Legal & Compliance

GDPR-Compliant Recruiting: The Checklist for HR Teams

HireSift · March 17, 2026 · 6 min read

GDPR has been in effect since 2018. Yet 67% of SMEs in Germany still have gaps in their recruiting data protection practices. Fines for GDPR violations in hiring reached 14.2 million EUR across the EU in 2025 alone.

The rules are not optional. Every CV you receive is personal data. Every screening decision is data processing. Every rejection email triggers retention obligations.

This checklist covers the 12 points every HR team needs to get right.

Why Recruiting Is a GDPR Hotspot

Recruiting involves some of the most sensitive personal data a company handles:

  • Names, addresses, contact details
  • Employment history and salary expectations
  • Education and certifications
  • Photos (common on CVs in DACH)
  • Health information (disability status, if disclosed)
  • Nationality and language skills

Under GDPR, processing this data requires a legal basis, clear purpose limitation, and strict data minimization. Most companies get the basics right. The details are where problems start.

The 12-Point Checklist

1. Establish a Legal Basis

You need a legal basis before processing any applicant data. For recruiting, two options apply:

Option A: Legitimate interest (Art. 6(1)(f) GDPR). Processing is necessary to evaluate candidates for a specific position. This is the most common basis.

Option B: Consent (Art. 6(1)(a) GDPR). Required for anything beyond the specific application — talent pools, future opportunities, newsletter subscriptions.

Action item: Document which legal basis you use. Put it in your privacy policy.

2. Publish a Recruiting Privacy Notice

Every job posting must link to a privacy notice specific to recruiting. Generic website privacy policies are not sufficient.

The notice must include:

  • Who is the data controller (company name, address, contact)
  • What data you collect and why
  • Legal basis for processing
  • Who receives the data (internal teams, tools, processors)
  • Retention periods
  • Candidate rights (access, deletion, portability)
  • Contact for data protection inquiries

Action item: Create a standalone recruiting privacy notice. Link it in every job posting and on your careers page.

3. Collect Only What You Need

Data minimization is not a suggestion. Only collect data that is relevant to evaluating the candidate for the specific role.

Do not collect:

  • Marital status (unless legally required)
  • Religion
  • Political affiliation
  • Union membership
  • Biometric data

Common violation: Application forms that require date of birth, nationality, or photo uploads. In most cases, none of these are necessary for evaluating job fit.

Action item: Audit your application forms. Remove every field that is not directly relevant to the hiring decision.

4. Get Explicit Consent for Talent Pools

Keeping candidate data after a position is filled requires explicit consent. "We may contact you about future opportunities" in the privacy notice is not enough.

Requirements for valid consent:

  • Freely given (not a condition of applying)
  • Specific (name the purpose: talent pool)
  • Informed (explain how long data is kept)
  • Unambiguous (active opt-in, not pre-checked box)
  • Withdrawable (easy to revoke at any time)

Action item: Add a separate, optional checkbox to your application form for talent pool inclusion. Store the consent with a timestamp.

5. Set Data Retention Deadlines

This is where most SMEs fail. Applicant data cannot be kept indefinitely.

Standard retention periods in DACH:

  • Germany: 6 months after the position is filled (to defend against AGG claims). Some legal opinions support 3 months.
  • Austria: 7 months is the commonly accepted maximum.
  • Switzerland: 3 months under the revised FADP.

After these periods, data must be deleted unless the candidate consented to talent pool storage.

Action item: Configure automatic deletion reminders. Do not rely on manual processes — they fail at scale.
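The retention rule from point 5, combined with the timestamped talent pool consent from point 4, is simple enough to enforce in code rather than by reminder. The following is an added example, not HireSift's code: it uses the retention periods stated above (DE 6, AT 7, CH 3 months after the position is filled), treats a valid, unwithdrawn consent as the only exemption, and assumes that a withdrawn consent makes deletion due at the later of the retention deadline and the withdrawal date. The `Applicant` record and the sample data are constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Retention periods from the checklist, in months after the position is filled.
# Germany: 6 months (AGG defence window), Austria: 7 months, Switzerland: 3 months (revised FADP).
RETENTION_MONTHS = {"DE": 6, "AT": 7, "CH": 3}


@dataclass
class Applicant:
    applicant_id: str
    country: str                                   # jurisdiction of the hiring entity (constructed field)
    position_filled_on: Optional[date]             # None while the vacancy is still open
    talent_pool_consent_at: Optional[datetime] = None  # timestamped active opt-in (point 4)
    consent_withdrawn_at: Optional[datetime] = None    # consent is withdrawable at any time


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


def deletion_due_on(a: Applicant) -> Optional[date]:
    """Date by which the applicant's data must be deleted, or None if no deadline applies yet."""
    if a.position_filled_on is None:
        return None  # retention clock starts when the position is filled
    retention_end = add_months(a.position_filled_on, RETENTION_MONTHS[a.country])
    if a.talent_pool_consent_at is None:
        return retention_end  # no consent: legitimate interest ends with the retention period
    if a.consent_withdrawn_at is None:
        return None  # valid, unwithdrawn talent pool consent: storage may continue
    # Assumed reading: once consent is withdrawn, the data must go after the retention
    # period, or immediately if that period has already elapsed.
    return max(retention_end, a.consent_withdrawn_at.date())


def retention_sweep(applicants: list, today: date) -> list:
    """IDs whose deletion deadline has passed; feed this list into the deletion checklist (point 9)."""
    return sorted(
        a.applicant_id
        for a in applicants
        if (due := deletion_due_on(a)) is not None and due <= today
    )
```

Run the sweep from a scheduled job and log each deleted ID with the deadline that triggered it; that log is the evidence an annual audit (point 12) asks for.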

6. Secure Data Transmission

CVs sent by email travel unencrypted by default. This is a GDPR risk.

Minimum requirements:

  • HTTPS on your careers page and application forms
  • TLS encryption for email servers
  • Encrypted storage for CV files
  • Access controls (only hiring team members access CVs)

Common violation: Forwarding CVs via unencrypted email to hiring managers. Every forward is a data transfer that must be secured.

Action item: Use an application portal or ATS instead of email-based applications. If you use email, ensure TLS is enforced.

7. Document All Data Processors

Every tool that touches applicant data is a data processor under GDPR. You need a Data Processing Agreement (DPA) with each one.

Common processors in recruiting:

  • ATS platforms (Personio, Recruitee, JOIN)
  • AI screening tools (HireSift, Brainner)
  • Email services (Outlook, Gmail)
  • Video interview platforms (Teams, Zoom)
  • Assessment tools
  • Background check providers

Critical check: Where does each processor store data? EU-only processing reduces risk significantly. US-based processors require additional safeguards (Standard Contractual Clauses).

Action item: Create a list of all recruiting tools. Verify each has a signed DPA. Check data processing locations.

8. Handle Access Requests Within 30 Days

Candidates have the right to request all data you hold about them. You must respond within 30 calendar days.

Your response must include:

  • What data you store
  • Why you process it
  • Who has access
  • How long you will keep it
  • Their right to deletion, correction, and portability

Action item: Prepare a template response. Know where all candidate data lives in your systems before a request arrives.

9. Enable Data Deletion on Request

Candidates can request deletion of their data at any time. You must comply unless you have a legal obligation to retain it.

Deletion must be complete:

  • Application files (CVs, cover letters)
  • Email correspondence
  • Notes and evaluations
  • Data in all tools and systems (ATS, screening tools, spreadsheets)
  • Backups (within a reasonable timeframe)

Common violation: Deleting the CV from the ATS but forgetting the copy in a hiring manager's email inbox or a shared drive.

Action item: Map every location where candidate data exists. Create a deletion checklist.

10. Document AI-Assisted Decisions

If you use AI to screen, score, or rank candidates, GDPR Article 22 applies. Candidates have the right not to be subject to solely automated decisions.

Requirements when using AI screening:

  • Inform candidates that AI is used in the evaluation.
  • Ensure meaningful human oversight of AI recommendations.
  • Enable candidates to contest AI-assisted decisions.
  • Document the logic involved in the scoring.

This is also where the EU AI Act intersects. Recruiting AI is classified as "high-risk." Tools must provide transparency, bias testing, and human oversight. AI screening tools like HireSift address this with two separate, explainable scores.

Action item: Add AI disclosure to your recruiting privacy notice. Ensure your screening tool provides explainable results.

11. Train Your Hiring Team

GDPR compliance is only as strong as the people handling the data. Every person involved in hiring needs to understand the basics.

Training should cover:

  • What constitutes personal data
  • How to handle CVs securely
  • When to delete data
  • How to respond to candidate inquiries
  • What not to do (forwarding CVs via WhatsApp, storing them on personal devices)

Common violation: Hiring managers storing CVs in personal Dropbox folders or sharing them via messaging apps.

Action item: Conduct a 30-minute training session for everyone involved in hiring. Repeat annually.

12. Audit Annually

GDPR compliance is not a one-time setup. Processes change. Tools change. People change. Annual audits catch drift before regulators do.

Annual audit checklist:

  • Review all data processors and DPAs
  • Check retention periods are being enforced
  • Verify access controls (who can see candidate data?)
  • Test deletion processes
  • Update the recruiting privacy notice
  • Review AI tools for EU AI Act compliance

Action item: Schedule a recurring annual review. Document findings and actions taken.

Common Mistakes HR Teams Make

Even well-intentioned teams make these errors:

1. Using ChatGPT to evaluate CVs. Pasting candidate data into ChatGPT means transferring personal data to OpenAI's servers (US-based). Without explicit consent and a DPA, this violates GDPR. Use a compliant AI screening tool instead.

2. Keeping CVs "just in case." Without consent for talent pool storage, data must be deleted after the retention period. "We might hire for a similar role" is not a legal basis.

3. No privacy notice on job postings. Every job posting is a data collection point. No privacy notice means no informed consent.

4. Forwarding CVs by email without controls. Every recipient is a data accessor. Uncontrolled forwarding makes deletion impossible.

5. Ignoring the AI disclosure requirement. If AI touches candidate data, candidates must be informed. Omitting this from your privacy notice is a violation.

What Good Tools Handle Automatically

The right recruiting tools reduce your GDPR burden significantly:

  • Automatic data retention — Delete candidate data after configured periods.
  • Built-in DPA — Signed as part of the service agreement.
  • EU data processing — No transatlantic data transfers.
  • Access controls — Role-based permissions for candidate data.
  • Audit trails — Documented processing history for compliance checks.
  • AI transparency — Explainable scoring that satisfies Article 22 and the EU AI Act.

You cannot automate GDPR compliance entirely. But you can choose tools that handle 80% of the technical requirements by default. This frees your team to focus on the 20% that requires human judgment: training, process design, and candidate communication.

The Bottom Line

GDPR compliance in recruiting is not about avoiding fines. It is about treating candidate data with the same care you would want for your own. The 12 points in this checklist are not optional extras. They are legal requirements.

Start with the highest-risk items: retention deadlines, processor agreements, and AI disclosure. Then work through the rest. One point per week gets you compliant in 3 months.

The companies that get this right do not just avoid penalties. They build trust with every applicant — and trust is the foundation of a strong candidate experience.


Less screening. More hiring.

HireSift analyzes 100 CVs in minutes — with two transparent scores, EU AI Act compliant, no credit card required.

→ Start your 7-day free trial
