What GDPR Article 17 (right to erasure) requires

GDPR Article 17 establishes the right to erasure — commonly referred to as the "right to be forgotten" — as one of the fundamental data subject rights under the Regulation. Under Article 17, data subjects have the right to obtain the erasure of their personal data without undue delay where one of several specified grounds applies. Organisations receiving valid erasure requests are obligated to act on them promptly and to communicate the outcome to the individual.

The grounds for erasure under Article 17(1) are: the personal data is no longer necessary in relation to the purpose for which it was collected; the data subject withdraws consent where consent was the lawful basis for processing and there is no other lawful basis; the data subject objects to processing under Article 21 and there are no overriding legitimate grounds; the personal data has been unlawfully processed; the personal data must be erased to comply with a legal obligation; or the personal data was collected in relation to the offer of information society services to a child.

In the recruitment context, the most common applicable ground is the first: personal data that is no longer necessary for the purpose for which it was collected. A candidate who applied for a role that has since been filled, whose data has been retained in the talent pool for a period beyond what is necessary for legitimate re-engagement purposes, or who simply wishes to withdraw from all future consideration, has a strong basis for an erasure request under Article 17(1)(a).

The second most common ground in recruitment is withdrawal of consent. Where an organisation relies on candidate consent as the lawful basis for retaining candidate data in a talent pool or for future opportunities — which GDPR permits but constrains — withdrawal of that consent by the candidate removes the lawful basis for processing and triggers the erasure obligation.

The 30-Day Clock Starts on Receipt

The response deadline begins when the request is received, regardless of how it arrives — email, ATS portal, phone call, letter. Logging receipt immediately is essential for demonstrating compliance. Under GDPR Article 12(3), controllers must respond without undue delay and in any event within one month of receiving the request. Where requests are complex or numerous, the period may be extended by a further two months with notification to the data subject — but in recruitment, most erasure requests are neither complex nor numerous, and the standard one-month timeline applies.

When the right to erasure applies to recruitment data

The right to erasure applies most directly in the recruitment context in three scenarios: where a candidate's application has been rejected and the retention period specified in the organisation's privacy notice has elapsed; where a candidate has consented to talent pool retention and subsequently withdraws that consent; and where a candidate requests removal from the employer's systems for any reason once the immediate recruitment process for which their data was collected has concluded.

The temporal dimension matters considerably. A candidate's personal data is unambiguously necessary while their application is being actively considered. Once the process is concluded — whether they are hired, rejected or withdraw — the necessity for the original purpose is satisfied, and ongoing retention requires a separate lawful basis. A legitimate interest in retaining candidate data for future similar roles is the most commonly invoked basis, but it must be genuinely assessed and documented, not assumed.

Where retention after rejection is based on legitimate interests, the data subject's right to object under Article 21 operates alongside the right to erasure. A candidate who objects to their data being retained in a talent pool must be removed from that pool even if the full erasure conditions under Article 17 are not technically met — the practical effect is the same. Building your erasure workflow to handle both Article 17 requests and Article 21 objections under a single process simplifies compliance management.

International talent pool practices create additional complexity. Candidates sourced or employed across different jurisdictions may have data rights under GDPR (for EU/EEA candidates), UK GDPR (for UK candidates), or equivalent legislation in other countries. The substantive rules are similar but not identical, and the response timeline and notification requirements vary. Organisations operating internationally should ensure their erasure workflow accommodates the most stringent applicable requirements rather than applying a single lowest-common-denominator approach.

Legitimate exceptions: when you can refuse an erasure request

Article 17(3) sets out the circumstances in which the right to erasure does not apply — meaning the organisation may legitimately refuse an erasure request or limit the erasure to specific data elements. Understanding these exceptions is as important as understanding the right itself, both to avoid over-deletion that destroys legitimately retained information and to avoid under-deletion that leaves you in breach.

The most relevant exception in employment contexts is the legal obligation and legal claim exception under Article 17(3)(b) and (e): erasure is not required where the data is necessary for compliance with a legal obligation, or for the establishment, exercise or defence of legal claims. In the recruitment context, this means that where a candidate has filed or threatened a discrimination complaint, or where a regulatory investigation is underway, the candidate's application data may need to be retained as evidence — and the erasure request may be declined on that basis, with an explanation to the data subject.

The important limitation on this exception is that it covers only the data necessary for the legal purpose — not the entirety of the candidate record. If a candidate whose data is subject to a discrimination investigation requests erasure, the organisation may retain the specific documents relevant to the investigation but is not permitted to retain all personal data on the basis that legal proceedings are possible. Proportionality is required: retain what is necessary, delete what is not.

Statistical purposes and archiving in the public interest are also listed exceptions, but they are unlikely to be applicable in standard commercial recruitment contexts. Employers who attempt to rely on statistical or archiving exceptions to refuse erasure requests from rejected candidates are unlikely to satisfy the substantiality requirement these exceptions impose.

Erasure Request Management in Treegarden

Treegarden logs incoming erasure requests, tracks the 30-day deadline and executes deletion with a complete audit record of what was removed and when. Requests received through any channel can be logged in the system, triggering an automated workflow that assigns the request to an HR compliance team member, generates a deadline notification and tracks completion. The audit record confirms which data elements were deleted, which were retained and on which legal basis retention was maintained.

The 30-day response requirement and what it means in practice

Article 12(3) requires controllers to respond to data subject rights requests without undue delay and in any event within one month of receiving the request. For erasure requests in particular, "respond" means communicating the outcome — whether the request has been complied with or refused, and if refused, on what grounds — not merely acknowledging receipt. An acknowledgement sent on day 1 and a substantive response sent on day 31 do not satisfy the one-month requirement.

The practical implications of the 30-day deadline for recruitment HR teams are significant. Erasure requests arrive through multiple channels: email to a general HR address, direct message through a job application portal, postal letter, or telephone call. Without a centralised logging system, requests can be missed entirely — a particularly common failure where a candidate sends an erasure request to a recruiter directly, and the recruiter treats it as a general enquiry rather than a formal GDPR request.

All staff who may receive candidate communications — recruiters, HR business partners, executive assistants who manage inboxes — should be trained to recognise erasure requests and to log them immediately in the central tracking system, regardless of how the request is phrased. A candidate who writes "please remove all my details from your records" is making an erasure request even if they do not reference Article 17 or GDPR explicitly. The test is the substance of the request, not its formal language.

Where additional time is needed — because the request involves large volumes of data, complex technical processes or a need to assess applicable exceptions — GDPR permits a two-month extension of the deadline, provided the data subject is informed of the extension and the reasons for it within the original one-month period. The extension must be genuine; using it as a default delay for all requests rather than as a response to genuine complexity is a GDPR compliance failure.

What data must be deleted — and what can be retained

A valid, uncontested erasure request requires deletion of all personal data held about the candidate across all systems — not just the main ATS record. This includes: the candidate profile and all fields in the ATS; attached CV, cover letter and portfolio documents; interview notes and evaluation records; email correspondence if stored in the ATS or linked CRM; background check authorisations and results (subject to legal claim exceptions); reference check records; and any data transferred to third-party systems during the recruitment process, such as calendar scheduling platforms or video interview tools.

The scope of the deletion obligation extends to all places where the candidate's personal data appears, including fields populated by the data in other records (a hiring decision record that contains the candidate's name, for example), audit logs that contain personal data, and derived data generated from the candidate's information such as AI assessment scores that are stored as personal data associated with the candidate's record.

Anonymised aggregate data derived from the candidate's application does not need to be deleted if it is genuinely anonymised — meaning it cannot be re-linked to the individual directly or by combining with other available data. Reporting metrics such as "35 candidates applied for this role in Q4 2025" do not become subject to erasure because one of those candidates submits an erasure request, provided the metric is stored as an aggregate count with no candidate-identifying information.

The documentation of the erasure itself — a record that a request was received on a specified date, that it was assessed and found valid, and that deletion was completed on a specified date — may be retained even after the substantive personal data is deleted. Retaining this record without the underlying personal data does not violate the erasure obligation; it satisfies the accountability principle under Article 5(2) by enabling the organisation to demonstrate compliance.

Data Anonymisation Option in Treegarden

Instead of full deletion, Treegarden offers an anonymisation option that replaces all personally identifiable information in a candidate record with pseudonymous identifiers, retaining the structural record — application date, role applied for, pipeline stages reached, outcome — for aggregate recruitment analytics while removing all data that could identify the individual. Anonymisation is a compliant alternative to full deletion where aggregate data has legitimate ongoing value, provided the anonymisation is technically robust and irreversible.

Partial erasure: retaining anonymised records while deleting personal data

In many recruitment contexts, the complete deletion of a candidate record destroys information that has legitimate ongoing value for analytics, process improvement and compliance auditing. The total count of applications for a role, the pipeline stage progression data for a hiring process, the time-to-hire record — these aggregate insights are valuable without requiring retention of any personal data about individual candidates.

Partial erasure through anonymisation allows organisations to satisfy the erasure obligation while preserving aggregate data. The approach requires that: all personal data fields (name, contact details, CV content, any field that could identify the individual) are deleted; the remaining record contains only non-personal data (role applied for, application date, pipeline stages reached, final outcome status); and the anonymisation is technically irreversible — it is not merely a display mask that hides personal data still stored in the underlying database.

The technical robustness of anonymisation is a critical GDPR requirement. Pseudonymisation — replacing personal data with a pseudonym that could be re-linked to the individual using a separate key — is not anonymisation for GDPR purposes and does not satisfy the erasure obligation. True anonymisation means that even the data controller cannot re-identify the individual from the remaining data, using any reasonably likely method. Where anonymisation is offered as an alternative to full deletion, the technical implementation must meet this standard.
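The difference between a display mask, pseudonymisation and anonymisation described above, as an added Python example that is not part of the original article and is not Treegarden's code. The record, field names and key are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample record; field names are assumptions, not a real ATS schema.
CANDIDATE = {
    "candidate_id": 48213, "name": "Jane Example", "email": "jane@example.org",
    "cv_text": "constructed CV text", "interview_notes": "constructed notes",
    "ai_score": 0.82,  # derived data tied to the candidate is still personal data
    "role": "Data Analyst", "application_date": "2025-10-14",
    "stages_reached": ["applied", "screen", "interview"], "outcome": "rejected",
}

# Allowlist of the structural fields the article says may remain. Anything not
# listed is dropped by default, so a field added to the schema later cannot
# survive anonymisation by accident. Whether these fields single someone out in
# a very small applicant pool is an assessment this code does not make.
RETAINED_FIELDS = ("role", "application_date", "stages_reached", "outcome")


def _tag(email, key):
    """Keyed pseudonym for an email address (HMAC-SHA256)."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def masked_view(record):
    """Display mask: the view hides values, the stored record is untouched."""
    return {**record, "name": "***", "email": "***"}


def pseudonymise(record, key):
    """Replace identifiers with a keyed pseudonym. Still personal data."""
    out = {f: record[f] for f in RETAINED_FIELDS}
    out["pseudonym"] = _tag(record["email"], key)
    return out


def relink(pseudo_record, candidate_emails, key):
    """Whoever holds the key can test known emails against the pseudonym."""
    for email in candidate_emails:
        if hmac.compare_digest(_tag(email, key), pseudo_record["pseudonym"]):
            return email
    return None


def anonymise(record):
    """Keep only allowlisted fields: no identifier, pseudonym or row key."""
    return {f: record[f] for f in RETAINED_FIELDS}


def leftover_fields(record):
    """Fields outside the allowlist; must be empty after anonymisation."""
    return sorted(f for f in record if f not in RETAINED_FIELDS)
```

Running `leftover_fields` over every anonymised row is a cheap post-erasure check that no identifier, pseudonym or original primary key was carried over.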

Communicating to the data subject that anonymisation has been performed rather than full deletion, and explaining why, is important for transparency. The response to the erasure request should specify whether full deletion or anonymisation was performed, describe what data was retained and in what form, and confirm that no retained data can be used to identify the individual.

A Good Retention Policy Prevents Most Erasure Requests

Organisations that proactively delete candidate data after reasonable retention periods receive far fewer erasure requests, because candidates' data is already gone. Proactive retention management is the most efficient compliance strategy. A well-designed retention schedule — for example, deleting rejected candidate data 12 months after the hiring process concludes, unless the candidate has consented to talent pool retention — means that the majority of erasure requests you might otherwise receive are resolved before they are made. Automated retention schedules in the ATS eliminate the operational burden of manually managing data lifecycles across thousands of candidate records.

Implementing an erasure workflow in your ATS

An effective erasure workflow in the ATS must cover five elements: request logging, deadline management, assessment against the applicable exceptions, execution of the deletion or anonymisation, and confirmation to the data subject with audit documentation. Each element must be systematised rather than ad hoc — the volume of recruitment activity at most organisations means that manual management of individual erasure requests is both operationally burdensome and error-prone.

Request logging should be centralised and accessible to all staff who may receive candidate data requests, with a clear intake process that captures the date received, the channel through which it arrived, the identity of the requester (verified appropriately) and the nature of the request. The intake record starts the clock on the 30-day deadline and should generate an automatic notification to the HR compliance team member responsible for responding.

Assessment against exceptions should follow a documented decision tree: Is this a valid erasure request? Does the data fall within any Article 17(3) exception? If exceptions apply, do they cover all data or only specific elements? What deletion or anonymisation approach is appropriate? The decision should be documented in the case record, with the reasoning that supports it — this documentation is the organisation's defence if the decision is later challenged.

Execution of deletion across all systems where the candidate's data appears requires a complete data map: every system, database and service that receives candidate data during the recruitment process must be identified, and the erasure process must address all of them. An ATS that integrates with a video interview platform, a reference check service and a calendar scheduling tool must extend its erasure process to all three. Data processor agreements with these services should specify their obligations when an erasure instruction is received from the controller.

Retention Schedule Automation in Treegarden

Treegarden allows HR teams to configure automatic deletion schedules for inactive candidates after defined periods — for example, 24 months post-rejection — reducing the volume of erasure requests by proactively managing data lifecycles. Retention schedules can be configured by role type, candidate status and the lawful basis for retention, with automated notifications sent to candidates before their data is scheduled for deletion, giving them an opportunity to update their consent for future retention if they wish to remain in the talent pool.

Frequently asked questions about the GDPR right to erasure in recruitment

Do candidates have the right to erasure if their application is still being considered?

A candidate may submit an erasure request at any point, including while their application is being actively considered. If the erasure request is valid and no legitimate grounds for retention apply, the employer must comply — which will necessarily end the candidacy, since the application cannot be progressed without the candidate's personal data. The employer should respond to the erasure request, confirm that the data has been deleted, and note that the deletion means the application can no longer be processed. Attempting to continue processing the application after confirming erasure would be a GDPR violation.

What is the difference between the right to erasure and the right to object?

The right to erasure under Article 17 is a right to have personal data deleted, subject to specific grounds and exceptions. The right to object under Article 21 is a right to object to processing carried out under the legitimate interests lawful basis, and requires the controller to stop processing unless it can demonstrate compelling legitimate grounds that override the data subject's interests. In recruitment, a candidate who objects to their data being retained in a talent pool is exercising the right to object; the practical effect is often the same as an erasure request, but the legal basis and the employer's obligations differ depending on which right the candidate is invoking.

Must we delete data from backup systems too?

GDPR requires deletion of personal data from all systems, including backups, but regulators and courts have recognised the practical difficulty of immediately purging data from backup archives. The generally accepted approach is to ensure that the data is not accessible or used from backup systems, that backup retention schedules are configured to overwrite or delete the data within a defined period, and that the erasure request is flagged so that if a backup is ever restored, the relevant data is identified for deletion at that point. Documenting this approach as part of your erasure procedure reduces regulatory risk.

Can we charge a fee for responding to erasure requests?

No. Under GDPR Article 12, responses to data subject rights requests, including erasure requests, must be provided free of charge. The only exception is where requests are "manifestly unfounded or excessive" — particularly where they are repetitive — in which case the controller may charge a reasonable fee or refuse to act. However, regulators apply this exception narrowly, and a single erasure request from a candidate cannot be considered manifestly unfounded or excessive, regardless of the volume of data involved or the operational effort required to comply.