GDPR and recruitment: what personal data you process and under what legal basis

The General Data Protection Regulation (GDPR), in force since May 2018, has fundamentally transformed how companies collect, store and use personal data - including in the recruitment process. In Romania, GDPR is enforced through the National Supervisory Authority for Personal Data Processing (ANSPDCP), which can impose significant fines for non-compliance.

In the context of recruitment, the volume of personal data you process is substantial. A typical hiring process involves collecting and processing the following categories of data:

  • Identification data - first name, last name, email address, phone number, physical address, photograph (if included in the CV).
  • Professional data - full CV with work history, degrees, certifications, skills, achievements, projects.
  • Educational data - institutions attended, specialisations, grades, bachelor's or master's theses.
  • Assessment data - interview notes, evaluation scores, interviewer feedback, technical test results.
  • Sensitive data (special categories) - if collected: ethnic origin, religious beliefs, health status, sexual orientation. These require additional protection and, in general, should not be collected in the recruitment process unless there is a specific legal basis.

The legal basis for processing this data in recruitment can be:

Explicit consent of the candidate. The candidate, having been informed, clearly expresses agreement to the processing of their data for recruitment purposes. Consent must be freely given, specific, informed and unambiguous. A pre-ticked checkbox is not sufficient - the candidate must perform an active action (tick the box themselves).

Legitimate interest of the employer. The company has a legitimate interest in evaluating candidates for open positions. This legal basis is more flexible than consent, but requires a balancing (proportionality) analysis: the company's interest must outweigh, and not be overridden by, the candidate's interests and fundamental rights. In practice, legitimate interest typically covers processing data from CVs and evaluating applications, but does not cover long-term retention or using data for other purposes.

Performance of pre-contractual measures. When the recruitment process is a step towards concluding an employment contract, data processing may be justified as a pre-contractual measure at the candidate's request.

Practical recommendation

The safest legal approach is to use explicit consent as the primary legal basis for processing data in recruitment, complemented by legitimate interest for specific activities (such as reference checks). This gives you the most flexibility and the clearest documentation basis in the event of an ANSPDCP audit.

Candidate data retention: how long you can keep a CV in your database

One of the most frequently asked questions by HR departments is: "How long can we keep a candidate's data after the recruitment process ends?" GDPR imposes the principle of storage minimisation - data should not be kept longer than necessary for the original purpose of collection.

In practice, the generally accepted recommendation from EU data protection authorities is:

  • During the active recruitment process - data may be processed without additional restrictions, based on consent or legitimate interest.
  • 6-12 months after the position closes - this is the recommended retention period for rejected candidates, justified by the possibility of challenging the hiring decision or for similar future positions. After this period, data must be deleted or anonymised.
  • Extended retention with explicit consent - if you want to keep a promising candidate's CV for more than 12 months (e.g., for future position openings), you need the candidate's explicit and separate consent for this specific purpose.

Beware of the common practice of "keeping all CVs forever." Many HR professionals have a habit of accumulating massive databases with CVs that are years old, with no legal basis. This practice violates the data minimisation principle and exposes the company to significant fine risks. ANSPDCP has already imposed fines in Romania for excessive data retention in recruitment processes.

Retention management in Treegarden

Treegarden provides data retention management tools that help you comply with the storage minimisation principle. You can configure retention periods per candidate category, and the system automatically notifies you when expiration is approaching. Deletion or anonymisation can be done individually or in bulk, with a complete audit trail documenting the action - essential for demonstrating compliance in the event of an audit.
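The retention rules above (6-12 months after the position closes for rejected candidates, a longer period only with the candidate's separate consent, a warning before expiry, and an audit entry for every deletion or anonymisation) can be expressed as a small policy engine. The following is an added example written for this article, not Treegarden's own code; the retention periods, the notification window, the field names and the four sample records are assumptions chosen to exercise each branch of the policy.

```python
# Added example (not Treegarden's code): a retention sweep that applies the
# 6-12 month rule for rejected candidates, the separate-consent extension, a
# pre-expiry notification window and an audit entry for every anonymisation.
# All names, periods and sample records below are assumptions for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETENTION_DAYS = 180            # assumption: 6 months after the position closes
NOTIFY_DAYS_BEFORE = 14         # assumption: warn HR two weeks before expiry
EXTENDED_RETENTION_DAYS = 730   # assumption: 2 years when separate consent was given
DEMO_TODAY = date(2025, 6, 1)   # fixed "today" so the demo is reproducible


@dataclass
class Candidate:
    candidate_id: str                      # internal record id, kept after anonymisation
    name: str
    email: str
    phone: str
    cv_text: str
    position_closed_on: Optional[date]     # None while the position is still open
    extended_consent_on: Optional[date] = None  # date of the separate "keep my CV" consent
    anonymised: bool = False


def expiry_date(c: Candidate) -> Optional[date]:
    """Date from which the record may no longer be kept in identifiable form."""
    if c.position_closed_on is None:
        return None                                  # active process: no retention clock yet
    if c.extended_consent_on is not None:
        return c.extended_consent_on + timedelta(days=EXTENDED_RETENTION_DAYS)
    return c.position_closed_on + timedelta(days=RETENTION_DAYS)


def decide(c: Candidate, today: date) -> str:
    """Return one of: active, retain, notify, anonymise, anonymised."""
    if c.anonymised:
        return "anonymised"
    exp = expiry_date(c)
    if exp is None:
        return "active"
    if today >= exp:
        return "anonymise"
    if today >= exp - timedelta(days=NOTIFY_DAYS_BEFORE):
        return "notify"
    return "retain"


def anonymise(c: Candidate, today: date, audit: list) -> None:
    """Strip identifying fields in place; log the action against the internal id only."""
    c.name, c.email, c.phone, c.cv_text = "[anonymised]", "", "", ""
    c.anonymised = True
    audit.append({
        "candidate_id": c.candidate_id,
        "date": today.isoformat(),
        "action": "anonymise",
        "basis": "retention period expired",
    })


def run_retention_sweep(candidates: list, today: date, audit: list) -> dict:
    """Evaluate every record, anonymise the expired ones, return id -> decision."""
    decisions = {}
    for c in candidates:
        action = decide(c, today)
        decisions[c.candidate_id] = action
        if action == "anonymise":
            anonymise(c, today, audit)
    return decisions


def sample_candidates(today: date) -> list:
    """Constructed test data covering each branch of the policy."""
    def ago(days: int) -> date:
        return today - timedelta(days=days)
    return [
        Candidate("c1", "Ana Pop", "ana@example.com", "+40700000001", "cv", None),
        Candidate("c2", "Ion Ionescu", "ion@example.com", "+40700000002", "cv", ago(200)),
        Candidate("c3", "Maria Radu", "maria@example.com", "+40700000003", "cv", ago(170)),
        Candidate("c4", "Dan Stan", "dan@example.com", "+40700000004", "cv", ago(200),
                  extended_consent_on=ago(200)),
    ]


def sweep_demo():
    """Run the sweep over the sample data; returns (decisions, audit_log, records)."""
    audit_log: list = []
    people = sample_candidates(DEMO_TODAY)
    decisions = run_retention_sweep(people, DEMO_TODAY, audit_log)
    return decisions, audit_log, people


if __name__ == "__main__":
    decisions, audit_log, _ = sweep_demo()
    print(decisions)   # c1 active, c2 anonymise, c3 notify, c4 retain
    print(audit_log)
```

The sweep is idempotent: a record that was anonymised in an earlier run reports "anonymised" and is never touched again, and the audit entry references only the internal record id, so the log itself does not re-identify the person. Anonymisation rather than deletion keeps the record available for hiring statistics, which is the only reason to keep anything past the retention period.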

Candidate rights under GDPR and how to respect them in practice

GDPR grants candidates a set of specific rights that your company must respect and actively facilitate. In the context of recruitment, the most relevant are:

Right to information (Art. 13-14). The candidate must be informed, at the time of data collection, about: who processes the data (the company's identity), the purpose of processing (recruitment), the legal basis, the retention period, their rights and the possibility of lodging a complaint with the ANSPDCP. This information is usually provided through a privacy notice displayed on the career page and on the application form.

Right of access (Art. 15). The candidate can request to see all the data you hold about them, including interview notes, evaluation scores and internal correspondence. You are obliged to respond within a maximum of 30 days.

Right to rectification (Art. 16). The candidate can request the correction of incorrect or incomplete data, for example if they have obtained a new certification or changed their phone number.

Right to erasure - "right to be forgotten" (Art. 17). The candidate can request the deletion of all their data from the company's systems. With some exceptions (legal retention obligations), the company must comply within a maximum of 30 days. This includes: the CV, emails, interview notes, evaluation scores, all copies across all systems.

Right to data portability (Art. 20). The candidate can request to receive their data in a structured, commonly used and machine-readable format (e.g., JSON or CSV). This right applies to data processed based on consent or contract.

Right to object (Art. 21). The candidate can object to the processing of their data in certain circumstances, for example if the data is used for a different purpose than the original one (recruitment).

Complete audit trail in Treegarden

Every candidate in Treegarden has a complete activity timeline that chronologically records all actions: when they applied, what emails they received, who accessed their profile, what notes were added, when they were moved between stages. This audit trail is essential for demonstrating GDPR compliance - you can prove exactly what data was processed, by whom and for what purpose, at any point in time.

How GDPR applies to specific recruitment activities

Each activity in the recruitment process raises specific GDPR compliance questions. Let's analyse them one by one:

Career page and application form. The career page must include a clear privacy notice and a consent checkbox (unchecked by default) through which the candidate expresses agreement to data processing. Treegarden automatically integrates GDPR cookie consent on the career page, ensuring that visitors are informed about the cookies used and can choose what they accept.

CV database (Candidate DB). Maintaining a database of CVs received over time is a common but risky practice from a GDPR perspective. You must have a legal basis (usually explicit consent) for each CV kept, a defined retention period and a deletion mechanism upon expiry or at the candidate's request.

Email communication. Every email sent to a candidate (confirmation, invitation, rejection) is processing of personal data. Emails must only be sent for the communicated purpose (recruitment) and cannot be used for marketing or other purposes without separate consent. Treegarden records every email sent in the candidate's timeline, creating the necessary traceability.

Sharing candidates with external reviewers. When you share a candidate's profile with a manager or external consultant, you are transferring personal data to a third party. Treegarden handles this situation through sharing links with automatic expiration - the external reviewer can only access the profile for a limited period, and access is automatically revoked upon expiry.
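One way to build a sharing link whose access lapses on its own is to make the link a signed token that carries its own absolute expiry and is checked on every access. The block below is an added example for this article, not Treegarden's implementation, which the article does not describe; the token layout, the field names, the key handling and the sample values are all assumptions.

```python
# Added example (not Treegarden's code): a self-contained, HMAC-signed sharing
# token whose expiry is checked on every access, so access lapses without any
# manual revocation step. Key, field names and the sample values are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Per-deployment secret; assumption: in production it comes from a secrets store.
SERVER_KEY = secrets.token_bytes(32)


def b64encode_url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64decode_url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_share_link(candidate_id: str, reviewer: str, ttl_seconds: int,
                      key: bytes = SERVER_KEY, now: Optional[float] = None) -> str:
    """Mint a token bound to one candidate, one reviewer and an absolute expiry."""
    now = time.time() if now is None else now
    payload = {
        "cid": candidate_id,
        "rev": reviewer,                     # who the link was issued to (audit trail)
        "exp": int(now + ttl_seconds),       # absolute expiry, not a relative TTL
        "nonce": secrets.token_hex(8),       # makes each link unique, so it can be denylisted
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return f"{b64encode_url(body)}.{b64encode_url(sig)}"


def check_token(token: str, key: bytes, now: float) -> Tuple[Optional[dict], str]:
    """Return (payload, "ok") or (None, reason). Signature is checked before anything is trusted."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = b64decode_url(body_b64), b64decode_url(sig_b64)
    except ValueError:                       # wrong number of parts or invalid base64
        return None, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None, "bad signature"
    payload = json.loads(body)               # body is authentic at this point
    if now >= payload["exp"]:
        return None, "expired"
    return payload, "ok"


def verify_share_link(token: str, key: bytes = SERVER_KEY, now: Optional[float] = None,
                      access_log: Optional[list] = None) -> Tuple[Optional[dict], str]:
    """Validate a token on each access and record the attempt, successful or not."""
    now = time.time() if now is None else now
    payload, reason = check_token(token, key, now)
    if access_log is not None:
        access_log.append({"at": int(now), "result": reason,
                           "cid": payload["cid"] if payload else None,
                           "reviewer": payload["rev"] if payload else None})
    return payload, reason


if __name__ == "__main__":
    log: list = []
    link = create_share_link("cand-42", "reviewer@example.com", ttl_seconds=7 * 24 * 3600)
    print(verify_share_link(link, access_log=log))       # ok while within the week
    print(verify_share_link(link, now=time.time() + 8 * 24 * 3600, access_log=log))  # expired
    print(log)
```

Because the expiry travels inside the signed token, the server needs no scheduled job to revoke links: an expired token simply stops verifying. The trade-off of a stateless design is that early revocation (the reviewer leaves the project) needs a server-side denylist keyed on the nonce, which is why each token carries one; the access log produced on every verification is what feeds the per-candidate timeline described above.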

References and background checks. Contacting former employers or verifying information from the CV generally requires the candidate's explicit consent. Do not contact references without the candidate's prior consent - this is a direct violation of GDPR.

Beware of screenshots and informal copies

A common mistake is circulating candidate data through informal channels: CV screenshots sent on WhatsApp, copies of profiles shared via personal email, interview notes saved on local desktops. All these copies are personal data processing that falls under GDPR. Centralising all data in an ATS like Treegarden eliminates the need for informal copies and ensures a single source of truth for each candidate's data.

The most common GDPR violations in recruitment and how to avoid them

Based on ANSPDCP decisions and similar EU authorities, here are the most common GDPR violations in recruitment processes:

1. Lack of consent or invalid consent. Pre-ticked checkbox on the application form, vague consent text ("I agree with everything"), lack of information about what data is processed and for what purpose. Solution: a clear, unticked checkbox with specific text mentioning the purpose (recruitment), the retention period and the candidate's rights.

2. Excessive data retention. CVs kept for years with no legal basis, "inherited" databases with candidate data from previous recruitment processes. Solution: define a clear retention policy (6-12 months after the position closes) and implement automatic deletion mechanisms.

3. Failure to respond to candidate requests. The candidate requests data deletion and receives no response, or receives a response after more than 30 days. Solution: implement a clear internal process for handling GDPR requests, with defined responsibilities and deadlines.

4. Excessive data collection. Application forms requesting information irrelevant to recruitment: marital status, number of children, political beliefs, religion. Solution: apply the data minimisation principle - collect only what is strictly necessary for evaluating the application.

5. Lack of adequate security measures. CVs stored in unprotected shared folders, weak passwords, unlimited access by all employees to candidate data. Solution: use an ATS with role-based access control, encryption and access logs.
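Violations 1 and 4 above (invalid consent, excessive collection) are both caught at the same place: the server-side handler that receives the application form. It should accept consent only when the box was actively ticked, refuse forms that carry irrelevant or special-category fields, keep only an allow-list of fields, and write a consent record naming the purpose, the time and the privacy notice version shown. The block below is an added example for this article, not Treegarden's code; the field names, the allow-list and the notice version identifier are assumptions.

```python
# Added example (not Treegarden's code): server-side handling of an application
# form submission that enforces an unticked-by-default consent checkbox, an
# allow-list of fields (data minimisation) and a consent record that documents
# purpose, time and privacy notice version. Field names are assumptions.
from datetime import datetime, timezone
from typing import Optional, Tuple

# Assumption: the minimum needed to evaluate an application.
ALLOWED_FIELDS = {"first_name", "last_name", "email", "phone", "cv_text", "position_id"}
REQUIRED_FIELDS = {"first_name", "last_name", "email", "cv_text", "position_id"}
# Special categories and irrelevant data that must not be collected at all.
FORBIDDEN_FIELDS = {"marital_status", "children", "religion", "ethnic_origin",
                    "political_views", "health", "sexual_orientation"}
# Each consent checkbox maps to exactly one purpose; ticking one never implies another.
CONSENT_FIELDS = {"consent_recruitment": "recruitment", "consent_talent_pool": "talent pool"}
PRIVACY_NOTICE_VERSION = "2024-05"   # assumption: version of the notice shown on the form


def is_ticked(value) -> bool:
    """Only an actively ticked box counts; truthy strings such as "false" must not pass."""
    return value is True or value == "on"


def validate_application(form: dict, submitted_at: Optional[datetime] = None) -> Tuple[dict, list]:
    """Return (cleaned_record, dropped_fields) or raise ValueError with the reason."""
    if not is_ticked(form.get("consent_recruitment")):
        raise ValueError("explicit consent for recruitment processing is required")
    forbidden = sorted(FORBIDDEN_FIELDS & set(form))
    if forbidden:
        raise ValueError(f"form collects data irrelevant to recruitment: {forbidden}")
    missing = sorted(REQUIRED_FIELDS - set(form))
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    ts = (submitted_at or datetime.now(timezone.utc)).isoformat()
    record = {k: form[k] for k in sorted(ALLOWED_FIELDS) if k in form}
    # One consent entry per purpose actually ticked: the documentation basis
    # for each processing activity in the event of an audit.
    record["consents"] = [
        {"purpose": purpose, "given_at": ts, "notice_version": PRIVACY_NOTICE_VERSION,
         "method": "checkbox, unticked by default"}
        for fld, purpose in CONSENT_FIELDS.items() if is_ticked(form.get(fld))
    ]
    # Anything else the client sent is discarded, not stored.
    dropped = sorted(set(form) - ALLOWED_FIELDS - set(CONSENT_FIELDS))
    return record, dropped


def try_validate(form: dict, submitted_at: Optional[datetime] = None):
    """Non-raising wrapper: (record, dropped, None) on success, (None, None, reason) otherwise."""
    try:
        record, dropped = validate_application(form, submitted_at)
        return record, dropped, None
    except ValueError as exc:
        return None, None, str(exc)


SAMPLE_FORM = {  # constructed submission: consent ticked, one stray field
    "first_name": "Ana", "last_name": "Pop", "email": "ana@example.com",
    "cv_text": "Backend engineer, 5 years", "position_id": "P-001",
    "consent_recruitment": "on", "newsletter": "yes",
}

if __name__ == "__main__":
    print(try_validate(SAMPLE_FORM))
    print(try_validate({**SAMPLE_FORM, "consent_recruitment": "false"}))
    print(try_validate({**SAMPLE_FORM, "religion": "n/a"}))
```

Two details carry the compliance weight: consent is tested with `is_ticked` rather than plain truthiness, so a client that posts the string "false" is not treated as agreement, and a forbidden field causes a hard rejection rather than silent dropping, so a form that has started asking for marital status or religion is noticed by the team rather than quietly tolerated.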

EU AI Act and implications for AI-assisted recruitment

Beyond GDPR, companies using AI in the recruitment process need to be aware of the EU AI Act (EU Regulation on Artificial Intelligence), adopted in 2024 and progressively applicable from 2025-2027. This regulation classifies AI systems used in recruitment as high-risk, which implies additional requirements:

  • Transparency - candidates must be informed that AI is being used in their evaluation.
  • Human oversight - automatic AI decisions must be validated by a human operator before producing legal effects (hiring or rejection).
  • Non-discrimination - the AI system must be tested and monitored to ensure it does not introduce discriminatory bias based on gender, age, ethnic origin or other protected criteria.
  • Technical documentation - the company must be able to document how the algorithm works, what data it uses and how it was evaluated.
  • Risk assessment - the use of AI in recruitment requires a formal impact assessment on fundamental rights.

Treegarden was designed with these requirements in mind. AI Match Score is a decision-support tool, not an automated decision tool - scores are indicative, and the final decision always belongs to the human recruiter. The AI Bias Detection module actively checks job descriptions for discriminatory language, contributing to compliance with the non-discrimination requirement.

Penalties for non-compliance

GDPR provides for fines of up to 20 million euros or 4% of global annual turnover (whichever is greater). The EU AI Act provides for fines of up to 35 million euros or 7% of global turnover. In Romania, ANSPDCP has already imposed fines of hundreds of thousands of euros for GDPR violations. Compliance is no longer optional - it is a legal obligation with severe financial consequences.

Checklist: GDPR compliance in recruitment

To ensure your recruitment process is GDPR compliant, verify the following points:

  1. Privacy notice - The career page and application form include a clear notice about data processing: who processes, what data, for what purpose, for how long and what rights candidates have.
  2. Explicit consent - The application form includes a checkbox, unchecked by default, through which the candidate expresses agreement to data processing for recruitment purposes.
  3. Data minimisation - You only collect data strictly necessary for evaluating the application. You do not request information about marital status, religion, ethnic origin or other irrelevant data.
  4. Retention policy - You have a clear retention policy (recommended: 6-12 months after the position closes) and automatic or manual deletion mechanisms.
  5. Process for candidate requests - You have a clear internal process for handling access, rectification, deletion and portability requests, with a response deadline of at most 30 days.
  6. Data security - Candidate data is stored in a secure system with role-based access control, encryption and access logs.
  7. Team training - All HR team members and managers involved in recruitment have been trained on GDPR obligations and internal procedures.
  8. Audit trail - You can demonstrate, for each candidate, what data was collected, when, on what legal basis, who had access and what communications were sent.
  9. Controlled sharing - When sharing data with external reviewers, you use mechanisms with automatic expiration and controlled access (such as Treegarden's sharing links).
  10. AI transparency - If you use AI in evaluating candidates, candidates are informed about this, and AI decisions are validated by a human operator.

GDPR compliance in recruitment is not a one-time project - it is an ongoing process that requires constant attention, clear procedures and adequate tools. A modern ATS like Treegarden does not eliminate the company's legal responsibility, but provides the necessary technical infrastructure: consent managed on the career page, complete audit trail for each candidate, controlled sharing with expiration, deletion mechanisms and complete communication traceability.

Investing in GDPR compliance is not just a legal obligation - it is a demonstration of respect for your candidates and an important element of employer branding. Companies that treat candidate data seriously build trust, and trust is the foundation of any successful professional relationship.
