GDPR in recruitment: what employers need to know in 2026

Last updated: 29 June 2026

Privacy regulations, pay transparency rules, and AI governance are all moving at once. For employers in 2026, that means keeping up with a set of overlapping legal requirements that directly affect how you hire — and how you handle the data of every candidate who applies.

The General Data Protection Regulation (GDPR) has always set the baseline. But now the EU Pay Transparency Directive and the EU AI Act sit alongside it, each with their own obligations for recruiting teams.

Because you probably don't have time to read three pieces of legislation cover to cover, this practical guide pulls together what you need to know and how to prepare.

The stakes are real. European data protection authorities have made clear they are moving from education toward active enforcement, and the number of reported data breaches continues to rise year over year — a sign that more organizations are aware of their reporting obligations, but also that the risk environment is growing.

Some of these rules are already in force. Others are still being implemented across EU member states. Either way, now is the right time to check whether your processes and tools are ready.


What does GDPR say about processing candidate personal data?

GDPR is built on one foundational idea: you can only process personal data when you have a lawful reason to do so. In recruitment, that means you can only use candidate data to the extent it's necessary to assess and potentially hire someone.

"Processing" covers a wide range of activities — storing a CV, reviewing interview notes, sharing an application with a hiring manager. All of it falls within scope.

The types of data you'll typically handle in recruitment include:

  • CVs and cover letters
  • Interview notes
  • Assessment results
  • Reference feedback

You can use and share this data internally with colleagues directly involved in the selection process. The key principle is minimization: collect what you need, nothing more.

Make your privacy notice easy to find from the start

You don't usually need a candidate's explicit consent to process their data for standard recruitment purposes. Legitimate interest or steps taken before entering into an employment contract are generally more appropriate legal bases for core recruitment processing. What you do need is to be transparent about how you process it.

That transparency lives in your privacy notice. It should explain which data you collect, why, how long you retain it, who you share it with, and what rights candidates have. Make it easy to find at the point of application — via your application form, your job posting, or your careers page.

What candidate data can you not collect?

During recruitment, you can only collect data that's relevant to assessing a candidate's suitability for the role. Some data simply doesn't meet that bar at the application stage:

  • Bank account details
  • Copies of identity documents
  • Family or household situation

None of these are usually needed to evaluate someone's fit for a position, so they shouldn't be collected unless there is a clear legal requirement or a later-stage hiring need.

Special category data

Certain types of data carry additional protection under GDPR. Health information, including pregnancy-related health data, religious beliefs, racial or ethnic origin, trade union membership, and sexual orientation are all classified as special category data, and the bar for processing them is much higher.

There are narrow exceptions — some roles may have legal requirements that justify processing specific special category data — but the default is not to collect it.

Be careful, too, about indirect collection. You can inadvertently gather special category data through:

  • Asking for someone's country of birth
  • Requiring a video application
  • Requesting a photo with an application

Unless there's a clear, justifiable reason for any of these, leave them out.


Can you check a candidate's social media during the recruitment process?

You can't freely browse a candidate's social media profiles during recruitment, even if those profiles are public. GDPR requires you to have a clear, role-relevant reason for looking.

Reviewing a LinkedIn profile to verify professional experience or skills is different from searching someone's private Instagram. The former has an obvious connection to the role; the latter doesn't.

If you do review social media as part of your process, be upfront about it — include it in your privacy notice or job posting — and only use information that's actually relevant to assessing the candidate.

You should also document why a social media check is necessary for the role and avoid using intrusive or irrelevant information in the selection process.

What rights do candidates have under GDPR?

Candidates have several rights over their personal data during the recruitment process:

  • Right of access: Candidates can ask what personal data you hold about them and how you use it.
  • Right to rectification: If their data is inaccurate or incomplete, candidates can request a correction.
  • Right to erasure: Candidates can ask you to delete their data — for example, after they've been rejected and you no longer need it.

You must usually respond to any of these requests within one month. In complex cases, this period may be extended, but you need a clear process for tracking and responding to requests on time.


The right not to be assessed solely by automated means

Candidates also have the right not to have their application decided entirely by an automated system. If you use software or AI to sort, screen, or rank candidates, a human must remain involved in the process. Automated systems can support recruiters — they can't replace them when it comes to making actual decisions about people.

Tools like the Matching Assistant in Tellent Recruitee can help recruiters surface candidates who match pre-set criteria, while keeping the final assessment with the hiring team.

Candidates should not be automatically excluded, and no hiring decision should be made without human review.

If a candidate believes an automated system has played an outsized role in their rejection, they have the right to request human intervention and a fresh review of their application.

The EU AI Act (discussed below) adds further requirements on top of this.

What are your obligations as an employer under GDPR?

GDPR places the responsibility for compliant data handling firmly with your organization. That means not just thinking about what you collect, but how you store it, who can access it, and how you protect it.

Here are the core things to have in place:

  • A clear, accessible privacy notice. Candidates must know what data you collect, why, how long you keep it, and who you share it with. Make it easy to find at every point in the application journey.
  • Access controls. Not everyone in your organization needs access to candidate data. Restrict access to the people directly involved in the hiring process. In Tellent Recruitee, you can manage this through user roles and permissions.
  • A data processing agreement with your ATS vendor. If you use an applicant tracking system or any recruitment software, you're processing personal data through a third party. You need a data processing agreement (DPA) in place that sets out how that data is secured and handled.

Ultimately, your organization remains responsible for candidate data — even when parts of the process run through external tools or vendors.

Why good data practices also protect your employer brand

Non-compliance with GDPR carries significant financial risk. Under the EU AI Act, the €35 million or 7% global turnover ceiling applies to prohibited AI practices. Non-compliance with many other AI Act obligations can carry penalties of up to €15 million or 3%. GDPR penalties may also apply separately where personal data is processed unlawfully.

But the business case for getting this right goes beyond avoiding penalties. How you handle candidate data says something about what kind of employer you are. Candidates increasingly expect their personal information to be treated with care — and in a competitive talent market, that expectation matters. GDPR compliance isn't separate from your employer brand. It's part of it.

How long can you keep CVs and candidate data?

GDPR does not impose one EU-wide CV retention period. You should define a documented, purpose-based retention period and delete or anonymize candidate data once that period expires. Local guidance varies: in the Netherlands, unsuccessful applicant data is typically deleted within about four weeks, while French CNIL guidance allows candidate-pool retention for up to two years in specific circumstances.

If you want to keep a candidate in a talent pool for future roles, you need their active, informed consent to do so. That consent must be freely given — which means asking for it separately from the core application process and not making it a condition of applying.

Pre-ticked boxes or implied consent don't meet the standard. Consent must be explicit, active, and documented.

Automatically extending talent pool consent is not allowed

If you want to retain someone in your talent pool beyond the initial consent period, you need to ask again. Silence or non-response from a candidate means you delete or anonymize their data, not that they've agreed to stay on file.

Build this renewal step into your process and automate it where possible.

In Tellent Recruitee, you can manage candidate GDPR statuses and automate consent requests and candidate deletions, helping teams keep retention periods and candidate consent visible.

Data from candidates who are hired transitions into HR records and is subject to different retention rules.
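The retention and consent rules above amount to a small decision procedure that a recruiting system has to apply to every record on every run: rejected applicants without pool consent are deleted once the documented period ends, a pool consent triggers a renewal request before it expires, and silence at expiry means deletion rather than extension. The following Python is an added example of that logic, not Tellent Recruitee's code or anything from the original article. The action names, the four-week retention for unsuccessful applicants (taken from the Dutch practice mentioned above), the one-year consent validity and the 30-day renewal window are all assumptions; a real deployment would take these from its own documented retention schedule.

```python
"""Retention decision helper: which action a candidate record needs today.

Added example; policy periods and action names below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Actions the surrounding system would carry out (hypothetical names).
KEEP = "keep"
REQUEST_RENEWAL = "request_renewal"
DELETE_OR_ANONYMIZE = "delete_or_anonymize"
TRANSFER_TO_HR = "transfer_to_hr"


@dataclass(frozen=True)
class RetentionPolicy:
    """Documented, purpose-based periods. Values are set by the organisation."""
    unsuccessful_retention: timedelta  # how long rejected applicants are kept without pool consent
    pool_consent_validity: timedelta   # how long one explicit talent-pool consent remains valid
    renewal_window: timedelta          # how long before expiry the renewal request is sent


@dataclass
class CandidateRecord:
    candidate_id: str
    outcome: str                                  # "open", "rejected" or "hired"
    closed_on: Optional[date] = None              # date the process ended for this candidate
    pool_consent_on: Optional[date] = None        # date of the latest explicit pool consent
    renewal_requested_on: Optional[date] = None   # date a renewal request was sent, if any


def decide(record: CandidateRecord, policy: RetentionPolicy, today: date) -> str:
    """Return the action a record needs on `today` under `policy`."""
    if record.outcome == "hired":
        # Hired candidates move into HR records with their own retention rules.
        return TRANSFER_TO_HR
    if record.outcome == "open":
        return KEEP
    if record.outcome != "rejected":
        raise ValueError(f"unknown outcome {record.outcome!r}")
    if record.closed_on is None:
        raise ValueError("a rejected record must carry the date the process closed")

    if record.pool_consent_on is None:
        # No pool consent: the data lives only as long as the recruitment purpose.
        expiry = record.closed_on + policy.unsuccessful_retention
        return KEEP if today < expiry else DELETE_OR_ANONYMIZE

    consent_expiry = record.pool_consent_on + policy.pool_consent_validity
    if today >= consent_expiry:
        # Consent ran out without a renewed, explicit yes: silence means deletion.
        return DELETE_OR_ANONYMIZE
    if today >= consent_expiry - policy.renewal_window and record.renewal_requested_on is None:
        # Inside the renewal window and nobody has asked yet: ask again, do not extend.
        return REQUEST_RENEWAL
    return KEEP


def renew_consent(record: CandidateRecord, consented_on: date) -> None:
    """Record a fresh, explicit consent; only an active answer resets the clock."""
    record.pool_consent_on = consented_on
    record.renewal_requested_on = None


def plan_actions(records: List[CandidateRecord], policy: RetentionPolicy, today: date) -> Dict[str, str]:
    return {r.candidate_id: decide(r, policy, today) for r in records}


# Constructed sample data for a stand-alone run.
SAMPLE_POLICY = RetentionPolicy(timedelta(weeks=4), timedelta(days=365), timedelta(days=30))
TODAY = date(2026, 6, 29)


def sample_records() -> List[CandidateRecord]:
    return [
        CandidateRecord("c1", "open"),
        CandidateRecord("c2", "hired"),
        CandidateRecord("c3", "rejected", closed_on=date(2026, 6, 10)),
        CandidateRecord("c4", "rejected", closed_on=date(2026, 5, 1)),
        CandidateRecord("c5", "rejected", closed_on=date(2025, 7, 1), pool_consent_on=date(2025, 7, 15)),
        CandidateRecord("c6", "rejected", closed_on=date(2025, 5, 20), pool_consent_on=date(2025, 6, 1),
                        renewal_requested_on=date(2026, 5, 5)),
        CandidateRecord("c7", "rejected", closed_on=date(2026, 1, 5), pool_consent_on=date(2026, 1, 10)),
    ]


def run_sample() -> Dict[str, str]:
    return plan_actions(sample_records(), SAMPLE_POLICY, TODAY)


def sample_renewal() -> str:
    """c5 is inside its renewal window; an explicit renewal puts it back to KEEP."""
    record = sample_records()[4]
    renew_consent(record, TODAY)
    return decide(record, SAMPLE_POLICY, TODAY)


if __name__ == "__main__":
    for candidate_id, action in run_sample().items():
        print(candidate_id, action)
```

Run nightly over the whole candidate table and feed `REQUEST_RENEWAL` into the consent e-mail job and `DELETE_OR_ANONYMIZE` into the erasure job; the important property is that nothing except an explicit `renew_consent` call ever pushes an expiry date out.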

Why a well-configured ATS matters for compliance

A good applicant tracking system (ATS) does more than accelerate hiring. It gives you the infrastructure to handle compliance tasks consistently:

  • Automated data retention and deletion
  • Consent management for talent pools
  • Role-based access controls
  • Centralized storage of all candidate records
  • Processing of erasure requests
  • Secure collaboration across hiring teams

When all candidate data lives in one place — CVs, interview notes, assessment results, hiring team feedback — you're far less likely to lose track of it or fail to delete it on time.

Compliance breaks down outside your ATS

That said, a well-configured ATS alone doesn't guarantee compliance. In practice, GDPR problems often happen in the gaps:

  • CVs forwarded and sitting in email inboxes
  • Interview notes saved in personal documents
  • Candidate feedback shared over WhatsApp
  • Exported spreadsheets that never get deleted
  • Shared drives with candidate data no one has audited

All of that data falls under the same GDPR rules and retention timelines as what's in your ATS.

Clear working practices are just as important as good software. Make sure everyone involved in recruitment knows that candidate data belongs in the ATS — and understands what to do with it. Schedule regular checks to catch data that's ended up somewhere it shouldn't be.

What does the EU Pay Transparency Directive mean for employers in 2026?

The EU Pay Transparency Directive requires employers to give job applicants information about the initial pay level or pay range for a role either in the vacancy notice or ahead of the interview. Including a salary figure or range directly in the job ad is the clearest and lowest-friction approach, but the Directive's wording allows this information to be provided before the interview instead.

Employers should also check national implementation rules, because member states may introduce stricter or more specific requirements.

Beyond pay disclosure in recruitment, the Directive also prohibits asking candidates about their current or previous pay, and requires employers to be able to demonstrate that employees are paid equally for work of equal value.

Employees also gain new rights under the Directive: they can request information about their own pay level and the average pay of colleagues doing equivalent work, broken down by gender.

Additional obligations for organizations with 100+ employees

Larger organizations face further requirements. Employers with 100 or more employees will have pay-gap reporting obligations, with reporting frequency and timing depending on organization size and national implementation.

Where a gender pay gap of at least 5% exists in a category of workers and cannot be justified by objective, gender-neutral factors, the organization may need to carry out a joint pay assessment and take corrective action.

What you need to update in your recruitment process

The EU's original implementation deadline for the Pay Transparency Directive was June 2026. Check the current status for your country, as implementation timelines vary across member states.

Regardless of timeline, now is a good time to review:

  • Whether job postings routinely include a salary or salary range. In Tellent Recruitee, you can add this through custom fields.
  • Whether salary banding is clearly documented internally
  • Whether recruiters or hiring managers are still asking about current salary (they shouldn't be)
  • How salary data flows through your ATS
  • Whether hiring managers are briefed on the new requirements

It's also worth reframing this. Pay transparency isn't just a compliance task — it builds candidate trust and reduces drop-off during the hiring process. According to our State of Hiring report, being upfront about salary early reduces candidate attrition through the funnel.

What does the EU AI Act mean for recruitment software?

The EU AI Act establishes a risk-based framework for artificial intelligence. Many AI applications used in recruitment — CV screening, candidate matching, interview transcript analysis, assessment support — are classified as high-risk under the Act.

For high-risk AI tools used in recruitment, the obligations include:

  • Transparency about how AI is used in the hiring process
  • Maintaining meaningful human oversight at every decision point
  • Actively monitoring for and mitigating discrimination or bias risks

The core principle is that AI can support recruiters, but it cannot make autonomous decisions about candidates. Every significant recruitment decision must involve a human review.

That means a candidate cannot be automatically rejected without a recruiter or hiring manager reviewing the decision first. It also applies to candidate-facing communications: if AI generates rejection messages or other outreach, a recruiter must review that content before it's sent.

The question regulators and candidates will ask is: how was this decision made, and who was responsible for it? AI can make processes faster and more efficient — but human accountability must remain intact throughout.

Candidates must also be clearly informed that AI is being used in the recruitment process and how their personal data is being handled in connection with it.

Data protection authorities are watching AI closely

European data protection authorities have identified AI as a priority area for oversight. The risks they're tracking include algorithmic discrimination, inadequate data protection, and opaque decision-making. Organizations may face significant penalties for non-compliance. Under the EU AI Act, prohibited AI practices can carry penalties of up to €35 million or 7% of global annual turnover, while GDPR penalties may apply separately where personal data is processed unlawfully.

There is also growing scrutiny of recruitment technology sourced from outside the EU. When AI is embedded in tools built on non-European infrastructure, additional requirements around international data transfers apply. European data storage makes it significantly easier to maintain control over how personal data is processed and to demonstrate compliance with GDPR.

European software gives you a stronger compliance foundation

Software built with European privacy law as a design requirement — not a retrofitted feature — helps reduce the compliance overhead you'd otherwise carry. Fewer complexities around international data transfers, clearer data sovereignty, and stronger alignment with GDPR from the ground up.

At Tellent Recruitee, privacy and security are built into how the product is developed and operated:

  • Data stored within Europe
  • Personal data processed in accordance with GDPR
  • Compliance with key security standards, including SOC 2 and ISO 27001

Implementation timelines may shift — but don't wait

The EU AI Act implementation timeline has changed since the original Act was adopted. Current European Commission guidance states that rules for high-risk AI systems in certain areas, including employment, apply from 2 December 2027. For high-risk AI systems integrated into products covered by EU harmonisation legislation, the rules apply from 2 August 2028.

Regardless of timing, reviewing your AI tools and workflows now is the right call. Many organizations treat the EU AI Act as a compliance exercise to avoid fines. But transparent, human-led AI use also builds candidate trust — and in a tight labor market, that's a genuine competitive advantage.

GDPR compliance checklist for recruiters in 2026

Use this checklist to verify that your processes and tools are ready for the key requirements around privacy, pay transparency, and AI in recruitment:

  • Publish a clear privacy notice that meets GDPR requirements, and make it accessible at the point of application
  • Restrict access to candidate data to the hiring team members who need it
  • Automate data retention timelines and the deletion or anonymization of candidate records
  • Obtain active, documented consent before adding candidates to a talent pool — and re-obtain it periodically
  • Provide a salary figure or range in the vacancy notice or ahead of the interview, and check whether your country requires disclosure directly in job ads
  • Stop asking candidates about salary history
  • Use gender-neutral job titles and job descriptions
  • Ensure your ATS has European data storage and a signed data processing agreement with your vendor
  • Verify that any AI tools in your recruitment workflow comply with the EU AI Act: candidates must not be automatically rejected without human review, AI use must be disclosed, and personal data must be handled securely


A well-configured ATS is your compliance foundation in 2026

In 2026, a properly set-up ATS is one of the most practical tools you have for staying GDPR-compliant. It helps you organize your hiring process, and it makes managing retention timelines, candidate consent, and data access significantly more straightforward.

That said, not every ATS is built with compliance in mind. Look for:

  • European data storage
  • Support for GDPR obligations
  • Automated data retention and anonymization
  • Secure personal data processing
  • Security certifications (SOC 2, ISO 27001)
  • Features that map to how European hiring teams actually work

Tellent Recruitee is built with these requirements as a starting point — so organizations can run their recruitment processes in a way that supports their compliance obligations.

Find out how Tellent Recruitee supports GDPR compliance, or book a free demo to see how the platform helps you handle candidate data securely and in line with current regulations.

Frequently asked questions on GDPR

What is GDPR and what does it mean for recruitment?

GDPR is the EU's data protection regulation, governing how organizations collect, store, and use personal data. In recruitment, it means handling candidate data carefully, applying appropriate retention periods, keeping candidates informed about how their data is used, and processing it securely.

How long can I keep CVs and application data?

You should retain candidate data only as long as necessary for the recruitment purpose it was collected for, then delete it. If you want to keep someone in a talent pool for future roles, you need their active consent — and you need to renew that consent periodically.

Do I need consent from candidates to process their data?

Not for standard recruitment activities. Legitimate interest or the performance of a (pre-)contract are typically more appropriate legal bases than consent for core recruitment processing. You do need explicit consent to add candidates to a talent pool for future roles.

What candidate data can and can't I collect?

You can collect data relevant to assessing a candidate's suitability: CVs, cover letters, interview notes, assessment results. Special category data — including health information, ethnicity, religion, and sexual orientation — cannot generally be collected during recruitment. Collect only what you genuinely need.

What changes does the EU Pay Transparency Directive bring?

Employers must give applicants information about the initial pay level or pay range either in the vacancy notice or ahead of the interview. They must also stop asking candidates about pay history and demonstrate equal pay for equal work. For organizations with 100 or more employees, there are also pay-gap reporting obligations, phased by company size and national implementation. Check the status in your jurisdiction.

Can I check a candidate's social media?

You can, but only with a clear, role-relevant reason. Reviewing a LinkedIn profile to assess professional experience is generally acceptable. Browsing private social media profiles is not. Whatever you do, be transparent about it in your privacy notice.


What does the EU AI Act mean for my recruitment process?

If you use AI tools for screening, matching, or assessing candidates, those applications are likely classified as high-risk under the EU AI Act. That means maintaining human oversight at every decision point, being transparent with candidates about AI use where required, documenting how the system is used, and actively monitoring for bias. Candidates should not be automatically rejected without human review.

Does my ATS need to be GDPR-compliant?

Yes. Your ATS processes candidate personal data, which means it must support GDPR-compliant processing. Look for appropriate data hosting, automated retention controls, role-based access, audit logs, candidate deletion or anonymization, and a data processing agreement with the vendor. Tellent Recruitee is built with features that support these requirements — but your organization remains responsible for how you configure and use it.

Why does European data storage matter?

When your candidate data is hosted in Europe, it can help simplify governance, reduce complications around international data transfers, and support GDPR alignment. Tools built or hosted outside the EU can still be used, but they typically require additional compliance checks around data transfers, subprocessors, and safeguards.

Written by Martina, Global Content Strategist at Tellent, with over five years of experience researching and writing about recruitment and HR. She partners closely with subject matter experts to produce content that helps educate recruiters and HR managers and make better hiring and talent decisions.
