GDPR And Data Privacy In Global Hiring: A 2026 Compliance Guide

Fines reach €20 million. Retention limits apply from the first CV received. Six EU countries enforce rules that go beyond the base regulation. Here is the complete compliance picture for global hiring teams.

Quick Summary — What This Article Covers

1. GDPR has no geographic boundary. Any company anywhere in the world that collects or processes personal data of EU residents during hiring must comply — from the first CV received.

2. Fines reach €20 million or 4% of global annual turnover, whichever is higher. German, French, and Irish regulators have already issued multi-million euro penalties in HR and employment data contexts.

3. The EU-US Data Privacy Framework launched in July 2023 but remains legally contested. Companies transferring candidate data across the Atlantic should maintain Standard Contractual Clauses as a parallel safeguard.

4. Candidate CVs and application data cannot be held indefinitely. Most supervisory authorities consider 6 to 12 months a reasonable retention window after a recruitment process closes, absent explicit consent for longer storage.

5. In EOR arrangements, responsibility is split — not eliminated. The EOR is typically the data processor; your company remains the data controller and retains full accountability for how candidate data is used.

6. Several EU countries enforce stricter national rules on top of GDPR. Germany’s BDSG, France’s CNIL guidelines, and the Netherlands’ AP each add requirements that directly affect how employers can process candidate and employee data.

Reading time: approximately 22 minutes © EmployerRecords

Most companies still treat GDPR as a cookie banner issue. The real exposure sits inside their hiring process.

Every time a recruiter collects a CV from an EU-based candidate, stores it in an applicant tracking system, shares it with a hiring manager in another country, or runs it through an AI screening tool, they’re handling personal data under GDPR.

And unlike website analytics or marketing data, recruitment data is richer, more sensitive, and often shared across multiple systems and jurisdictions in a very short span of time.

GDPR came into force on May 25, 2018, but its reach goes far beyond Europe. If you’re processing the personal data of someone located in the EU, it applies, regardless of where your company is based. A US company hiring in Germany or a Singapore-based firm recruiting in the Netherlands is subject to the same rules from the moment a candidate applies.

What makes hiring particularly tricky is how fragmented the process is. Candidate data doesn’t sit in one place. It moves through job boards, into your ATS, gets shared with screening vendors, passed between local and central teams, and increasingly flows through AI tools that score or filter applicants.

Each of those touchpoints creates its own set of obligations, and its own risk if something is mishandled.

This guide looks at GDPR from the perspective of how hiring actually works. Not the high-level principles, but the decisions teams deal with every day: what data you collect, how long you keep it, who you share it with, how you manage vendors, and what changes when that data crosses borders.

It also covers where GDPR overlaps with stricter national laws, how Schrems II continues to affect international hiring, and what the rise of AI in recruitment means for automated decision-making and candidate rights.

The 7 Core GDPR Principles Applied to Recruitment

Article 5 of GDPR lays out seven principles that govern how personal data must be handled. In recruitment, these aren’t abstract concepts.

They shape how you design your hiring process, configure your ATS, and work with vendors. When regulators investigate, this is the framework they use.

The 7 GDPR principles — what they mean for your hiring process

Principle 1 — Lawfulness, fairness and transparency
You need a valid legal basis before collecting any candidate data. Candidates must be told at the point of application what you collect, why, who sees it, and how long you keep it.
→ Privacy notice required at point of application

Principle 2 — Purpose limitation
Data collected for one role cannot be repurposed for a different vacancy without fresh notice. A CV for a marketing role cannot silently be considered for an engineering opening.
→ Talent pool re-use requires explicit opt-in

Principle 3 — Data minimisation
Collect only what the hiring decision actually requires. Asking for date of birth, nationality, or marital status at the application stage is rarely justifiable and frequently challenged by DPAs.
→ Application forms need a legal necessity review

Principle 4 — Accuracy
Candidate records must stay accurate and current. Application profiles sitting untouched in an ATS for two or three years without review are a compliance liability, not just a housekeeping backlog.
→ ATS audit cycles are a legal requirement

Principle 5 — Storage limitation
Data cannot be kept indefinitely because it might prove useful someday. Most DPAs consider 6 to 12 months a reasonable retention window for unsuccessful candidate data after a process closes.
→ Documented retention schedules are mandatory

Principle 6 — Integrity and confidentiality
Candidate data must be protected against unauthorised access, loss, and destruction — covering your ATS, email handling, internal sharing practices, and every third-party vendor in the hiring chain.
→ Vendor security clauses are non-negotiable

Principle 7 — Accountability (the one regulators check first)
Compliance must be demonstrable, not just claimed. Regulators expect documented processing policies, maintained Records of Processing Activities (RoPA) under Article 30, completed DPIAs for high-risk processes, staff training logs, and signed vendor contracts with appropriate data protection clauses. Verbal assurances carry no weight in an investigation.
→ RoPA (Article 30), DPIAs for high-risk processing, staff training records, signed DPAs with all vendors

Lawfulness, fairness and transparency comes into play the moment a candidate shares their CV. You need a valid legal basis to collect and process that data, and the candidate needs to know exactly what’s happening to it.

What you’re collecting, why you’re collecting it, who it will be shared with, and how long it will be retained should be clearly explained upfront. That belongs in a candidate-facing privacy notice at the point of application, not hidden inside a generic website policy.

Purpose limitation is where teams often slip without realising it. If someone applied for a specific role, that’s the purpose you collected their data for. Reusing that same data later for a different role, or dropping them into a general talent pool, changes the purpose.

At that point, you either need to inform the candidate and reset expectations, or obtain consent, depending on the situation.

Data minimisation forces a hard look at what you’re asking candidates to provide. Details like date of birth, nationality, marital status, or photographs are rarely necessary at the initial screening stage, and in some EU countries, actively discouraged.

The rule is simple: if you can’t justify why a piece of data is needed to make a hiring decision, you shouldn’t be collecting it.

Accuracy isn’t a one-time check. Candidate data goes stale quickly. Profiles sitting in your ATS for years without review create risk, especially if they’re used later in hiring decisions. Teams need a process to periodically review, update, or remove records that are no longer accurate or relevant.

Storage limitation is one of the most common weak spots in recruitment. Keeping CVs indefinitely “just in case” doesn’t hold up under GDPR.

Regulators in countries like Germany, France, and the Netherlands have indicated that 6 to 12 months is generally a reasonable retention window for unsuccessful candidates. Keeping data beyond that typically requires a clear justification, often explicit consent for talent pool inclusion.

Integrity and confidentiality shows up in the day-to-day handling of candidate data. Who has access to your ATS, how interview notes are stored, how CVs are shared internally, and what safeguards your vendors have in place all matter.

Forwarding a CV through a personal email account or working with a screening vendor without proper contractual protections are both clear risk points.

Accountability is what ties everything together. It’s not enough to say you’re compliant. You need to be able to show it. That means documented processes, up-to-date policies, signed agreements with vendors, completed DPIAs where required, and evidence that your team has been trained.

When regulators ask questions, this is what they expect to see.

Legal Bases for Processing Candidate Data

One of the first questions you need to answer in any GDPR-compliant hiring process is straightforward on paper and messy in practice: why are you allowed to process this candidate’s data at all?

Under GDPR, every processing activity needs a valid legal basis. In recruitment, this isn’t just a technical requirement.

It affects how you design your hiring workflow, what you can do with candidate data, and how you respond if a candidate challenges your decisions. It’s also one of the first things regulators look at during an audit.

In reality, only three of the six legal bases come up in most hiring scenarios. The rest are edge cases. Getting clear on which one applies, and where it doesn’t, makes a big difference, because each basis comes with different obligations and gives candidates different rights.

Consent is often the default answer teams reach for, and it’s usually the wrong one. For consent to be valid under GDPR, it has to be freely given, specific, informed, and unambiguous. That’s hard to justify in a hiring context where there’s an obvious power imbalance between employer and candidate. Several EU regulators, along with courts in countries like Germany, have cautioned against relying on consent for standard recruitment processing.

Where consent does make sense, for example, keeping a candidate’s details in a talent pool after a role is closed, it needs to be genuinely optional, easy to withdraw from, and have no negative consequences for the candidate.

Contractual necessity is what most core recruitment activity relies on. Once a candidate applies for a role and you’re actively considering them, you can process the information needed to evaluate that application. CVs, work history, qualifications, all of that fits.

What doesn’t fit are extras that aren’t required to make a hiring decision. Asking for a photograph or pulling in social media data usually goes beyond what’s necessary here.

Legitimate interests gives you more flexibility, but it comes with more scrutiny. It allows you to process data where you have a reasonable business interest, as long as it doesn’t override the candidate’s rights or expectations. Some recruitment activities, like limited reference checks for shortlisted candidates, can fall under this basis. Others clearly don’t.

Using candidate data for broader internal analytics or market insights, for example, is much harder to justify. If you rely on legitimate interests, you need to document your reasoning and be ready to defend it, especially if a candidate objects.

The table below maps common recruitment activities to the most appropriate legal basis, along with the limits that apply and how candidates can respond if they disagree.

Legal bases for processing candidate data — GDPR Article 6

Collecting CV and application form data
  Lawful basis: Contractual necessity
  Key limitation: Only covers data genuinely needed to evaluate the application. Photos, nationality, and marital status fall outside this basis.
  Candidate right: Access, rectification, and erasure once the process ends

Retaining profile in a talent pool after rejection
  Lawful basis: Consent
  Key limitation: Consent must be freely given and easy to withdraw at any time. Withdrawal cannot disadvantage the candidate in future applications.
  Candidate right: Withdraw consent and demand immediate deletion

Reference checks on shortlisted candidates
  Lawful basis: Legitimate interests
  Key limitation: Requires a documented Legitimate Interests Assessment (LIA). Must not override the candidate’s reasonable privacy expectations.
  Candidate right: Object — the organisation must demonstrate compelling grounds to continue

Criminal record and background screening
  Lawful basis: Legal obligation / Consent
  Key limitation: Governed by Article 10 GDPR and national law. Many countries restrict criminal checks to specific role types. Legal advice required per jurisdiction.
  Candidate right: Be informed; challenge inaccurate records

Sharing candidate data with a third-party recruiter or ATS
  Lawful basis: Contractual necessity / Legitimate interests
  Key limitation: A signed Data Processing Agreement (DPA) is mandatory before sharing data with any vendor. The vendor must meet GDPR security standards contractually.
  Candidate right: Know who data is shared with; object to onward transfers

AI-based CV screening and automated candidate scoring
  Lawful basis: Legitimate interests / Consent
  Key limitation: If decisions are made solely by automated means with significant effect, Article 22 applies. Candidates must be informed and have the right to human review.
  Candidate right: Not be subject to solely automated decisions; request human review

Source: gdpr-info.eu — Articles 6, 10, and 22

Candidate Rights HR Teams Must Operationalize

GDPR gives candidates a set of enforceable rights over their personal data, and they can exercise those rights at any point during or after the hiring process. When they do, the clock starts. You have fixed timelines to respond, and missing them is a compliance failure in itself.

The difficulty isn’t understanding the rights. It’s handling them in practice. A single request can mean pulling data from your ATS, digging through recruiter emails, reviewing interview notes, checking vendor reports, and making sure nothing is missed. In a global hiring setup, that quickly turns into a coordination problem if you don’t have a clear process in place.

Here’s how these rights typically show up in recruitment.

GDPR candidate rights — what HR must be ready to action

Right of access — Subject Access Request (SAR) — deadline: 1 month
Candidate can request all data held about them across every system — ATS, email, interview notes, screening reports. No specific wording required. A plain email asking “what do you have on me?” is a valid SAR.
HR action: Designate a SAR owner. Build a data map so every system holding candidate data can be searched within the deadline.

Right to erasure — right to be forgotten — deadline: 1 month
Once the recruitment purpose ends and no other lawful basis applies, candidates can demand full deletion of their data. Unsuccessful candidates who did not consent to talent pool retention have a strong claim to erasure.
HR action: Automate deletion triggers in your ATS at the end of defined retention windows.

Right to rectification — correction of inaccurate data — deadline: 1 month
Candidates can require correction of any inaccurate data held across your systems — including errors in interview notes, incorrectly recorded qualifications, or wrong contact details in your ATS.
HR action: Corrections must cascade across all systems, not just the primary ATS record.

Right to object — objection to legitimate interests processing — effect: immediate
Where you rely on legitimate interests as your lawful basis — such as reference checks — candidates can object. You must stop processing unless you can demonstrate compelling grounds that override their interests.
HR action: Your Legitimate Interests Assessment must be documented and defensible before processing begins.

Right against solely automated decisions — Article 22
If an AI tool auto-rejects a candidate with no human in the loop, Article 22 is engaged. Candidates must be informed, given the right to request human review, and allowed to contest the outcome.
HR action: Ensure a human reviewer is always in the decision loop when AI screening tools are used.

Right to portability — machine-readable data export — deadline: 1 month
Where processing is based on consent or contract, candidates can request their data in a structured, commonly used, machine-readable format such as JSON or CSV to transfer to another organisation.
HR action: Confirm your ATS can export candidate data in a machine-readable format on request.

Source: gdpr-info.eu — Articles 15, 16, 17, 18, 20, 21, and 22

Access requests (SARs) are the most common. A candidate can ask what data you hold about them, how you’re using it, and who you’ve shared it with. They don’t need to use legal terminology; a simple email asking for their data qualifies. You have one month to respond, and that response needs to include everything, not just what’s sitting in your ATS.

Erasure requests usually come after a process ends. If a candidate was not selected and hasn’t agreed to stay in a talent pool, there’s generally no basis to keep their data beyond a reasonable retention period. At that point, a deletion request isn’t optional; you’re expected to act on it.

Rectification tends to come up less often, but it’s straightforward. If a candidate spots incorrect information — for example, an inaccurate note about their experience — they can ask for it to be corrected. That applies even to internal records like interview feedback if they contain factual errors.

Objections matter when you’re relying on legitimate interests. A candidate can push back on that processing, and unless you can justify why your interest overrides theirs, you need to stop. This is where weak or undocumented legitimate interest assessments tend to fall apart.

Automated decision-making becomes relevant if you’re using AI tools to filter or reject candidates without human involvement. If a system is making decisions that significantly affect someone, Article 22 applies. Candidates need to be informed, and they must have a way to request human review and challenge the outcome.

Data portability is less common in hiring but still applies in specific cases, mainly where processing is based on consent or contract. If requested, you need to provide the candidate’s data in a structured, machine-readable format so it can be transferred elsewhere.

Data Retention: What to Keep and For How Long

Retention is where a lot of GDPR risk builds up quietly. In most hiring teams, the default is to keep everything. CVs sit in shared drives, interview notes live in inboxes, and ATS profiles stay active long after a role is closed.

None of that holds up under scrutiny, and regulators across the EU have been consistently flagging this in audits.

At the centre of this is the storage limitation principle: personal data can only be kept for as long as it’s needed for the purpose it was collected. In practice, that means you need to make clear decisions about each type of data in your hiring process. Not everything can be treated the same way.

Start with the obvious split: hired candidates vs unsuccessful ones.

When a candidate is hired, their application data becomes part of their employment record. CVs, applications, references, background checks — all of it moves into a different regulatory framework.

From that point on, retention is driven by employment law, and that varies by country. In Germany, some payroll-related records need to be kept for up to ten years. In the UK, many employment records are kept for six. The hiring data doesn’t disappear; it just changes category.

For unsuccessful candidates, the position is much tighter. Once the process ends and no offer is made, the original purpose for collecting that data is over. Keeping it beyond that point requires a new justification or explicit consent, typically for a talent pool.

Most EU regulators consider six to twelve months a reasonable retention window, enough to deal with any legal challenge, but not long enough to justify open-ended storage.

Some data types need stricter handling.

Background checks and criminal record data fall under additional restrictions. GDPR limits how this data can be processed, and in many cases, national law sets even tighter rules. Keeping this information beyond the immediate hiring decision is rarely justified, and in some jurisdictions, not allowed at all.

Interview notes are another weak spot. They’re often treated as informal, but they’re still personal data. That means they need to be stored securely, access needs to be controlled, and they should be deleted in line with your overall retention policy. It doesn’t matter whether they sit in your ATS, a notebook, or someone’s inbox; the obligation is the same.

The table below breaks this down by data type, showing how long different categories can be retained, what legal basis supports that retention, and what should happen when the period expires.

Candidate data retention schedule — what to keep, for how long, and what to do when it expires

CV and application form — unsuccessful candidate
  Retention period: 6 – 12 months
  Legal basis for retention: Legitimate interests — potential employment dispute window
  On expiry: Delete or anonymise
  Risk level: Medium

CV and application form — hired candidate
  Retention period: Employment + 6 years
  Legal basis for retention: Contractual necessity and legal obligation under employment law
  On expiry: Transfer to employee file
  Risk level: Low

Interview notes — unsuccessful candidate
  Retention period: 6 – 12 months
  Legal basis for retention: Legitimate interests — defence of potential discrimination claims
  On expiry: Delete securely
  Risk level: Medium

Interview notes — hired candidate
  Retention period: Employment + 6 years
  Legal basis for retention: Contractual necessity and legal obligation
  On expiry: Transfer to employee file
  Risk level: Low

Background check results — all candidates
  Retention period: 30 – 90 days
  Legal basis for retention: Contractual necessity — limited to completion of the hiring decision only
  On expiry: Delete immediately
  Risk level: High

Criminal record check data — restricted (Article 10)
  Retention period: Decision only
  Legal basis for retention: Governed by Article 10 GDPR and national law. Cannot be retained after the hiring decision in most EU jurisdictions.
  On expiry: Immediate deletion
  Risk level: Very high

Talent pool profiles — consent-based only
  Retention period: Up to 24 months
  Legal basis for retention: Explicit consent — annual re-confirmation recommended. Delete immediately on withdrawal.
  On expiry: Delete on withdrawal
  Risk level: Medium

Recruitment emails and correspondence — all candidates
  Retention period: Mirrors the application
  Legal basis for retention: Same basis as the primary application data. Treat as part of the candidate record, not separate correspondence.
  On expiry: Apply the same rules
  Risk level: Medium
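The schedule above only reduces risk if something actually enforces it. As an added illustration (this is not code from EmployerRecords or from any ATS product), the following Python encodes the schedule as a retention sweep: each candidate record is classified by data type and candidate status, and the sweep returns retain, delete, or transfer_to_employee_file. The concrete windows (182 days for unsuccessful candidates, 30 days for background checks, 730 days for talent pool consent) are assumptions chosen at the conservative end of the ranges in the table, and the sample records are constructed, not real candidate data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    UNSUCCESSFUL = "unsuccessful"
    HIRED = "hired"
    TALENT_POOL = "talent_pool"  # unsuccessful candidate who explicitly opted in


# Concrete windows are assumptions chosen at the conservative end of the
# ranges the schedule gives (6-12 months, 30-90 days, up to 24 months).
UNSUCCESSFUL_WINDOW = timedelta(days=182)
BACKGROUND_CHECK_WINDOW = timedelta(days=30)
TALENT_POOL_WINDOW = timedelta(days=730)

# Data types that follow the application record ("mirrors application").
APPLICATION_DATA = {"cv", "interview_notes", "correspondence"}


@dataclass
class CandidateRecord:
    record_id: str
    data_type: str                       # cv | interview_notes | correspondence | background_check | criminal_record
    status: Status
    decision_date: date                  # day the hiring decision was made / process closed
    consent_date: Optional[date] = None  # talent-pool opt-in date, if any
    consent_withdrawn: bool = False


def retention_action(rec: CandidateRecord, today: date) -> str:
    """Return retain / delete / transfer_to_employee_file for one record."""
    age = today - rec.decision_date
    # Article 10 data is kept for the decision only; once a decision exists it goes.
    if rec.data_type == "criminal_record":
        return "delete"
    # Background checks support the hiring decision and nothing else.
    if rec.data_type == "background_check":
        return "delete" if age > BACKGROUND_CHECK_WINDOW else "retain"
    if rec.data_type not in APPLICATION_DATA:
        raise ValueError(f"no retention rule for data type {rec.data_type!r}")
    # Hired: application data changes category and falls under employment-law retention.
    if rec.status is Status.HIRED:
        return "transfer_to_employee_file"
    # Talent pool: consent is the only basis, so withdrawal or expiry means deletion.
    if rec.status is Status.TALENT_POOL:
        if rec.consent_date is None or rec.consent_withdrawn:
            return "delete"
        return "delete" if today - rec.consent_date > TALENT_POOL_WINDOW else "retain"
    # Unsuccessful: CV, interview notes and correspondence share the dispute window.
    return "delete" if age > UNSUCCESSFUL_WINDOW else "retain"


def retention_sweep(records: List[CandidateRecord], today: date) -> Dict[str, str]:
    """Map every record id to the action the schedule requires on the sweep date."""
    return {r.record_id: retention_action(r, today) for r in records}


# Constructed sample records (not real candidate data).
SWEEP_DATE = date(2026, 3, 1)
SAMPLE_RECORDS = [
    CandidateRecord("r1", "cv", Status.UNSUCCESSFUL, date(2025, 11, 1)),              # 120 days old
    CandidateRecord("r2", "cv", Status.UNSUCCESSFUL, date(2025, 6, 1)),               # 273 days old
    CandidateRecord("r3", "interview_notes", Status.HIRED, date(2025, 12, 1)),
    CandidateRecord("r4", "background_check", Status.HIRED, date(2026, 1, 15)),       # 45 days old
    CandidateRecord("r5", "criminal_record", Status.HIRED, date(2026, 2, 28)),
    CandidateRecord("r6", "cv", Status.TALENT_POOL, date(2025, 6, 1),
                    consent_date=date(2025, 6, 5)),
    CandidateRecord("r7", "cv", Status.TALENT_POOL, date(2024, 1, 10),
                    consent_date=date(2024, 1, 10), consent_withdrawn=True),
    CandidateRecord("r8", "correspondence", Status.UNSUCCESSFUL, date(2025, 10, 1)),  # 151 days old
]


def sample_sweep() -> Dict[str, str]:
    """Run the sweep over the constructed records on the fixed sweep date."""
    return retention_sweep(SAMPLE_RECORDS, SWEEP_DATE)


if __name__ == "__main__":
    for record_id, action in sample_sweep().items():
        print(f"{record_id}: {action}")
```

The order of the checks is deliberate: Article 10 data and background checks are decided before the candidate’s status is consulted, so a hired candidate’s criminal record check is still deleted rather than transferred to the employee file. Correspondence is handled by the same branch as the CV, which is what "mirrors application" in the schedule requires.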

Cross-Border Data Transfers

Every time candidate data leaves the EU, a cross-border transfer is happening. That includes sending a CV to a hiring manager in the US, using an ATS hosted in another region, or running background checks through an external vendor. Under GDPR, you need a valid transfer mechanism in place before any of that happens.

This is where compliance gets complicated, especially after the Schrems II ruling in 2020. That decision invalidated the EU–US Privacy Shield and raised the bar for how companies handle international data transfers.

It also changed how Standard Contractual Clauses are used: they’re no longer enough on their own. You now have to assess whether the destination country’s legal system actually allows those protections to work in practice.

Things shifted again in 2023 with the introduction of the EU–US Data Privacy Framework. US companies that self-certify can receive EU data without additional safeguards. But given what happened to Safe Harbor and Privacy Shield, most organisations aren’t relying on it alone.

If you’re moving candidate data to the US at scale, it’s safer to treat the framework as one layer, not the only one.

In practice, Standard Contractual Clauses are still the default. The updated versions introduced in 2021 cover different types of transfers, depending on who is sharing data with whom.

For most hiring setups, where you’re working with an ATS, screening vendor, or external recruiter outside the EU, you’re typically in a controller-to-processor scenario.

What’s changed is how the clauses are used. After Schrems II, SCCs come with an extra step: the Transfer Impact Assessment.

You need to look at the laws in the destination country and decide whether they undermine the protections the clauses are supposed to provide. If they do, you either add safeguards like encryption or you don’t proceed with the transfer.

For larger organisations, Binding Corporate Rules are another option. These are internal policies that govern how data moves within a corporate group. They’re more robust, but also much harder to implement.

Approval can take over a year and requires detailed documentation across every entity involved. For companies that move data internally at scale, they’re worth it. For most others, they’re not practical.

Some countries are simpler. Where the European Commission has issued an adequacy decision, data can move without additional safeguards. That currently includes places like the UK, Japan, and Switzerland, along with the US under the Data Privacy Framework. Even here, it’s worth keeping an eye on changes; adequacy decisions have been overturned before.

Cross-border data transfers — legal mechanisms and adequacy decisions

Every transfer of EU candidate data to a country outside the EU requires one of the following legal mechanisms to be in place before the transfer happens. No mechanism means no lawful transfer.

Standard Contractual Clauses — most common
Pre-approved contractual clauses published by the European Commission. The 2021 modernised SCCs replaced all prior versions and introduced four modules based on the relationship between exporter and importer.
  • Module 1: Controller to controller
  • Module 2: Controller to processor (most common in recruitment)
  • Module 3: Processor to controller
  • Module 4: Processor to processor
Requires a Transfer Impact Assessment (TIA) for each non-adequate destination country. Must be documented and reviewed annually.

Binding Corporate Rules — intra-group
Legally binding internal data protection policies approved by a lead EU supervisory authority. Cover all entities within the same corporate group and are the most robust long-term solution for multinationals.
Typically 12–18 months to approval; one lead DPA approval needed.
Best suited to organisations with 3 or more entities regularly transferring HR and candidate data across borders.

EU-US Data Privacy Framework — use with caution
Adopted by the European Commission in July 2023 as the successor to Privacy Shield. US companies that self-certify with the US Department of Commerce can receive EU personal data without additional mechanisms.
  • Safe Harbor invalidated — October 2015
  • Privacy Shield invalidated — July 2020 (Schrems II)
  • DPF adopted — July 2023, legal challenge ongoing
Maintain SCCs as a parallel safeguard. Do not rely on DPF certification alone given the track record of predecessor frameworks.

Adequacy decisions — no extra steps
Countries formally recognised by the European Commission as providing equivalent data protection. No additional transfer mechanism required — but monitor for changes.
Current adequacy list: United Kingdom, Switzerland, Japan, South Korea, New Zealand, Canada (partial), Israel, Uruguay, and the US (DPF only ⚠).
Adequacy status can be withdrawn. Review the European Commission’s adequacy list annually and update your transfer mechanisms accordingly.

Transfer Impact Assessment — required steps for non-adequate countries
  1. Identify the destination country and its data protection laws
  2. Assess whether government surveillance laws undermine SCC protections
  3. Implement supplementary measures if gaps are identified
  4. Document the assessment and review it annually

Source: European Commission — ec.europa.eu/info/law/law-topic/data-protection

For everything else, the work is operational:

  • Map where candidate data is going
  • Identify every vendor handling EU data
  • Confirm where that data is stored and processed
  • Put the correct SCCs in place
  • Run and document a Transfer Impact Assessment
  • Review the setup regularly

This is where most organisations fall short, not in understanding the rules, but in consistently applying them across all systems and vendors involved in hiring.

GDPR in Employer of Record Arrangements

A common mistake in global hiring is assuming that using an Employer of Record shifts GDPR responsibility to the EOR. It doesn’t.

Under GDPR, responsibility depends on who decides why and how personal data is processed. In most EOR setups, that’s still the client company.

GDPR in EOR arrangements — who is the controller and who is the processor

Client company — data controller
The client company decides why candidate data is being collected and how it will be used. That decision makes it the data controller — regardless of who the legal employer on the contract is.

Controller obligations include:
  • Issuing a candidate-facing privacy notice at point of application
  • Establishing and documenting the lawful basis for each processing activity
  • Responding to candidate Subject Access Requests within one month
  • Maintaining Records of Processing Activities (RoPA) under Article 30
  • Auditing the EOR’s data protection practices and performance
  • Notifying the supervisory authority of breaches within 72 hours

Accountability cannot be outsourced to the EOR. The client company remains liable for GDPR compliance even when it does not directly hold the data.

Employer of Record — data processor
The EOR processes personal data on behalf of the client company and strictly under its instructions. It handles payroll, contracts, and statutory filings — but does not independently determine why that data exists.

Processor obligations include:
  • Processing data only on documented instructions from the client company
  • Signing a compliant Article 28 Data Processing Agreement
  • Ensuring sub-processors meet equivalent GDPR standards
  • Implementing appropriate technical and organisational security measures
  • Assisting the controller with candidate rights requests and breach notifications
  • Deleting or returning all data on termination of the agreement

A processor that acts outside the controller’s instructions on processing purposes becomes a controller itself — and takes on full GDPR liability for that processing.

Joint controller scenario — when it applies (Article 26)
In certain situations the EOR independently determines its own processing purposes — for example, maintaining its own regulatory employment records required by local law in the country of hire. When that happens, both parties are determining processing purposes and a joint controller agreement under Article 26 GDPR is required.
  • When joint control applies: the EOR maintains independent HR or payroll records for local regulatory compliance in the country of employment
  • What Article 26 requires: a written arrangement specifying each party’s responsibilities for GDPR obligations — especially candidate rights responses and breach notification
  • Practical implication: candidates must be told the essence of the joint controller arrangement and can exercise their rights against either party

Article 28 DPA checklist — what your EOR contract must contain
  • Subject matter and duration of processing
  • Nature and purpose of the processing
  • Type of personal data and categories of data subjects
  • Confidentiality obligations on authorised personnel
  • Sub-processor approval requirements
  • Assistance with SARs, DPIAs, and breach notifications
  • Data deletion or return on contract termination
  • Right of the controller to audit the processor

Source: gdpr-info.eu — Articles 26, 28, and 29

You decide who to hire, what data to collect, and how it’s used during recruitment and onboarding. That makes you the data controller. The EOR, which handles payroll, contracts, and compliance tasks on your behalf, is typically acting as a data processor.

This distinction has practical implications:

  • You remain accountable
    If a candidate submits a data request, the obligation to respond sits with you, even if the data is held by the EOR.
  • A Data Processing Agreement is mandatory
    Before sharing any data, you need a contract that clearly defines roles, scope, and safeguards.
  • Vendor oversight doesn’t go away
    You’re responsible for ensuring the EOR actually meets GDPR standards in practice — not just on paper.

There are exceptions. In some cases, the EOR may act as a joint controller, particularly when it determines certain processing purposes independently, such as meeting local legal requirements. In those situations, responsibilities need to be clearly defined between both parties.

The key takeaway: an EOR helps you hire globally, but it doesn’t take GDPR compliance off your plate. You’re still responsible for how candidate data is handled end to end.

GDPR sets the baseline, but it’s not the full picture. Several EU countries impose additional rules on how candidate and employee data can be handled, especially in hiring.

For global teams, that means there isn’t a single “EU standard.” The requirements shift depending on where you’re hiring.

National rules that go beyond GDPR — key EU hiring markets

GDPR compliance alone is not sufficient in these markets. Each country below adds obligations that require separate legal review.

🇩🇪 Germany: BDSG + Works Councils

Section 26 BDSG governs all employment data, including applicant data, and is stricter than GDPR Article 6 in HR contexts

Works councils have a co-determination right (Section 87(1) no. 6 BetrVG) over technical systems capable of monitoring employee behaviour or performance; that covers most ATS, AI screening and HR monitoring tools, so their agreement is needed before deployment, not just consultation

Applicants cannot be asked about salary history, pregnancy, or religion

Social media screening is generally prohibited without explicit consent

Supervisory authority: BfDI + 16 state-level DPAs (Landesbeauftragte)

🇫🇷 France: CNIL + Loi Informatique et Libertés

CNIL guidance restricts use of psychometric tests — results cannot be stored beyond the immediate recruitment decision

Automated hiring tools must be disclosed to candidates with an explanation of how decisions are made

Comité Social et Économique must be informed about data processing tools used in hiring

CNIL has issued well over €100 million in fines across sectors in recent years

Supervisory authority: CNIL — cnil.fr

🇳🇱 Netherlands: AP + WOR

AP prohibits recruitment profiling without an explicit legal basis and documented necessity

WOR Article 27 gives the works council a consent right over systems that register or monitor personnel, so its agreement is needed before implementing any system that monitors or evaluates candidates

Criminal record checks (VOG) are only permissible for specific role categories

Supervisory authority: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl

🇪🇸 Spain: LOPDGDD + AEPD

LOPDGDD adds digital disconnection rights and employee monitoring rules, relevant from point of hire

Biometric data use in employment requires explicit consent and a DPIA — no exceptions

AEPD is one of the most active DPAs in the EU by volume of fines issued

Supervisory authority: AEPD — aepd.es

🇮🇹 Italy: Codice Privacy + Garante

Codice restricts health data processing in employment — no collection during recruitment unless strictly necessary

Remote work monitoring is strictly regulated from point of offer acceptance

Garante can block processing activities independently of GDPR enforcement

Supervisory authority: Garante — garanteprivacy.it

🇵🇱 Poland: UODO + Labour Code

Labour Code Article 22¹ limits the data an employer may request from a candidate to name, date of birth, contact details, education, professional qualifications and employment history, with the last three only where needed for the role

UODO has issued fines specifically for unlawful retention of candidate data since 2022

Consent is not a valid basis for processing data candidates are required to provide under the Labour Code

Supervisory authority: UODO — uodo.gov.pl

Source: National DPA websites and EmployerRecords — GDPR And Data Privacy In Global Hiring © EmployerRecords

A few patterns stand out across these markets:

  • Germany and the Netherlands place heavy emphasis on works council involvement before deploying hiring technology
  • France and Spain focus more on transparency and restrictions around automated decision-making
  • Italy and Poland impose stricter limits on what data can be collected and how it’s used

The key takeaway is straightforward: GDPR compliance alone isn’t enough. Local rules can change what data you collect, how tools are deployed, and what approvals are required before hiring even begins.

AI and Automated Recruitment Under GDPR and the EU AI Act

AI tools are now part of most hiring workflows — screening CVs, ranking candidates, analysing interviews. That means personal data is being processed at scale, and in some cases, decisions are being made with little or no human involvement.

That’s where GDPR starts to matter.

Under Article 22, candidates have the right not to be subject to decisions based solely on automated processing, including profiling, where those decisions have legal or similarly significant effects on them; rejection from a role qualifies. The exceptions in Article 22(2) (the decision is necessary for entering into a contract, is authorised by law, or rests on explicit consent) do not remove the safeguards: under the contract and consent exceptions, Article 22(3) still requires that candidates can obtain human intervention, express their point of view and contest the decision.

The distinction is important. A real human review breaks the automation. A recruiter simply approving whatever the system recommends does not.

On top of this, the EU AI Act (Regulation (EU) 2024/1689), in force since August 2024, adds a second layer. AI systems used in recruitment and candidate selection are listed as high-risk in Annex III, and the high-risk obligations apply from 2 August 2026. That brings additional requirements around transparency, human oversight, data quality, and system reliability that must be met before these tools are used.

In practice, GDPR and the AI Act now work together. Before deploying any AI tool in recruitment, you need to understand what decisions it makes, how those decisions are reviewed, and whether the system meets both data protection and AI-specific requirements.

The visual below maps what that looks like in practice.

AI in recruitment — GDPR and EU AI Act obligations before you deploy

AI recruitment tools classified as high-risk under the EU AI Act. Both GDPR and AI Act obligations apply simultaneously.

GDPR Article 22 — automated decisions (candidate right)

What triggers Article 22: A decision made solely by automated means that produces a significant effect — including rejection from a role, shortlisting, or scoring that determines access to the next stage

What “solely” means: A human reviewer must genuinely engage with the AI output before a decision is finalised. A rubber-stamp review with no independent assessment does not satisfy the requirement

Candidate rights triggered: Right to be informed that automated processing is occurring, right to human review of the decision, and right to contest the outcome with reasons provided

EU AI Act — high-risk classification (in force August 2024; high-risk obligations apply from 2 August 2026)

AI systems used in recruitment, candidate selection, promotion decisions, and performance evaluation are listed as high-risk in Annex III of the EU AI Act. Most of the obligations below fall on the provider of the system. An employer that uses one is a deployer under Article 26 of the AI Act and must use it according to the provider’s instructions, assign trained human oversight, keep the logs the system generates, and inform workers’ representatives and the affected workers before putting it into service. Registration in the EU database is the provider’s duty; as deployer you should confirm it has been done.

Transparency documentation — technical and user-facing

Human oversight mechanisms built into the system

Accuracy, robustness, and bias testing before deployment

Registration in the EU AI Act database

Post-market monitoring and incident reporting

Data governance requirements for training data quality

DPIA — mandatory for AI screening

AI tools that systematically screen large volumes of candidates trigger a mandatory DPIA under GDPR Article 35 before any processing begins.

Description of the processing and its purposes
Assessment of necessity and proportionality
Identification of risks to candidate rights and freedoms
Measures to address identified risks

Bias and accuracy obligations

Biased AI outputs based on protected characteristics create simultaneous GDPR accuracy violations and discrimination law liability.

Audit training data for demographic bias before deployment
Test outputs across protected characteristic groups regularly
Document accuracy benchmarks and retest after any model update

AI vendor due diligence

Before any third-party AI recruitment tool processes candidate data, the vendor must be assessed across three compliance dimensions.

GDPR compliance — signed DPA, sub-processor list, security certifications
Article 22 compatibility — does the system support human review workflows?
EU AI Act conformity — is the system registered, tested, and documented for high-risk classification?

AI recruitment tools that trigger both GDPR and EU AI Act obligations

CV screening and ranking tools Video interview analysis Predictive candidate scoring Automated shortlisting Psychometric assessment platforms Chatbot-led initial screening
Source: gdpr-info.eu — Articles 22 and 35 · EUR-Lex — EU AI Act 2024/1689 © EmployerRecords

GDPR Enforcement: Real Fines in Hiring and Employment Contexts

Enforcement over the past few years has made one thing clear: recruitment and employment data are not a low-risk area. Regulators across the EU have issued fines for issues that show up in everyday hiring workflows: retaining candidate data too long, weak access controls, ignoring subject access requests, or using monitoring tools without a legal basis.

The patterns are consistent. Storage limitations, security, and transparency failures come up repeatedly, and they’re being enforced.

The size of fines varies by country, but the direction is the same. German authorities have issued some of the largest employment-related penalties. In the Netherlands, regulators have taken action against unlawful processing of employee data. Sweden has fined companies specifically for holding candidate data beyond acceptable retention periods, a clear signal that these rules are being actively checked.

What stands out is who gets hit hardest. It’s often not large enterprises, but mid-sized companies with informal processes, shared inboxes, unclear ownership of data, no defined retention policy, and limited training. For these organisations, even a moderate fine can have a serious financial impact.

The cases below reflect common failure points in hiring. None of them are edge cases, they’re the kind of issues that show up when processes aren’t clearly defined or consistently followed.

GDPR enforcement in hiring — real fines, real failures, real lessons

€35.3M largest HR-related fine · 5 countries with HR-context fines below · 2018–2025 enforcement period covered

🇩🇪 H&M — Hamburg DPA, Germany — 2020: €35.3 million

Violation: Systematic employee monitoring and profiling. Personal details from return-to-work and holiday conversations were recorded and stored without a lawful basis.

GDPR breach: Articles 5, 6, and 9 — unlawful processing of special category data including health and family situation information

Hiring lesson: Any notes taken about candidates or employees — including notes of informal verbal conversations — constitute personal data subject to GDPR

🇬🇷 Teleperformance — HDPA, Greece — 2021: €150,000

Violation: Unlawful employee monitoring via webcam during remote work with no transparency, consent, or legal basis communicated to workers.

GDPR breach: Articles 5, 6, and 13 — failure to inform employees and absence of a lawful basis for continuous video monitoring

Hiring lesson: Remote monitoring tools must have a documented lawful basis and be disclosed in employment documentation from day one

🇸🇪 Swedish employer — IMY, Sweden — retention fine: amount confidential

Violation: Retention of unsuccessful candidate application data significantly beyond any reasonable or documented retention period.

GDPR breach: Article 5(1)(e) — storage limitation. Data held for longer than necessary for its stated purpose.

Hiring lesson: ATS auto-deletion triggers are the most reliable operational safeguard. Retention policies must be enforced, not just documented.

🇳🇱 Employer — Autoriteit Persoonsgegevens, Netherlands: amount undisclosed

Violation: Requesting and recording medical information from candidates during recruitment and onboarding without a lawful basis.

GDPR breach: Article 9 — special category data. Health information cannot be processed during recruitment without explicit consent or a specific legal obligation.

Hiring lesson: Medical questionnaires and disability disclosures cannot be requested at application stage unless a specific legal exemption applies.

🇵🇱 Multiple employers — UODO, Poland — SAR failures: multiple fines

Violation: Failure to respond to Subject Access Requests from former candidates within the statutory one-month deadline.

GDPR breach: Article 15 — right of access. Failure to respond within one month (extendable by two further months for complex or numerous requests under Article 12(3), provided the candidate is told of the extension and the reasons within the first month) is a standalone enforceable violation regardless of other compliance status.

Hiring lesson: A SAR process must exist before a request arrives. Designate a SAR owner and document the response workflow in advance.

The five failure patterns behind most HR enforcement actions

No lawful basis documented before processing begins
Candidate data retained past the permissible window
Special category data collected without explicit consent
SAR responses missed or delayed beyond one month
Monitoring tools deployed without transparency or legal basis
Source: enforcementtracker.com · National DPA records · EmployerRecords — GDPR And Data Privacy In Global Hiring © EmployerRecords

GDPR Compliance Checklist for Global Hiring

The sections above cover the legal framework in depth. This checklist translates that framework into the operational steps a global hiring team needs to complete before running a compliant recruitment process. It is structured in the order these steps should be completed, from pre-process setup through to post-process data handling.

GDPR compliance checklist — global hiring, phase by phase

1. Before the process opens (setup phase)

Identify and document the lawful basis for each processing activity in the hiring process

Draft or update the candidate-facing privacy notice — available at point of application

Audit the application form — remove fields not strictly necessary for the hiring decision

Conduct a DPIA if the process involves AI screening, large-scale profiling, or special category data

Sign a compliant Article 28 DPA with every vendor that will receive candidate data

Confirm the cross-border transfer mechanism for any non-EU destination country

2. During recruitment (active phase)

Confirm privacy notice is visible and accessible at every application entry point

Store interview notes in the ATS or a controlled location — not personal email or shared drives

Verify AI screening tools have a genuine human review step before any rejection is finalised

Log all instances of candidate data shared with third parties — recruiters, screeners, panel interviewers

Do not request special category data unless a specific legal exemption applies and is documented

3. After a hiring decision (closure phase)

Trigger deletion of unsuccessful candidate data at the end of your documented retention window

If retaining in a talent pool, issue a specific consent request — separate from the original application

Transfer hired candidate’s pre-employment data to their employment file with employment-law retention periods applied

Update your Records of Processing Activities to reflect the completed recruitment cycle

4. Ongoing obligations (always on)

Respond to all Subject Access Requests within one calendar month (extendable by two further months for complex requests only if the candidate is told within the first month) — designate a named owner

Review and update retention schedules annually — confirm ATS auto-deletion is functioning

Audit all vendors annually — re-confirm DPAs are current and review sub-processor changes

Train all HR staff and hiring managers on GDPR obligations — document training completion

Review cross-border transfer mechanisms annually and update SCCs if new versions are issued

+ EOR-specific steps (if using an EOR)

Confirm a compliant Article 28 DPA is signed with the EOR before any candidate data is shared

Document the controller-processor split in writing — confirm your organisation is the data controller

Confirm the EOR can support Subject Access Request responses within the one-month deadline

Review the EOR’s sub-processor list — confirm sub-processors meet GDPR standards

Assess whether any EOR processing creates a joint controller scenario — if so, execute an Article 26 agreement

Source: EmployerRecords — GDPR And Data Privacy In Global Hiring © EmployerRecords
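The retention sweep that the Swedish IMY card and the closure-phase checklist call for, written out as an added example; this is not code from the article or from any ATS vendor. It runs over constructed candidate records and applies three rules: unsuccessful candidates are erased once the documented window after the requisition closed has passed; talent-pool candidates are kept only while a separate, dated consent is in force, and a pool flag without such consent is treated as a rejection because the original application consent does not cover a talent pool; hired candidates are handed over to the employment file rather than deleted. The record fields, the 180-day window and the 365-day consent lifetime are assumptions chosen for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy values for this example; the article cites 6 to 12 months
# after process close as the window most supervisory authorities accept.
RETENTION_DAYS = 180        # erase unsuccessful candidates 180 days after close
POOL_CONSENT_DAYS = 365     # a separate talent-pool consent lapses after a year


@dataclass
class Candidate:
    candidate_id: str
    status: str                                 # "rejected", "withdrawn", "hired" or "pool"
    process_closed: Optional[date]              # None while the requisition is still open
    pool_consent_given: Optional[date] = None   # date of the separate talent-pool consent


@dataclass
class SweepResult:
    delete: list[str] = field(default_factory=list)      # ids to erase now
    transfer: list[str] = field(default_factory=list)    # hired: move to the employment file
    keep: dict[str, Optional[date]] = field(default_factory=dict)  # id -> next due date


def deletion_due(c: Candidate) -> Optional[date]:
    """Date on which the recruitment-stage basis for holding the record ends.

    Returns None while the requisition is open: the original purpose still applies.
    """
    if c.status == "pool" and c.pool_consent_given is not None:
        # Consent is the basis for the pool. It must be specific and dated, and it lapses.
        return c.pool_consent_given + timedelta(days=POOL_CONSENT_DAYS)
    if c.process_closed is None:
        return None
    # A "pool" record without its own consent is treated exactly like a rejection:
    # the consent given in the original application does not cover a talent pool.
    return c.process_closed + timedelta(days=RETENTION_DAYS)


def sweep(candidates: list[Candidate], today: date) -> SweepResult:
    """Classify every record as delete / transfer / keep for the given sweep date."""
    result = SweepResult()
    for c in candidates:
        if c.status == "hired":
            # Pre-employment data follows the employee; employment-law retention applies.
            result.transfer.append(c.candidate_id)
            continue
        due = deletion_due(c)
        if due is not None and due <= today:
            result.delete.append(c.candidate_id)
        else:
            result.keep[c.candidate_id] = due
    return result


# Constructed sample records; not real candidates.
SAMPLE = [
    Candidate("c-001", "rejected", date(2025, 1, 10)),   # closed well over 180 days ago
    Candidate("c-002", "rejected", date(2025, 9, 1)),    # still inside the window
    Candidate("c-003", "withdrawn", None),               # requisition still open
    Candidate("c-004", "hired", date(2025, 1, 10)),
    Candidate("c-005", "pool", date(2025, 1, 10), pool_consent_given=date(2025, 3, 1)),
    Candidate("c-006", "pool", date(2025, 1, 10)),       # pool flag, no separate consent
]


def run_sample(today_iso: str = "2025-10-01") -> SweepResult:
    """Sweep the sample set as of the given ISO date (default is the example's 'today')."""
    return sweep(SAMPLE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    r = run_sample()
    print("erase now:  ", r.delete)      # ['c-001', 'c-006']
    print("to HR file: ", r.transfer)    # ['c-004']
    print("keep (due): ", {k: str(v) for k, v in r.keep.items()})
```

Run it from a scheduled job against the live ATS export and act on `delete` and `transfer`; anything left in `keep` with a due date is the next sweep’s work, and a `None` due date means the requisition is still open. Log the ids erased together with the policy version in force, so the retention schedule can be shown to a supervisory authority as enforced rather than merely documented.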

Conclusion

GDPR compliance in global hiring isn’t a one-time fix. It shows up in everyday decisions: what data you collect, where it’s stored, who has access to it, and how consistently your team follows the process.

The risk isn’t theoretical. Enforcement has made that clear. Most fines don’t come from edge cases; they come from routine gaps: keeping data too long, weak vendor controls, missed data requests, or relying on tools that no one is properly overseeing.

Using an EOR doesn’t remove that responsibility. You’re still accountable for how candidate data is handled, and that means treating the EOR like any other critical data vendor, with clear roles, contracts, and oversight.

If there’s one takeaway, it’s this: compliance comes from execution, not documentation. The teams that get this right build simple, repeatable processes and stick to them. Everything else (policies, frameworks, tooling) only works if those processes are actually followed.

Manjuri Dutta
Manjuri Dutta is the co-founder and Content Editor at Employer Records, a platform specialized in discovering best Employer-of-Record services for global hiring. She brings a thoughtful and expert voice to articles designed to inform HR leaders, practitioners, and tech buyers alike.