Legal & Compliance

Data Processing Agreements for HR Tools: What Recruiters Actually Need to Check

HireSift · April 26, 2026 · 7 min read

You've just signed up for a new applicant tracking system. The vendor sends over a pre-filled Data Processing Agreement (DPA). You sign it because you know you have to — but do you know what should actually be in it? And what happens if something is missing?

This guide breaks down the DPA requirements under GDPR Article 28 specifically for HR tools. You'll learn when a DPA is required, what it must contain, and what to watch out for with US-based vendors and AI-powered tools.


What Is a DPA — and When Do You Need One?

A Data Processing Agreement (DPA) — known in German as an Auftragsverarbeitungsvertrag (AVV) — governs the relationship between you as the data controller and a service provider that processes personal data on your behalf.

When does data processing on behalf occur?

Processing on behalf (or "commissioned processing") happens when an external provider processes data for you and acts under your instructions. Common HR examples include:

  • An ATS storing candidate data on the vendor's servers
  • An AI tool analysing CVs on your behalf
  • A video interview platform recording and evaluating interviews

If the vendor processes data for its own purposes, for example product improvement or sharing with third parties, it acts as an independent controller for that processing. An Article 28 DPA does not cover that part: you need your own lawful basis for disclosing the data to the vendor, candidates must be told about it in your privacy notice, and where you and the vendor jointly determine the purposes, Article 26 GDPR requires a joint-controller arrangement. For an ATS, own-purpose use of candidate data (such as training the vendor's models on your applicants' CVs) should be treated as a red flag and either excluded in the contract or covered by a documented legal basis.

Mandatory under GDPR Article 28: As soon as commissioned processing is involved, a DPA is legally required, in writing, which under Article 28(9) includes electronic form. Without one, both you and the vendor are in breach of the GDPR, regardless of how privacy-friendly the vendor actually is.


What Must a DPA for HR Tools Include?

Article 28(3) GDPR specifies the minimum content. Here's the checklist for HR tools:

1. Subject Matter, Duration, and Purpose of Processing

The DPA must clearly state what data is processed, for how long, and why. For an ATS, this might look like:

  • Subject matter: Processing of candidate data (name, contact details, CVs, cover letters, communications)
  • Duration: Duration of the contract plus applicable retention periods
  • Purpose: Supporting the recruitment process

Vague language like "provision of software services" isn't sufficient. Insist on specifics.

2. Nature of Personal Data and Categories of Data Subjects

What data categories does the vendor process? For HR tools, typically:

  • Candidate personal details (name, address, date of birth)
  • Application documents (CV, certificates, photo)
  • Communication data (emails, interview notes)
  • Potentially special categories: disability, health data (if collected)

Important: Special categories under Article 9 GDPR (health, disability, trade union membership) require additional safeguards. Check whether your tool collects any of these.

3. Rights and Obligations of the Controller

The DPA must confirm that you retain control over the data. The processor may only process it according to your documented instructions.

4. Obligations of the Processor

Under Article 28(3) GDPR, the vendor must commit to:

  • Processing data only on your documented instructions, including any transfers to third countries (Art. 28(3)(a))
  • Ensuring that everyone with access to the data is bound by confidentiality, whether staff or sub-processors (Art. 28(3)(b))
  • Implementing the technical and organisational measures (TOMs) required by Article 32 (Art. 28(3)(c))
  • Engaging sub-processors only with your prior authorisation and on equivalent contractual terms (Art. 28(2), (3)(d) and (4))
  • Assisting you with data subject requests such as access and erasure (Art. 28(3)(e))
  • Assisting you with security, breach notification and DPIAs under Articles 32 to 36 (Art. 28(3)(f))
  • Deleting or returning all data at the end of the contract, at your choice (Art. 28(3)(g))
  • Making available all information needed to demonstrate compliance and allowing audits (Art. 28(3)(h))
  • Informing you immediately if, in its opinion, one of your instructions infringes data protection law (Art. 28(3), last sentence)

5. Technical and Organisational Measures (TOMs)

TOMs are concrete security measures. They should be specified in the DPA or an annex. Typical TOMs for HR software:

  • Encryption in transit (TLS 1.2 or higher) and at rest (for example AES-256), with a statement of who holds the keys
  • Access controls and role-based permissions, including how vendor staff access to customer data is restricted and logged
  • Regular backups and restoration testing
  • Penetration testing and security audits (ask for the date of the last test and whether a summary report is available)
  • Incident response and data breach notification procedures, including the processor's duty under Article 33(2) to notify you without undue delay, ideally with a concrete deadline in the DPA

Check whether TOMs are described concretely or just in vague terms. "We apply industry-standard security" is not specific enough.

6. Sub-Processors

Almost every SaaS vendor uses sub-processors — cloud hosts (AWS, Azure, Google Cloud), email services, support tools. Under Article 28(2) they may only be engaged with your prior specific or general written authorisation. Most DPAs use a general authorisation, in which case the DPA must address:

  • Which sub-processors are used, including their location (an annex or a published list)
  • That changes are communicated in advance, with a stated notice period and your right to object
  • That the vendor imposes the same data protection obligations on sub-processors and remains fully liable to you for their performance (Art. 28(4))

US Vendors: Schrems II, CLOUD Act, and Standard Contractual Clauses

Many HR tools originate in the US — Greenhouse, Workday, Lever, Avature. Since the CJEU's Schrems II ruling in July 2020, which invalidated the Privacy Shield, a transfer to the US needs a valid mechanism under Chapter V GDPR. Since July 2023, the EU-US Data Privacy Framework (DPF) adequacy decision permits transfers to US companies that have self-certified under the DPF. For any vendor or sub-processor that is not certified, you need Standard Contractual Clauses or another Article 46 mechanism, plus supplementary measures where the assessment below calls for them.

What should you check?

Standard Contractual Clauses (SCCs)

The European Commission adopted new SCCs in June 2021 (Decision (EU) 2021/914); the older sets could no longer be relied on for existing contracts after 27 December 2022. The DPA must state which module applies (Module 2, controller to processor, for a typical ATS) and attach the completed annexes. Check that the SCCs are actually signed and not just referenced. For transfers from the UK, the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs is used instead, and the UK has its own extension to the DPF.

Transfer Impact Assessment (TIA)

Schrems II established it, and the 2021 SCCs themselves require it: under Clause 14 the parties must assess, and document, whether the laws and practices of the destination country prevent the importer from complying with the Clauses. You need to evaluate whether SCCs are sufficient in the specific context or whether supplementary measures are needed, such as encryption where the vendor never holds the keys, or pseudonymisation before the data leaves the EU. A TIA is not required where the transfer relies on the DPF adequacy decision, but you should still verify that the vendor's certification is current and covers HR data.

CLOUD Act

The US CLOUD Act allows US authorities to compel US companies, including their EU subsidiaries, to hand over data in their possession, custody or control, wherever the servers are physically located. This applies whether the transfer relies on SCCs or on the DPF, so "EU hosting" by a US-owned vendor reduces but does not remove the risk. Document it as a residual risk in your TIA and in your vendor risk assessment.

Practical steps:

  1. Ask your vendor what legal framework governs any international data transfers, including those by sub-processors.
  2. Check whether the vendor (and each US sub-processor) appears on the DPF list published by the US Department of Commerce, and that the certification covers HR data.
  3. Where SCCs are used, request the signed SCCs with completed annexes and the vendor's TIA documentation.
  4. Record your own risk assessment, including the CLOUD Act as a residual risk.
  5. Consider EU-based alternatives if the residual risk is unacceptable for your candidate data.

HireSift hosts all data exclusively within the EU and provides a fully GDPR-compliant DPA with no third-country transfer issues.


AI Recruiting Tools and the EU AI Act

If your HR tool uses AI — for CV parsing, candidate ranking, or automated pre-screening — additional requirements apply under the EU AI Act (Regulation (EU) 2024/1689). The obligations for high-risk systems apply from 2 August 2026. One prohibition already applies since 2 February 2025: AI systems that infer emotions of people in the workplace are banned (Art. 5(1)(f)), which matters for video interview tools that claim to "evaluate" candidates.

High-risk AI in recruiting

AI systems used for recruitment or selection, in particular to place targeted job advertisements, analyse and filter applications, or evaluate candidates, are listed as high-risk in Annex III, point 4 of the EU AI Act. The vendor, as the provider of the system, must:

  • Maintain a risk management system and extensive technical documentation
  • Apply data governance requirements, including examining training data for bias, and meet accuracy, robustness and cybersecurity requirements
  • Design the system for human oversight and deliver instructions for use that tell you how to exercise it
  • Keep automatic logs, complete a conformity assessment, and register the system in the EU database

You, as the deployer, have your own obligations under Article 26: use the system according to the instructions, assign human oversight to trained staff, retain the logs the system generates for at least six months, inform workers' representatives and affected employees before putting it into service, and inform candidates that they are subject to a high-risk AI system. Candidates also have a right to an explanation of individual decisions (Art. 86).

What you should check:

  • Is the AI system classified as high-risk under the EU AI Act, and does the vendor provide the instructions for use and documentation you need as a deployer?
  • What transparency obligations exist towards candidates, and who fulfils them?
  • Can you manually review and override automated decisions, and is that review meaningful rather than a rubber stamp?

Independently of the AI Act, Article 22 GDPR gives candidates the right not to be subject to a decision based solely on automated processing that significantly affects them; an automatic rejection qualifies. If the tool makes or materially shapes hiring decisions, add clauses to your DPA covering the vendor's provider obligations under the EU AI Act, delivery of the documentation you need as a deployer, and your right to meaningful human review, and make sure your own process does not produce solely automated rejections unless one of the exceptions in Article 22(2) applies.


What to Do With a Missing or Inadequate DPA

Missing DPA

If you have no DPA in place, act quickly:

  1. Contact the vendor immediately and request a DPA.
  2. Most reputable vendors have standard agreements ready — just ask.
  3. Consider whether you should pause use of the software until it's signed.
  4. Document your request and the vendor's response.

Inadequate DPA

If the DPA has gaps:

  1. List the missing mandatory elements using the checklist above.
  2. Draft specific amendment requests.
  3. Reputable vendors will negotiate — a flat refusal is a red flag.

Record-Keeping Obligation

Under Article 30 GDPR, you must maintain a Record of Processing Activities (RoPA), which lists the categories of recipients, including your processors. The DPA itself is part of the accountability documentation you need under Articles 5(2) and 24 to demonstrate compliance. The GDPR sets no fixed retention period for it; keep it for the duration of the contract plus the limitation period for claims that could arise from the processing (in Germany the general limitation period is three years under § 195 BGB, which is where the common "plus three years" rule of thumb comes from).


Practical Checklist: Reviewing a DPA for HR Tools

Use this when you receive a DPA from an HR software vendor:

  • Subject matter, purpose, and duration of processing clearly defined?
  • Data categories and categories of data subjects named?
  • Processing restricted to controller's documented instructions?
  • Confidentiality obligations for staff and sub-processors present?
  • TOMs concretely specified in an annex?
  • Sub-processor list available with change notification obligation?
  • Assistance obligations for data subject requests and authorities covered?
  • Deletion or return of data at contract end specified?
  • Valid transfer mechanism for third-country transfers in place (DPF certification, signed SCCs with completed annexes, or another Article 46 mechanism), with a documented TIA where SCCs are used?
  • For AI tools: clauses covering EU AI Act and automated decision-making?

Summary

A DPA is more than administrative paperwork — it protects you legally and gives you control over what happens to candidate data. Many HR tools provide solid standard agreements. Some have gaps. And some vendors — especially those based in the US — bring third-country transfer questions that you need to address proactively.

Set aside 30 minutes, work through the checklist, and document your review. It's the cheapest compliance investment you can make.

HireSift provides a complete, legally robust DPA and hosts all data within the EU — no third-country transfer complications. Try HireSift free and see for yourself.

Less screening. More hiring.

HireSift analyzes 100 CVs in minutes — with two transparent scores, EU AI Act compliant, no credit card required.