Compliance

GDPR for Hiring: What Candidate Data You Can Keep, For How Long, and What to Delete

ClarityHire Team (Editorial) · 3 min read

The principle that matters

GDPR's purpose-limitation and storage-limitation principles ask two questions of every piece of candidate data you hold: why do you have it (which lawful basis and purpose) and for how long you need it. If you cannot answer both crisply, you should not have it.

Most hiring-data compliance issues are not about exotic edge cases. They are about defaults. A team with sensible defaults rarely has a problem. A team without them collects data forever, for unstated purposes, with no deletion path.

Defensible defaults

Lawful basis

For an active candidate (someone applying for a specific role): legitimate interests, or steps taken at the candidate's request prior to entering into a contract. You do not need consent to evaluate them; they applied.

For a passive candidate in a talent-pipeline pool, or for keeping their data after the role closes: consent, with a clear opt-in, a clear retention period, and a withdrawal path that actually deletes the record.

Don't mix. If you collect under one basis and use under another, you have a problem.

Retention

  • Active candidates: the duration of the hiring process plus a defence window for discrimination claims. The window is jurisdiction-dependent (typically 6–12 months after rejection in the EU, longer in some US states); document the one you choose.
  • Hired candidates: their data transitions to employee data and falls under HR retention policies.
  • Talent pipeline: only with explicit consent, and with a defined renewal cadence (e.g., re-confirm consent annually).

Anything older than this should be auto-deleted, not "available on request."
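As an added illustration (not ClarityHire's code or configuration), here is a small retention sweep in Python that encodes the defaults above. The windows, field names and sample records are assumptions constructed for the example; the point is that each record's purge date follows from the basis it was collected under, a basis mismatch or withdrawn consent deletes immediately, hired candidates are handed to HR rather than deleted, and interview recordings expire on their own clock.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention windows are placeholders for this example; set them with counsel for your jurisdiction.
DEFENSE_WINDOW = timedelta(days=365)      # keep rejected applications this long for claim defence
CONSENT_TERM = timedelta(days=365)        # pipeline consent must be re-confirmed at this cadence
RECORDING_RETENTION = timedelta(days=90)  # interview recordings expire independently of the record


@dataclass
class CandidateRecord:
    candidate_id: str
    basis: str                               # "application" (they applied) or "consent" (talent pipeline)
    status: str                              # "active", "rejected", "hired" or "pipeline"
    closed_on: Optional[date] = None         # date the process ended (rejection or hire)
    consent_given_on: Optional[date] = None  # date of the latest consent (re)confirmation
    consent_withdrawn: bool = False
    recordings: List[date] = field(default_factory=list)  # interview recording dates


def retention_decision(rec: CandidateRecord, today: date) -> str:
    """Decide what to do with the record: keep, delete, transfer_to_hr or review.

    A record is kept only while the basis it was collected under still answers
    both "why do we have it" and "for how long".
    """
    if rec.status == "hired":
        return "transfer_to_hr"                   # becomes employee data; HR retention applies
    if rec.basis == "consent":
        if rec.consent_withdrawn or rec.consent_given_on is None:
            return "delete"                       # no valid consent, so no basis to hold it
        return "delete" if today > rec.consent_given_on + CONSENT_TERM else "keep"
    if rec.basis == "application":
        if rec.status == "pipeline":
            return "delete"                       # collected to evaluate an application, now used for a pool
        if rec.status == "active":
            return "keep"                         # evaluation still running
        if rec.closed_on is None:
            return "review"                       # closed but undated: flag rather than guess the window
        return "delete" if today > rec.closed_on + DEFENSE_WINDOW else "keep"
    return "review"                               # unknown basis: cannot answer "why do you have it"


def expired_recordings(rec: CandidateRecord, today: date) -> List[date]:
    """Recordings past RECORDING_RETENTION; they go even if the record itself is kept."""
    return [d for d in rec.recordings if today > d + RECORDING_RETENTION]


def sweep(records: List[CandidateRecord], today: date) -> Dict[str, List[str]]:
    """Group candidate ids by decision; a scheduled job would act on the 'delete' bucket."""
    out: Dict[str, List[str]] = {"keep": [], "delete": [], "transfer_to_hr": [], "review": []}
    for rec in records:
        out[retention_decision(rec, today)].append(rec.candidate_id)
    return out


# Constructed sample data for the example run.
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    CandidateRecord("c1", "application", "rejected", closed_on=date(2024, 3, 1)),
    CandidateRecord("c2", "application", "rejected", closed_on=date(2025, 1, 15)),
    CandidateRecord("c3", "application", "active",
                    recordings=[date(2025, 1, 10), date(2025, 5, 15)]),
    CandidateRecord("c4", "application", "hired", closed_on=date(2025, 5, 1)),
    CandidateRecord("c5", "consent", "pipeline", consent_given_on=date(2024, 4, 1)),
    CandidateRecord("c6", "consent", "pipeline", consent_given_on=date(2025, 2, 1)),
    CandidateRecord("c7", "consent", "pipeline", consent_given_on=date(2025, 2, 1),
                    consent_withdrawn=True),
    CandidateRecord("c8", "application", "pipeline"),
]

if __name__ == "__main__":
    for decision, ids in sweep(SAMPLE_RECORDS, SAMPLE_TODAY).items():
        print(f"{decision:>14}: {ids}")
    print("expired recordings for c3:", expired_recordings(SAMPLE_RECORDS[2], SAMPLE_TODAY))
```

Run as a scheduled job against the ATS export, the "delete" bucket is what gets purged automatically; the "review" bucket is the data-quality backlog (closed records with no closing date) that a human clears, not a place where records quietly live forever.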

Data minimization

Collect what the role evaluation requires, not everything you might want. Photo on resume? Not required. Date of birth? Not required. National ID? Definitely not. The principle: if you don't need it for the decision, don't collect it.

Special-category data

Racial or ethnic origin, health, sexual orientation, religion, political views, trade-union membership, genetic data and biometric data used to identify someone are special-category data under GDPR. They need a separate condition on top of the ordinary lawful basis, so avoid them unless you have a specific compliance use (e.g., voluntary diversity monitoring with explicit consent, stored separately from the evaluation record and never visible to the people making the hiring decision).

Practical compliance checklist

  • Privacy notice on the application page describing what data is collected and why
  • Lawful basis documented for each data category
  • Retention period documented and automatically enforced
  • Data subject access request (DSAR) process documented and tested
  • Right-to-erasure process documented and tested
  • Sub-processors (your ATS, your assessment platform, your background-check vendor) listed in processing register with DPAs in place
  • Cross-border transfer mechanism documented if data leaves the EU/EEA
  • Breach notification process with a named owner and a 72-hour target, since a notifiable breach must be reported to the supervisory authority within 72 hours of becoming aware of it

Common failure modes

  • Forever retention. Candidate data from 2019 still sitting in the ATS with no purpose. Delete or justify.
  • Unrestricted access. Every recruiter and hiring manager can see every candidate's data. Apply least privilege: scope access to the requisitions a person actually works on.
  • Recordings without retention. Interview recordings stored indefinitely. Pick a retention period (90 days is common) and enforce it.
  • Vendor sprawl. Each new vendor adds a sub-processor with their own data handling. Audit annually.

What ClarityHire does

Configurable retention per data category, automatic deletion at retention end, DSAR export, scoped role-based access to candidate data, and processor documentation for the platform's sub-processors. Compliance is a process, not a product — but the product should make the process tractable.

This post is general guidance, not legal advice. For your specific jurisdiction and risk profile, work with counsel.

Tags: gdpr, compliance, candidate data, privacy