The GDPR (General Data Protection Regulation), in force since May 2018, applies to any organisation processing personal data of EU/EEA residents — including candidates applying for roles based in or related to EU/EEA operations. For recruiting, this means every stage of the process involves personal data processing that must have a lawful basis, be transparent to candidates, and be managed in accordance with data subject rights.

The lawful bases most relevant to recruiting are: legitimate interest (the organisation has a genuine business need to process the data — collecting a CV to evaluate a candidate for a role); consent (the candidate explicitly agrees to data retention for purposes beyond the immediate application, such as talent pool inclusion for future roles); and legal obligation (retaining certain records for compliance purposes). The appropriate basis depends on the specific processing activity.

Candidate rights under GDPR include: the right to be informed (a clear privacy notice explaining what data is collected, how it is used, and how long it is retained), the right of access (candidates can request a copy of all personal data held about them), the right to rectification (candidates can request correction of inaccurate data), the right to erasure ('right to be forgotten' — candidates can request deletion of their data), and the right to data portability.

Practical GDPR compliance in recruiting requires: a clear candidate privacy notice on the careers page and application form, an explicit consent mechanism for talent pool retention beyond the immediate application, a defined data retention policy with automated deletion at the end of the retention period, a process for handling data subject access and deletion requests, and evidence of compliance that can be produced in the event of a regulatory inquiry.

Key Points: GDPR Recruiting

  • Lawful basis requirement: Every data processing activity must have an identified lawful basis — legitimate interest for the immediate application, consent for talent pool retention.
  • Privacy notice: Candidates must be clearly informed of what data is collected, why, how long it will be kept, and their rights.
  • Retention limits: Candidate data cannot be kept indefinitely — a defined retention period (typically 12-24 months) must be established and enforced.
  • Data subject rights: Candidates can request access, correction, deletion, or portability of their personal data — responses must be provided within 30 days.
  • Third-party obligations: Any service provider processing candidate data on your behalf (ATS vendor, background check provider) must have a Data Processing Agreement in place.

How GDPR Recruiting Works in Treegarden

Treegarden is built with GDPR compliance as a core feature. The platform includes configurable candidate privacy notices, explicit consent collection for talent pool retention, automated data retention schedules with deletion triggers, and data subject request management workflows. The Data Processing Agreement with Treegarden covers the platform's role as a data processor. Audit logs of all data access and processing activities provide the evidence of compliance required for regulatory inquiries.

Frequently Asked Questions About GDPR Recruiting

GDPR applies based on the location of the data subject (the candidate), not the location of the employer. If your organisation is recruiting for roles in the EU/EEA and collecting personal data from EU/EEA residents, GDPR applies regardless of where the employer is based. A US company recruiting for a Dublin office must comply with GDPR for the data it collects from Irish candidates. Conversely, if a UK-based company is recruiting for a US role and only collects data from US residents, GDPR does not apply to those candidates (though UK GDPR, which mirrors EU GDPR post-Brexit, may apply to the employer's other data processing activities). The practical test is: are any of the candidates whose data you are processing based in the EU/EEA? If yes, GDPR compliance is required for those individuals.

GDPR does not specify a mandatory retention period for candidate CVs — it requires that personal data be kept for no longer than necessary for the purpose for which it was collected. The appropriate retention period depends on context. For unsuccessful candidates who did not consent to talent pool inclusion, a retention period of 6-12 months after the application process concludes is generally considered proportionate — long enough to allow for appeals or questions about the decision, short enough not to retain data longer than the candidate could reasonably expect. For candidates who have explicitly consented to talent pool inclusion for future roles, 12-24 months is commonly used, with periodic re-consent requests. Whatever retention period is chosen, it must be documented in the privacy notice, communicated to candidates, and enforced through automated deletion.

A candidate privacy notice (or recruiting privacy notice) is a document that explains how an employer handles candidates' personal data. Under GDPR, it must include: the identity and contact details of the data controller (the employer); the contact details of the Data Protection Officer if one is appointed; the categories of personal data collected (CV, contact details, interview notes, assessment results, etc.); the purposes and lawful basis for each processing activity; where data is shared (other group companies, ATS vendor, background check provider); retention periods for each category of data; candidate rights (access, rectification, erasure, portability, objection, restriction) and how to exercise them; and the right to lodge a complaint with the relevant supervisory authority. The notice must be provided at the time data is collected — typically embedded in the application form or linked prominently on the careers page.

A Data Processing Agreement (DPA) is a contract between a data controller (the employer) and a data processor (a third-party service provider that processes personal data on the controller's behalf). Under GDPR Article 28, a DPA is legally required whenever an employer engages a third party to process candidate or employee personal data. In the recruiting context, this means a DPA is required with the ATS vendor (which stores candidate data on the employer's behalf), background check providers, assessment tool vendors, and any other service provider that handles personal data as part of the recruiting process. The DPA must specify the nature, purpose, and duration of the processing; the types of personal data involved; the security measures the processor implements; and the processor's obligations regarding data subject requests and breach notification. Reputable ATS vendors provide standard DPAs that can be reviewed and executed as part of the contract process.