US-built ATS tools treat GDPR as a checkbox. European-built platforms treat it as a design principle. For UK HR teams navigating the post-Brexit landscape of UK GDPR — the retained version of the EU regulation as amended by the Data Protection Act 2018 — the distinction matters operationally, not just philosophically. Candidate data is personal data. The recruitment process is a data processing activity. Every stage of hiring, from the moment a CV lands in your inbox to the day you delete a rejected candidate's records, creates obligations under UK data protection law that many HR teams are not fully meeting.

GDPR and Recruitment: The Specific Obligations

The UK GDPR (as implemented through the Data Protection Act 2018) establishes a framework of obligations that applies specifically to how organisations handle candidate data. The core principles that govern recruitment data processing are:

  • Lawfulness, fairness and transparency: You must have a valid lawful basis for processing candidate data, and candidates must be informed of how their data will be used — typically through a privacy notice provided at or before the point of application.
  • Purpose limitation: Data collected for a specific recruitment process cannot be repurposed without a fresh lawful basis. A CV submitted for a Finance Manager role cannot be automatically enrolled into your general talent pool without explicit consent.
  • Data minimisation: You should collect only the data necessary for the recruitment decision. Collecting extensive personal information — nationality, date of birth, marital status — beyond what is required for the role and applicable eligibility checks creates unnecessary compliance risk.
  • Accuracy: Candidate data must be kept accurate and up to date. Stale candidate records with outdated contact information, superseded CVs, or obsolete application statuses create data quality and compliance risks.
  • Storage limitation: Data must not be retained for longer than necessary. Candidate data has defined maximum retention periods beyond which deletion is required.
  • Integrity and confidentiality: Candidate data must be protected against unauthorised access, accidental loss, and destruction. Storing CVs in unprotected shared drives, personal email accounts, or unsecured spreadsheets is a breach risk.

UK GDPR vs EU GDPR: The Key Differences for HR Teams

Since Brexit, the UK operates under UK GDPR (the EU regulation as retained in UK law) alongside the Data Protection Act 2018. For most practical recruitment purposes, UK GDPR and EU GDPR are substantively identical. The key difference is regulatory oversight: the ICO (Information Commissioner's Office) enforces UK GDPR, not the relevant EU supervisory authority. Organisations operating in both the UK and EU must comply with both frameworks separately and may need a legal representative in the EU if they process EU residents' data. UK adequacy decisions — which allow free data transfers between the EU and UK — are subject to periodic review.

Lawful Basis for Processing Candidate Data

Every processing activity involving candidate data requires a valid lawful basis under Article 6 of UK GDPR. In recruitment, three bases are commonly applicable:

Legitimate interests (Article 6(1)(f)): This is the most commonly used basis for recruitment processing. Processing candidate data to evaluate fit for a role, conduct background checks appropriate to the position, and manage the recruitment workflow constitutes a legitimate interest of the employer, provided it does not unduly override the candidate's privacy interests. Relying on legitimate interests requires a balancing test — a Legitimate Interests Assessment (LIA) — documenting that the interest is genuine, the processing necessary, and the impact on the candidate proportionate.

Contractual necessity (Article 6(1)(b)): Where processing is necessary for steps taken at a candidate's request prior to entering a contract, contractual necessity applies. This covers processing required to assess the candidate for the specific role they have applied for. It does not extend to speculative processing (adding the candidate to future talent pools) or processing for roles they have not applied to.

Consent (Article 6(1)(a)): Consent is a valid basis but a problematic one in recruitment contexts. GDPR-standard consent must be freely given, specific, informed, and unambiguous — difficult to achieve when there is an inherent power imbalance between an employer and a job-seeking candidate. The ICO has issued guidance noting that consent in employment contexts is rarely freely given and should not be the primary basis for processing that can be justified on legitimate interests or contractual necessity. Consent is, however, the appropriate basis for adding candidates to opt-in talent pools for future opportunities.

Special Category Data in Recruitment

Special category data — health information, racial or ethnic origin, religious beliefs, sexual orientation, disability status — requires an additional Article 9 condition alongside the Article 6 lawful basis. In recruitment, this typically arises when collecting diversity monitoring data (EEOC equivalents in the UK context), conducting occupational health assessments, or processing criminal conviction information. Diversity monitoring should be separated from selection decision data and processed on explicit consent with clear explanation of how it will and will not be used in hiring decisions. Criminal records checks via the Disclosure and Barring Service (DBS) have their own regulatory framework that must be followed independently.

Candidate Rights: Access, Erasure, and Portability

Candidates have enforceable rights under UK GDPR that HR teams must be operationally capable of fulfilling. Failure to respond appropriately to a Subject Access Request (SAR) or erasure request within the required timeframes is a reportable compliance breach:

Right of access (Article 15): Candidates can request a copy of all personal data held about them, information about how it is processed, and details of any third parties it has been shared with. UK GDPR requires a response within one calendar month. Extension to three months is permitted for complex requests, but the decision to extend must be communicated to the candidate within the first month. "Complex" means genuinely difficult to compile — not merely inconvenient. HR teams must have a process for locating candidate data across all systems: ATS, email, interview feedback forms, shared drives.

Right to erasure (Article 17): Also known as the "right to be forgotten." Candidates can request deletion of their personal data. This right is not absolute — it does not apply when processing is necessary for legal compliance or the establishment, exercise, or defence of legal claims. However, for standard rejected candidates beyond the retention period, erasure requests must be honoured. ATS platforms must support deletion of individual candidate records without manual workarounds.

Right to data portability (Article 20): Where processing is based on consent or contractual necessity and is carried out by automated means, candidates can request their data in a structured, commonly used, machine-readable format. This is less commonly exercised in recruitment contexts than access and erasure rights.

Right to object (Article 21): Candidates can object to processing based on legitimate interests. The organisation must cease processing unless it can demonstrate compelling legitimate grounds that override the candidate's interests or the processing is for legal claims.

How Long to Retain CV and Application Data

UK GDPR does not specify mandatory retention periods for candidate data — instead, the principle of storage limitation requires organisations to define and enforce appropriate periods. The ICO's guidance and established HR legal advice converge on the following as reasonable practice:

  • Unsuccessful applicants (rejected early): 6 months. Rationale: covers the Employment Tribunal claim window (3 months plus a buffer).
  • Shortlisted but not appointed: 12 months. Rationale: covers longer-tail legal claims and potential future opportunities.
  • Right to Work check documents: 2 years after employment ends. Rationale: legal requirement under the Immigration, Asylum and Nationality Act 2006.
  • Successful applicants (hired): duration of employment plus 6 years. Rationale: statute of limitations for employment-related claims.
  • Talent pool (consent-based): 12–24 months, or until consent is withdrawn. Rationale: consent should be refreshed or the data deleted periodically.
  • Interview notes and scoring: 6–12 months. Rationale: needed to respond to SARs or discrimination claims.

These are guidance periods, not legal absolutes. Employment solicitors recommend documenting your retention policy in writing, applying it consistently, and being prepared to justify any deviation from standard periods. The Employment Tribunal's 3-month limitation period for discrimination claims is the minimum floor for retaining rejected candidates' data — but longer periods are defensible and commonly adopted.

Automated Deletion vs Manual Deletion: Why It Matters

Many HR teams have data retention policies on paper but do not enforce them operationally. If your ATS requires a recruiter to manually delete candidate records against a retention schedule, it will not happen consistently. Effective GDPR compliance for candidate data requires automated retention enforcement — the platform applies the policy without requiring human action. Treegarden's candidate data management includes configurable automatic deletion after defined retention periods, with notifications before deletion to allow exceptions for active legal proceedings.
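The retention table above and the automated enforcement described in this section, as a runnable schedule engine. This is an added example, not Treegarden's code: the status names, the 30-day months, the 30-day pre-deletion warning window and the legal-hold flag are assumptions of mine.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods from the guidance table, in days. Assumptions (not from the
# article): 30-day months, a 30-day warning window before deletion, and hired
# candidates left out because their period runs from the end of employment.
RETENTION_DAYS = {"rejected_early": 6 * 30, "shortlisted": 12 * 30, "talent_pool": 24 * 30}
WARN_DAYS = 30

@dataclass
class Candidate:
    ref: str
    status: str
    status_since: date               # date the record entered its current status
    legal_hold: bool = False         # active claim or Tribunal proceedings
    consent_withdrawn: bool = False  # talent-pool consent has been withdrawn

def retention_deadline(c: Candidate):
    """Date the record becomes due for deletion, or None if outside the schedule."""
    days = RETENTION_DAYS.get(c.status)
    return None if days is None else c.status_since + timedelta(days=days)

def decide(c: Candidate, today: date) -> str:
    """keep, warn (due within WARN_DAYS), delete, or hold (due but legally blocked)."""
    if c.status == "talent_pool" and c.consent_withdrawn:
        return "hold" if c.legal_hold else "delete"  # consent gone, no basis remains
    deadline = retention_deadline(c)
    if deadline is None:
        return "keep"
    if today >= deadline:
        return "hold" if c.legal_hold else "delete"
    if today >= deadline - timedelta(days=WARN_DAYS):
        return "warn"
    return "keep"

def run_retention(records, today: date):
    """Apply the schedule to all records. Returns (actions by ref, audit log of
    every deletion or blocked deletion) for the compliance file."""
    actions = {"keep": [], "warn": [], "delete": [], "hold": []}
    audit = []
    for c in records:
        action = decide(c, today)
        actions[action].append(c.ref)
        if action in ("delete", "hold"):
            audit.append((today.isoformat(), c.ref, c.status, action))
    return actions, audit

# Constructed sample records, not real candidates.
SAMPLE = [
    Candidate("C-001", "rejected_early", date(2024, 1, 10)),                 # past 6 months
    Candidate("C-002", "rejected_early", date(2024, 3, 1)),                  # due this month
    Candidate("C-003", "shortlisted", date(2023, 6, 1), legal_hold=True),    # claim ongoing
    Candidate("C-004", "talent_pool", date(2023, 3, 1), consent_withdrawn=True),
    Candidate("C-005", "hired", date(2024, 2, 1)),                           # outside schedule
]

def sample_run():
    """Run the schedule against SAMPLE as at 1 August 2024 (constructed date)."""
    return run_retention(SAMPLE, date(2024, 8, 1))

if __name__ == "__main__":
    for action, refs in sample_run()[0].items():
        print(f"{action:6s} {refs}")
```

Records classed "warn" are the ones the notification step would surface to the data protection lead so a legal hold can be set before the deadline passes.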

What Your ATS Must Support for GDPR Compliance

An ATS that does not support basic GDPR operational requirements is a compliance liability, regardless of how capable it is as a recruitment tool. The minimum GDPR requirements for an ATS used by UK employers are:

  • Privacy notice delivery: Automated delivery of a GDPR privacy notice to candidates at the point of application or data collection. The notice must specify the lawful basis, retention period, and candidates' rights.
  • Individual record deletion: The ability to delete individual candidate records completely — including parsed CV data, application history, interview notes, and contact details — without deleting other candidate records or requiring database-level intervention.
  • Data export for SARs: The ability to export all data held about a specific candidate in a structured format to respond to Subject Access Requests.
  • Retention policy automation: Configurable automatic deletion or anonymisation of candidate records after defined periods, applied without manual intervention.
  • Data Processing Agreement: A signed DPA from the ATS vendor confirming their status as a data processor, the security measures applied, and the sub-processors used.
  • UK/EU data residency: For UK employers, candidate data should be stored on servers within the UK or a territory with an ICO adequacy decision. Verify where your ATS stores data — US-headquartered vendors may default to US server regions.
  • Breach notification capability: The vendor must notify you within 72 hours of becoming aware of a data breach affecting your candidate data, per UK GDPR's breach notification requirement (Article 33).

Data Breach Obligations: What to Do When Something Goes Wrong

A personal data breach under UK GDPR is not limited to external cyberattacks. Accidentally sending a candidate's CV to the wrong recruiter, leaving a laptop with candidate data unencrypted and unattended, or deleting candidate records inadvertently when they were required for an active legal claim — all are potential reportable breaches.

The UK GDPR breach response framework requires:

  1. Identify and contain: Determine the scope of the breach as quickly as possible. Who was affected? What data was exposed? Is the breach ongoing?
  2. Assess the risk: Not every breach requires notification to the ICO or to affected individuals. The threshold is "unlikely to result in a risk to the rights and freedoms of individuals." Most accidental data sharing or minor access incidents will not cross this threshold. Breaches involving sensitive data, large volumes of records, or information that could enable identity theft typically do.
  3. Report to the ICO within 72 hours: If the breach is likely to result in a risk, notify the ICO within 72 hours of becoming aware. "Without undue delay" is the standard — the 72-hour window starts from when the organisation becomes aware, not when the breach occurred. If you cannot provide full details within 72 hours, a provisional notification noting what is known and what is still being investigated is acceptable.
  4. Notify affected individuals if high risk: If the breach is likely to result in a high risk to individuals — for example, exposure of financial information or health data — you must notify affected individuals directly "without undue delay."
  5. Document the breach: All breaches must be documented internally, regardless of whether they are reportable. The documentation should include the facts, effects, and remedial action taken.

Practical preparedness means having documented breach response procedures before a breach occurs, not drafting them in the aftermath. Designate a data protection lead, establish contact with your ATS vendor's security team, and ensure your team knows how to identify a potential breach and who to escalate to.

What a GDPR-Compliant ATS Must Provide

A GDPR-compliant ATS must provide: automated privacy notice delivery at the point of application; individual candidate record deletion (not just archiving); Subject Access Request data export in structured format; configurable retention periods with automated enforcement; a signed Data Processing Agreement; breach notification capability within 72 hours; and data residency within the UK or a territory with ICO adequacy status. US-headquartered ATS platforms that default to US server regions may require additional contractual safeguards for UK employers. Verify data residency explicitly during procurement — it is not standard in all vendor contracts.

How Treegarden Handles GDPR for Candidate Data

Treegarden's candidate data management was designed with UK and EU GDPR requirements as first-class design constraints, not compliance additions bolted onto a US-origin system. The practical implications for HR teams:

Privacy notices: Candidate-facing application forms include configurable GDPR privacy notice delivery, ensuring candidates are informed of data processing at the point of application. The privacy notice content is customisable to reflect your organisation's specific data processing purposes and lawful bases.

Data retention automation: Configurable retention periods by application status (rejected early, shortlisted, hired). Treegarden automatically flags records approaching their retention limit and can be configured to anonymise or delete records automatically after the defined period. This enforces policy without relying on recruiter memory.

Individual record management: Full individual candidate record deletion is available to authorised users. All parsed CV data, application history, notes, and communications associated with a candidate can be deleted in a single operation, producing an audit log of the deletion for compliance records.

SAR response support: Candidate data export in structured format for Subject Access Request fulfilment. Treegarden's candidate profiles aggregate all data held about a candidate, making SAR compilation a systematic operation rather than a manual search across systems.

Data Processing Agreement: Treegarden provides a signed DPA confirming their processor status, GDPR-compliant sub-processor list, security measures, and breach notification commitments. This is a prerequisite for any organisation using Treegarden to process candidate personal data.

Right to Work screening: For UK hiring, Treegarden's auto-reject workflow for Right to Work eligibility applies consistent, legally defensible screening criteria before candidates progress to human review — reducing the risk of inadvertently progressing candidates whose eligibility for the role has not been verified.

Frequently Asked Questions

Does GDPR apply to CV data collected before the role is advertised?

Yes. If you collect CVs speculatively — for example, accepting direct applications or building a talent pool before a specific role is open — GDPR obligations apply from the moment the data is collected. You need a valid lawful basis (typically consent for speculative submissions) and must provide a privacy notice at the point of collection. Talent pools built on consent require refreshed consent or deletion when the retention period expires, typically 12–24 months.

How long can we keep unsuccessful candidate CVs under GDPR?

There is no single mandatory period under UK GDPR — organisations must define a period that is proportionate to the processing purpose. The ICO and employment law practitioners generally recommend 6 months for early-stage rejections (to cover the Employment Tribunal claim window) and up to 12 months for shortlisted candidates. Retention beyond 12 months requires a clear justification. Any retention period must be disclosed in your candidate privacy notice.

What must a candidate privacy notice for recruitment include?

Under UK GDPR Articles 13 and 14, candidate privacy notices must include: the identity and contact details of the data controller; the DPO's contact details if applicable; the purposes and lawful basis for processing; legitimate interests pursued (if used as the basis); recipients or categories of recipients of the data; details of any international transfers; retention periods; and the candidate's rights (access, erasure, rectification, objection, portability, and the right to complain to the ICO). The notice must be provided at or before the point of data collection.

Does AI candidate screening require additional GDPR compliance steps?

Article 22 of UK GDPR gives individuals rights in relation to solely automated decision-making that produces significant effects. Where AI screening makes or substantially influences a hiring decision without human review, candidates have the right to request human intervention, to express their views, and to contest the decision. In practice, most ATS AI is used to rank or flag candidates for human review rather than to make final decisions, which avoids the Article 22 threshold. Your candidate privacy notice should disclose any automated processing used in evaluation, and meaningful human oversight of AI-influenced screening is both legally prudent and operationally sound.

What is a Data Processing Agreement and why does our ATS need one?

A Data Processing Agreement (DPA) is a contract between a data controller (your organisation) and a data processor (your ATS vendor) that sets out the terms under which the processor handles personal data on the controller's behalf. Under UK GDPR Article 28, a DPA is legally required when you use a third-party processor for personal data. The DPA must specify: the subject matter, duration, nature and purpose of processing; the type of data processed; the controller's instructions to the processor; and the processor's obligations including confidentiality, security, assistance with SARs and breaches, and deletion of data at contract end. Operating an ATS without a signed DPA is a UK GDPR compliance failure.

GDPR compliance in recruitment is not a one-time project — it is an ongoing operational discipline. The organisations that manage it successfully are not necessarily those with the largest compliance teams, but those with ATS platforms that embed compliance requirements into the workflow rather than leaving them as manual responsibilities. Treegarden was built to make UK GDPR compliance operationally manageable: automated retention, built-in privacy notices, structured deletion workflows, and a signed DPA from day one. See how it works in practice with a demo.