GDPR Candidate Consent Form Template
Four variants: pre-application consent for EU GDPR, post-application consent for EU GDPR, pre-application for UK GDPR, and post-application for UK GDPR. Replace highlighted placeholders with your company details.
Candidate Privacy Notice & Data Processing Statement
To be displayed on the job application form / career page. EU GDPR — Active Recruitment.
Who We Are (Data Controller)
[Company Full Legal Name], registered at [Registered Address], company registration number [Number], is the data controller responsible for the personal data you provide during this application process. Our Data Protection Officer can be contacted at: [DPO Name / [email protected]].
What Data We Collect
As part of this application, we will collect and process the following categories of personal data:
- Contact information (name, email address, phone number, postal address)
- CV, covering letter, and work samples submitted by you
- Employment history, qualifications, and professional certifications
- Interview notes, assessments, and evaluation records generated during the process
- Reference information provided by third parties with your consent
- Right-to-work documentation (if required at offer stage)
We do not knowingly collect special categories of personal data (health, racial or ethnic origin, religion, political opinions, trade union membership, biometric data) as part of the standard recruitment process. If such data is voluntarily disclosed, it will be processed under Article 9(2)(b) GDPR where necessary for obligations in the field of employment law, or with your explicit consent.
Legal Basis for Processing
We process your personal data on the following legal bases:
- Legitimate interests (Article 6(1)(f) GDPR): Processing your application data to evaluate your suitability for the role you have applied for. Our legitimate interest is to recruit qualified candidates for our open positions. This interest is not overridden by your rights, as the processing is expected when applying for employment.
- Legal obligation (Article 6(1)(c) GDPR): Where we are required by law to collect and retain certain data (e.g., right-to-work checks).
- Pre-contractual steps (Article 6(1)(b) GDPR): Where processing is necessary to take steps at your request prior to entering into an employment contract.
How We Use Your Data
Your data will be used exclusively for the purposes of evaluating your application for the role(s) you have applied for at [Company Name]. We will not use your data for any other purpose without your explicit consent.
Who Receives Your Data
Your application data will be accessible to members of the recruitment team, the relevant hiring manager, and any panel interviewers involved in the selection process. We use the following third-party processors who may access your data:
- Applicant Tracking System: [ATS Name, e.g., Treegarden] — [EU/EEA data residency / SCCs in place]
- Background check provider (if applicable): [Provider Name]
- Video interview platform (if applicable): [Provider Name]
We do not sell, rent, or share your personal data with third parties for marketing purposes.
Retention Period
If your application is unsuccessful, we will retain your data for a period of [6 / 12] months from the date the position is filled or the process is closed, unless you request earlier deletion. This retention period allows us to respond to any complaints or legal claims related to the recruitment process. After this period, your data will be securely deleted.
If you are offered and accept employment, your application data will be transferred to your employee personnel file and retained in accordance with our employment data retention policy.
Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access: To request a copy of all personal data we hold about you
- Right to rectification: To request correction of inaccurate data
- Right to erasure: To request deletion of your data (subject to our legal obligations)
- Right to restriction: To request that we limit processing of your data
- Right to data portability: To receive your data in a machine-readable format
- Right to object: To object to processing based on legitimate interests
To exercise any of these rights, contact: [[email protected] or postal address]. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority: [e.g., CNIL (France), BfDI (Germany), Garante (Italy), AEPD (Spain)].
By submitting your application, you acknowledge that you have read and understood this Privacy Notice. Processing your application does not require your consent under the above legal bases; however, we will seek your explicit consent if we wish to retain your data beyond the active recruitment cycle for future opportunities.
Talent Pool Consent Form
To be sent to unsuccessful candidates whose data you wish to retain for future roles. EU GDPR.
Request to Retain Your Data for Future Opportunities
Dear [Candidate First Name],
Thank you for your application for the [Job Title] position at [Company Name]. Although we have proceeded with another candidate for this particular role, we were impressed with your background and would like to keep your details on file to consider you for future opportunities that may match your skills and experience.
Under the General Data Protection Regulation (EU) 2016/679, we are required to obtain your explicit consent before retaining your personal data beyond the conclusion of the active recruitment process. This form explains how your data will be used if you consent, and what rights you have.
Data We Will Retain (with Your Consent)
- Your name and contact information
- Your CV and covering letter
- Interview notes and evaluation records from your recent application
Purpose of Retention
Your data will be retained solely to consider you for future relevant roles at [Company Name]. We will contact you when a suitable opportunity arises. We will not share your data with third parties outside of our recruitment team and ATS provider for this purpose.
Retention Period
If you consent, we will retain your data for [12 / 24] months from the date of this request. At the end of this period, your data will be securely deleted unless you renew your consent. You may withdraw your consent and request deletion at any time by contacting [[email protected]].
Name:
Signature:
Date:
Data Controller: [Company Full Legal Name], [Registered Address]. DPO contact: [[email protected]]. You have the right to lodge a complaint with your national data protection authority.
Candidate Privacy Notice — Active Recruitment
To be displayed on the job application form / career page. UK GDPR (post-Brexit).
Data Controller
[Company Full Legal Name], registered in England and Wales, company number [Number], registered office at [Address], is the controller of your personal data. Contact: [[email protected]]. [If applicable: Our Data Protection Officer is [Name], contactable at [email].]
Data Collected
We collect: contact details, CV and application documents, employment history, qualifications, interview assessments, reference information, and right-to-work documentation at offer stage. We do not request special category data (health, ethnicity, religion, disability) as part of the standard process. Any voluntary disclosure is processed under UK GDPR Article 9(2)(b).
Lawful Basis (UK GDPR Article 6)
- Legitimate interests: Evaluating applications for advertised vacancies. We have completed a Legitimate Interests Assessment (LIA) and determined that your reasonable expectation when applying for employment means our interests are not overridden by your rights.
- Legal obligation: Right-to-work checks under the Immigration, Asylum and Nationality Act 2006.
- Pre-contractual steps: Where you have requested that we take steps prior to entering into a contract.
Recipients
Accessible to our internal recruitment team and hiring panel. Third-party processors include: [ATS — e.g., Treegarden, UK data residency], [background check provider], [video interview platform if used]. We do not transfer your data outside the UK without appropriate safeguards (UK Standard Contractual Clauses or adequacy decisions).
Retention
Unsuccessful applicants: data retained for [6/12] months from process close, then securely deleted. Successful applicants: data transferred to employee file. Extended retention requires your explicit consent.
Your Rights (UK GDPR)
You have rights of access, rectification, erasure, restriction, objection, and data portability. To exercise rights, contact [[email protected]]. You may also complain to the Information Commissioner’s Office (ICO): ico.org.uk, 0303 123 1113.
By submitting your application, you confirm you have read this notice. This notice does not constitute consent — processing is based on legitimate interests and pre-contractual steps as described above.
Talent Pool Consent — UK GDPR
To be sent to unsuccessful candidates whose data you wish to retain. UK GDPR.
Dear [Candidate Name],
Thank you for your application for the role of [Job Title]. We have decided to proceed with another candidate on this occasion, but we were impressed with your profile and would like your permission to retain your details for future opportunities.
Under the UK General Data Protection Regulation (UK GDPR), we need your explicit consent to hold your personal data beyond the conclusion of the active recruitment process for this role.
What We Will Retain
- Name, contact information, and location preferences
- CV, covering letter, and application documents
- Notes and assessments from your application and interview
How It Will Be Used
We will hold your data solely to consider you for future relevant vacancies. We will contact you by email if a suitable opportunity arises. Your data will not be shared with third parties outside of our recruitment team and our ATS provider ([ATS Name]), which stores data in the UK.
Retention Period and Your Rights
If you consent, we will retain your data for [12] months. At the end of this period, we will securely delete your data or contact you to renew consent. You may withdraw consent or request erasure at any time by emailing [[email protected]] — this will not affect any processing already carried out. You have the right to access your data, correct errors, and complain to the ICO (ico.org.uk).
Full Name:
Signature:
Date:
Controller: [Company Name] | Privacy contact: [[email protected]] | ICO Registration No: [ZA######]
Treegarden is GDPR-native
Built-in consent capture, automated data retention policies, candidate deletion workflows, and a full audit trail — all included from day one.
Request a demo →Frequently Asked Questions
Do I need consent to process candidate data under GDPR?
Not always. For active recruitment, legitimate interests typically applies without explicit consent. Explicit consent is required when you want to retain data beyond the active cycle (talent pool). Document your chosen legal basis in your ROPA.
How long can I keep candidate data under GDPR?
No prescribed period — keep only as long as necessary. Best practice: delete unsuccessful applicant data 6–12 months after process close. For talent pool retention, obtain explicit consent and set a 12–24 month retention window with renewal.
What rights do job candidates have under GDPR?
Right of access, rectification, erasure, restriction, data portability, and the right to object. You must respond within 30 days. Candidates can also complain to their national supervisory authority (ICO in the UK).
What should a candidate privacy notice include?
Controller identity, DPO contact, purposes and legal basis for each, data categories, recipients, international transfer safeguards, retention periods, data subject rights, right to complain to supervisory authority, and whether providing data is required.