Law & Compliance

Schrems II and Recruiting Software: What You Actually Need to Do

HireSift · April 23, 2026 · 8 min read

If you use recruiting software, you are processing candidate data. That sounds routine. Legally, it is not. Many tools rely on US vendors, US subprocessors, or US support structures. That is where the risk starts.

Schrems II is not a theoretical ruling for privacy lawyers. It is a practical stress test for your HR technology stack. As soon as personal data moves to a third country, you need a proper assessment. Otherwise, a convenient tool becomes a compliance problem.

This article shows you what matters. You will get a clear explanation, practical checks, and actions you can start today.


Why Schrems II Directly Affects Recruiting

Schrems II is the Court of Justice of the EU ruling (C-311/18, 16 July 2020) that invalidated the EU-US Privacy Shield and left Standard Contractual Clauses valid only on condition that the exporter verifies, case by case, that the law of the destination country does not undermine them. Since then it is no longer enough to take a cloud service's security on trust because it sounds secure. You have to check whether the transfer is actually protected.

Recruiting is especially exposed because you collect a lot of data quickly.

  • CVs
  • contact details
  • salary expectations
  • interview notes
  • scores from screening tools

If that data goes to a US vendor, you need more than a polished product page. You need a defensible legal basis, the right contracts, and a technical setup that really reduces risk.

Practical tip: Review each application separately. A single vendor check for the whole stack is not enough.


What the Ruling Changed in Practice

Before Schrems II, many teams thought too simply. If a vendor had EU servers, the problem seemed solved. The ruling ended that comfort.

Today, server location is only one part of the picture. You also need to know who can legally access the data.

A US company may be subject to the CLOUD Act, which lets US authorities compel a provider to hand over data in its possession, custody or control regardless of where that data is stored. The ruling itself turned on US surveillance law (FISA Section 702 and Executive Order 12333), which the court found does not give EU data subjects essentially equivalent protection and which a contract cannot switch off. That is why US tools in recruiting remain sensitive.

For you, that means:

  • Frankfurt servers are not a free pass
  • a DPA alone is often not enough
  • Standard Contractual Clauses must be backed by a transfer assessment, not just signed
  • extra technical safeguards are required

That sounds demanding. It is. But if you take candidate data seriously, this level of care is necessary.


Which Tools You Should Treat as High Risk

Not every tool carries the same level of risk. Start with the systems that process actual candidate data.

  1. applicant tracking systems
  2. CV parsing tools
  3. AI screening software
  4. video interview platforms
  5. email and calendar integrations
  6. background check services
  7. analytics and tracking tools

Integrations are often forgotten. Your ATS may be European. But if your video interview tool sits in the US, you still have a transfer.

Practical tip: Map the full data flow once, from first click to rejection. Only then do the real risks become visible.


The Most Important Question: Where Is the Vendor Legally Based?

Many teams only look at the brand. That is not enough.

You need to know:

  • where the parent company is based
  • who runs the infrastructure
  • who acts as subprocessor
  • which support teams can access data
  • which cloud provider is used

A vendor with a German sales office is not automatically a German vendor. If the group is based in the US, the CLOUD Act risk may still apply.

That is why the legal structure matters more than the marketing.

Practical tip: Ask the vendor for a written overview of group structure, subprocessors, and data locations.


What a Good DPA Must Contain

A Data Processing Agreement (Art. 28 GDPR) is mandatory whenever a vendor processes candidate data on your behalf. But not every DPA protects you equally.

Make sure the agreement clearly states:

  • which data is processed
  • why the data is processed
  • where the data is stored
  • which subprocessors are involved
  • how deletion works
  • how the vendor supports data subject rights
  • how security incidents are reported

If the DPA is vague, that is a warning sign. US vendors in particular often use broad wording.

Practical tip: Do not stop at the DPA. Read the annexes, subprocessor lists, and the vendor’s privacy documentation too.


Technical Measures That Actually Help

Legal documents matter. But they are not enough on their own. You also need technical controls.

The most effective ones are:

  • data minimisation
  • encryption in transit and at rest, with the keys held by you or by an EU party the vendor cannot compel
  • strict role-based access control
  • logging and monitoring
  • short retention periods
  • pseudonymisation where possible
  • separation of test and production data

In recruiting, data minimisation is often the biggest lever. If you collect only what you truly need, your risk drops immediately.

One caveat on encryption: it only counts as a safeguard against access by the vendor's authorities if the vendor cannot decrypt the data. Encryption at rest with vendor-held keys protects against a stolen disk, not against a legal order served on the vendor.

That is also a useful test for any tool. If a feature asks for irrelevant data, be sceptical.


Schrems II Also Means Transfer Impact Assessments

If data goes to a third country without an EU adequacy decision, you need a transfer assessment before you can rely on Standard Contractual Clauses. In practice, this is called a Transfer Impact Assessment.

You assess:

  1. which data is transferred
  2. where it goes
  3. who can access it there
  4. which safeguards exist
  5. whether those safeguards actually hold in the destination country

For many companies, this is new. For you, it should become standard.

Without this review, you are buying blind. With it, you make decisions based on facts.

Practical tip: Document the assessment. It will save you arguments later with DPOs, auditors, or regulators.


When You Should Prefer EU-Native Software

Sometimes the best solution is not the most complicated one. It is the cleanest one.

EU-native software is often the better choice when:

  • you recruit across multiple countries
  • you store a lot of candidate data
  • you use AI features
  • you need to prove data locations quickly
  • your internal compliance capacity is limited

EU-native does not mean perfect. But it cuts down the number of open questions substantially.

HireSift is built for exactly this: European infrastructure, clear contracts, and a setup that makes compliance easier.


How to Make Your Recruiting Software Audit-Ready

If you want to start today, follow this order:

1. Build a tool list

Collect every system that touches candidate data.

2. Map the flows

Document which data goes where.

3. Review the vendors

Check legal seat, subprocessors, and cloud geography.

4. Check the contracts

Review the DPA, SCCs, and annexes.

5. Assess the risk

Ask whether the transfer is actually necessary.

6. Look for alternatives

Could an EU-native tool work instead?

7. Set deletion rules

Define when data disappears automatically.

8. Assign ownership

A named owner prevents many avoidable gaps.

Practical tip: Turn this into a recurring quarterly review.
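The eight steps above produce a data-flow map that is reviewed per tool. As an added illustration (this is not HireSift's code and not part of the original article), the following Python script encodes steps 1 to 5 as a repeatable check: an inventory of tools with their vendor seat, group parent, hosting countries, subprocessors and support-access locations is assessed one tool at a time, and each tool is flagged for third-country transfers and for US-law exposure even where hosting is in the EU. The vendors, tool names, data categories and the EU/EEA country list are constructed assumptions; the check deliberately ignores adequacy decisions and is a triage aid, not a legal determination.

```python
# Added example (not HireSift's code): a minimal data-flow map for a recruiting
# stack that flags third-country transfers and US-law exposure per tool.
# Tool names, vendors, regions and the EU/EEA country list are constructed
# assumptions for illustration; the output is triage input for a TIA, not
# a legal determination.
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: EU member states plus the three EEA states count as "in the EU/EEA";
# every other location is treated as a third country (adequacy decisions ignored).
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}


@dataclass
class Party:
    name: str
    seat: str  # ISO 3166-1 alpha-2 code of the legal seat


@dataclass
class Tool:
    name: str
    vendor: Party                  # the entity you contract with
    parent: Party                  # ultimate group parent (the "brand vs. group" point)
    hosting: List[str]             # countries where candidate data is stored
    subprocessors: List[Party] = field(default_factory=list)
    support_access: List[str] = field(default_factory=list)  # countries of staff with data access
    data: List[str] = field(default_factory=list)            # candidate data categories touched


def is_third_country(code: str) -> bool:
    return code not in EU_EEA


def assess(tool: Tool) -> Dict[str, object]:
    """Assess one tool.

    'transfer' is true when candidate data is stored in, accessed from, or passed
    to a subprocessor in a third country. 'us_law_exposure' is true when the
    vendor, its parent or a subprocessor is seated in the US, even if all
    hosting is in the EU (the CLOUD Act point from the article).
    """
    findings: List[str] = []
    for c in tool.hosting:
        if is_third_country(c):
            findings.append(f"storage in third country {c}")
    for c in tool.support_access:
        if is_third_country(c):
            findings.append(f"support access from third country {c}")
    for sub in tool.subprocessors:
        if is_third_country(sub.seat):
            findings.append(f"third-country subprocessor {sub.name} ({sub.seat})")
    transfer = bool(findings)

    seen = set()  # vendor and parent are often the same entity; report it once
    for p in (tool.vendor, tool.parent, *tool.subprocessors):
        if p.seat == "US" and p.name not in seen:
            seen.add(p.name)
            findings.append(f"US-law exposure via {p.name}")
    us_law_exposure = bool(seen)

    if transfer:
        action = "transfer: needs a legal basis (e.g. SCCs), a TIA and supplementary measures"
    elif us_law_exposure:
        action = "no transfer found, but document the US-law exposure in the risk assessment"
    else:
        action = "no third-country issue found; keep the DPA and subprocessor list under review"
    return {"transfer": transfer, "us_law_exposure": us_law_exposure,
            "findings": findings, "action": action}


def assess_stack(tools: List[Tool]) -> Dict[str, Dict[str, object]]:
    """Assess every tool separately; there is no single stack-wide verdict."""
    return {t.name: assess(t) for t in tools}


# Constructed inventory with hypothetical vendors.
EXAMPLE_STACK = [
    Tool("ats", vendor=Party("ExampleATS GmbH", "DE"), parent=Party("ExampleATS GmbH", "DE"),
         hosting=["DE"], subprocessors=[Party("EU Cloud SE", "FR")], support_access=["DE"],
         data=["CV", "contact details", "interview notes"]),
    Tool("video-interviews", vendor=Party("VidHire Ireland Ltd", "IE"),
         parent=Party("VidHire Inc.", "US"), hosting=["DE"],
         subprocessors=[Party("Transcribe Inc.", "US")], support_access=["US"],
         data=["video recordings", "interview notes"]),
    Tool("calendar-sync", vendor=Party("SyncCal Inc.", "US"), parent=Party("SyncCal Inc.", "US"),
         hosting=["IE"], subprocessors=[], support_access=["IE"], data=["contact details"]),
]

if __name__ == "__main__":
    for name, result in assess_stack(EXAMPLE_STACK).items():
        print(f"{name}: {result['action']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run quarterly against the current inventory and keep the output with the TIA file: the "video-interviews" entry shows the integration case from the article (EU-hosted, but US parent, US subprocessor and US support access), and "calendar-sync" shows the Frankfurt-is-not-a-free-pass case (EU hosting, US vendor).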


What You Should Tell Your Team Today

You do not need panic. You need clarity.

Tell your team:

  • we review each tool separately
  • we store only what we need
  • we avoid unnecessary third-country transfers
  • we document our decisions
  • we prefer EU-native solutions when they fit

That is not a brake on recruiting. It is a working standard. Good teams move faster when the rules are clear.


Conclusion: Schrems II Is a Procurement Filter

The ruling is not just a legal question. It is also a buying criterion.

When you choose recruiting software, you are not only buying features. You are also buying data routes, responsibilities, and risk.

So ask yourself: do you really need a tool anchored in the US? Or is there a European alternative that gives you the same value with less risk?

If you want your recruiting stack to be defensible, start with an honest review. HireSift helps with EU infrastructure, clear contracts, and transparent processes.

Next step: Check which of your recruiting tools create a third-country risk today. If you want a simpler route, try HireSift free.


Frequently Asked Questions

Does an EU server make a US vendor GDPR-compliant? No. Server location is only one part of the assessment. The laws the vendor is subject to, and who can be compelled to hand data over, matter just as much.

Do I always need Standard Contractual Clauses? Not always. A transfer to a US vendor that is certified under the EU-US Data Privacy Framework can rely on that adequacy decision instead, provided you verify the certification and its scope. For other third-country transfers, SCCs are the usual building block, and they still need a transfer assessment and supplementary measures alongside them.

Is a US vendor always forbidden? No. But you must assess the risk, document it, and support the transfer with suitable safeguards.
