their rights? If not, this is a straightforward fix that should happen immediately.

Step 3: Evaluate your ATS vendor's DPA. Request your ATS vendor's Data Processing Agreement and review it against the minimum requirements: sub-processor list, transfer mechanisms for EU-US data flows, deletion obligations, and audit right provisions. If your vendor doesn't have a DPA or won't provide one, that is a compliance exposure that needs to be resolved.

Step 4: Configure retention policies. Once you've confirmed your ATS supports automated retention, configure it with the periods appropriate for your jurisdiction and document the rationale for those periods.

Step 5: Test your DSAR fulfillment capability. Create a test candidate record and try to fulfill a DSAR against it. See whether you can compile all associated data — including notes written by multiple users — in a single export. If you can't do this cleanly, you have a gap to address before the first real DSAR arrives.

Frequently asked questions

Does GDPR apply to US companies hiring in Europe?

Yes. GDPR applies to any organisation processing personal data of EU-located individuals, regardless of the organisation's location. A US company hiring in Germany, France, or any EU country is subject to GDPR for that hiring process. The regulation doesn't require a physical EU presence to apply — the data subject's location determines applicability.

What happens if our ATS isn't GDPR compliant?

Enforcement consequences include fines up to 4% of global annual turnover or €20 million (whichever is higher), supervisory authority investigations, and mandatory remediation orders. Practically, an unhandled DSAR or an inadequate deletion request is the most common trigger for regulatory scrutiny. Supervisory authorities in Germany, France, and the Netherlands have been active in recruitment data enforcement.

How long can we keep candidate data under GDPR?

GDPR requires data to be kept only as long as necessary for its purpose. Standard practice for rejected candidates is 6–12 months post-rejection. For hired employees, the full employment period plus typically 5–7 years post-employment. Consent-based talent pool extensions are a valid mechanism for retaining data beyond standard retention periods with explicit candidate permission. Your ATS should enforce these periods automatically.

Does an ATS need EU data residency to be GDPR compliant?

Not strictly — international data transfers to the US are permissible under the EU-US Data Privacy Framework and Standard Contractual Clauses. However, EU data residency eliminates the cross-border transfer complexity entirely and is the cleanest approach. If your ATS stores EU candidate data on US servers, confirm the transfer mechanism in your vendor's DPA and understand the ongoing monitoring obligations this creates.
