GDPR in recruiting
Also called: GDPR for hiring, DSGVO for recruiting
The four rules that matter most in recruiting
GDPR is wide. The parts that touch recruiting day-to-day:
- Lawful basis: every candidate’s data has a documented basis for processing. For applicants, it’s “necessary for steps before entering a contract.” For talent pool members, it’s explicit consent.
- Data minimization: collect only what the role requires. No date of birth on an application form unless the role legally requires it.
- Retention limits: candidate data has a stated retention period (typically 6-12 months after the search closes for rejected candidates, longer with consent).
- Candidate rights: right to access, right to delete, right to rectify. Build the workflow for these requests up front; don’t improvise on first contact.
Where SMBs commonly trip
The frequent failures:
- Pool members with no consent. Sourcing someone, having a call, putting them in the talent pool — without a recorded “may I keep your data for X months” consent. Technically a breach.
- Indefinite retention. “We keep all applications forever in case a future role opens.” Not GDPR-compliant.
- Required fields with no purpose. Date of birth, marital status, photo (in some markets) collected by default. Each requires a justified purpose.
What “consent” actually requires
Consent in GDPR is specific, informed, freely given, and withdrawable. A pre-ticked checkbox is not consent. A clause in a 30-page T&C is not consent. The clean pattern: a clear, short, separate consent at the moment data leaves the immediate hiring use case.
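The rules above (lawful basis, retention limits) and the failure modes in the previous section (pool members without consent, indefinite retention, withdrawal) can be checked mechanically against candidate records. The following is an added example, not Join's code; the record fields, the 6-month retention setting and the finding texts are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed retention setting: rejected applicants are erased 6 months after the search closes.
RETENTION_AFTER_CLOSE = timedelta(days=182)


@dataclass
class Candidate:
    candidate_id: str
    basis: str                                # "pre_contract" (applicant) or "consent" (talent pool)
    search_closed_on: Optional[date] = None   # pre_contract only; None means the search is still open
    consent_given_on: Optional[date] = None   # consent only; the timestamp of the recorded consent
    consent_until: Optional[date] = None      # consent only; end of the "keep for X months" window
    consent_withdrawn_on: Optional[date] = None


def erase_by(c: Candidate) -> Optional[date]:
    """Latest date the record may be kept, or None when no lawful basis supports keeping it."""
    if c.basis == "pre_contract":
        if c.search_closed_on is None:
            return date.max                   # search still running: the pre-contract basis holds
        return c.search_closed_on + RETENTION_AFTER_CLOSE
    if c.basis == "consent" and c.consent_given_on is not None:
        if c.consent_withdrawn_on is not None:
            return c.consent_withdrawn_on     # withdrawal ends the basis on the day it is received
        return c.consent_until                # None here means consent with no end date
    return None                               # unknown basis, or a pool member with no consent


def audit(c: Candidate, today: date) -> list[str]:
    """Findings a retention review raises for one record; an empty list means it may be kept."""
    findings: list[str] = []
    if c.basis == "consent" and c.consent_given_on is None:
        findings.append("talent pool member without recorded consent: erase")
    elif c.basis == "consent" and c.consent_until is None and c.consent_withdrawn_on is None:
        findings.append("consent has no end date (indefinite retention): fix or erase")
    deadline = erase_by(c)
    if deadline is None and not findings:
        findings.append("no lawful basis recorded: erase")
    elif deadline is not None and deadline < today:
        findings.append(f"retention ended on {deadline.isoformat()}: erase")
    return findings
```

Run `audit` over every record on a schedule; the records it flags are the ones a deletion request or a regulator would ask about first.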
Where Join fits
Join records consent timestamp and basis per candidate, applies retention windows by configuration, and surfaces deletion-request workflows. See the privacy policy for how Join handles candidate data.