The General Data Protection Regulation (GDPR) requires recruiting teams to have a lawful basis for processing every piece of candidate data they collect, store, or share. Violations carry fines up to EUR 20 million or 4% of global annual turnover. If your team sources candidates in the EU, stores resumes from EU applicants, or uses AI tools that process EU candidate profiles, GDPR compliance applies regardless of where your company is headquartered.

Enforcement numbers make the risk concrete. EU regulators have issued 2,781 GDPR fines totaling EUR 6.8 billion since May 2018, with 193 of those fines - worth EUR 360.9 million - targeting the employment sector specifically (GDPR Enforcement Tracker, February 2026). Data breach notifications across Europe hit 443 per day in 2025, a 22% jump from the prior year (DLA Piper, January 2026). Recruiting teams handle some of the most sensitive personal data in any organization, and regulators are paying attention.

TL;DR:

  • GDPR needs a lawful basis for every data touch. Consent, legitimate interest, or contract must justify collecting, storing, or sharing each piece of candidate data.
  • Enforcement is material. EUR 6.8B in cumulative fines since 2018, with 193 employment-sector fines worth EUR 360.9M (GDPR Enforcement Tracker, 2026). Max penalties hit EUR 20M or 4% of global turnover.
  • Seven core rules govern recruiting. Lawful basis, data minimization, transparency, DSAR rights, retention limits, secure cross-border transfers, and automated-decision safeguards.
  • Timelines and retention are strict. Honor data access and deletion requests within one month of receipt (Article 12(3), extendable by up to two further months for complex requests); limit candidate retention to 6-12 months unless you have documented legitimate grounds to keep longer.
  • AI tools require a DPIA. Any automated screening, scoring, or ranking of EU candidates needs a documented Data Protection Impact Assessment before deployment.

What Does GDPR Require From Recruiting Teams?

Any organization that processes personal data of people in the EU falls within GDPR’s scope (Article 3), regardless of where it is established - and recruitment involves enormous volumes of it. Names, email addresses, phone numbers, work history, education, salary expectations, interview notes, assessment scores: all of this qualifies as personal data under the regulation. Some of it - like health information, ethnic origin, or disability status that candidates may disclose - qualifies as special category data (Article 9) with even stricter protections.

Recruiting teams face seven core GDPR compliance obligations:

  • Establish a lawful basis to process candidate data
  • Collect only the minimum data necessary
  • Be transparent about what you collect and why
  • Honor candidates’ rights to access, correct, and delete their data
  • Set strict data retention limits
  • Secure cross-border data transfers with proper legal mechanisms
  • Manage automated decision-making when AI tools are involved

Neither a 10-person startup nor a Fortune 500 company gets an exemption. Operating with EU candidate data puts you in scope. Here’s what each rule means in practice.

What we’re seeing from customers. Teams that struggle most with GDPR compliance often aren’t using the wrong tools. They built their recruiting stacks piece by piece, without ever mapping where candidate data actually sits. When customers bring Pin into their workflow, one of the first exercises is vendor data mapping: what does each tool hold, and how do you delete it? The answers are almost always surprising. Candidate profiles sit in downloaded CSVs, archived accounts that were never properly closed, and email threads from sourcing runs years ago. Building Pin with data-protection-by-default - no candidate names, gender, or protected characteristics ever enter our matching algorithm - was a deliberate architectural choice. It simplifies lawful basis documentation and reduces exposure under Articles 22 and 35. Data minimization extends to every tool in the stack, not just sourcing. The one-month SAR clock doesn’t care which system the data lives in.

How Should Recruiters Handle Candidate Data Collection?

Recruiters must establish a lawful basis for each type of candidate data, collect only what’s necessary for the hiring decision, disclose their data processing clearly, and honor deletion or access requests within one month. All four requirements govern every step of candidate data collection and processing.

Rule 1: Establish a Lawful Basis for Processing

Every piece of candidate data you process needs one of six lawful bases under GDPR Article 6. Two of the six lawful bases matter most for recruiting: legitimate interest and consent.

Legitimate interest is the most common basis for active recruitment. When a recruiter reaches out to a candidate about a specific open role, the company has a legitimate interest in processing that person’s professional data. Legitimate interest requires a three-part balancing test, per the ICO: the interest must be real and present, the processing must be necessary, and the candidate’s rights must not override your interest.

Consent is required when you want to keep candidate data beyond a specific recruitment process - for example, adding someone to a talent pool for future roles. Consent must be freely given, specific, informed, and unambiguous. A pre-ticked checkbox on your careers page doesn’t qualify. Neither does burying consent language in a privacy policy that nobody reads.

Getting this wrong is expensive. The Irish Data Protection Commission fined LinkedIn EUR 310 million in October 2024 for relying on invalid consent and unlawful legitimate interest claims for behavioral profiling of its members (Irish DPC, 2024). That fine didn’t involve recruiting directly, but the principle applies whenever you profile candidates without a proper lawful basis.

Rule 2: Practice Data Minimization

Collect only the data you actually need for the recruitment decision. GDPR Article 5(1)(c) requires that personal data be “adequate, relevant and limited to what is necessary.” In practice, this means you shouldn’t ask candidates for their date of birth, marital status, nationality, or social security number at the application stage. You don’t need it to evaluate whether they can do the job.

Sourcing operates by the same principle. If your AI sourcing tool pulls in data points that aren’t relevant to the role - social media activity, personal photos, family information - that’s likely excessive processing.

Rule 3: Be Transparent About Data Use

Candidates must know what data you’re collecting, why you need it, how long you’ll keep it, and who you’ll share it with. This information should appear in a clear privacy notice - not hidden in legal boilerplate. Under Articles 13 and 14, you must provide this notice at the point of data collection (for data collected directly from candidates) or within a reasonable period and at the latest within one month (for data sourced from third parties like LinkedIn profiles or candidate databases).

Screening or ranking candidates with AI tools also requires disclosure. More on this in the AI section below.

Rule 4: Honor Candidate Data Rights

Under GDPR, candidates hold a set of enforceable rights over their personal data. Recruiting teams must respond to these requests without undue delay and within one month of receipt; the deadline can be extended by up to two further months for complex or numerous requests, provided the candidate is told why within the first month (Article 12(3); ICO, recruitment guidance).

Right                                    | What It Means for Recruiters                                     | Deadline
Right of access (Subject Access Request) | Candidate can request all data you hold about them               | One month
Right to erasure                         | Candidate can ask you to delete their data                       | One month
Right to rectification                   | Candidate can correct inaccurate data                            | One month
Right to data portability                | Candidate can request data in a machine-readable format          | One month
Right to object                          | Candidate can object to processing based on legitimate interest  | Must cease unless compelling legitimate grounds exist

Consider the practical challenge: when a candidate sends a Subject Access Request, can your team actually find all the places their data lives? Their resume in your ATS, notes in your CRM, messages in your team inbox, scoring data in your AI screening tool, records in your interview scheduling platform. Many recruiting teams discover their data is scattered across a dozen systems with no single view.

Build a data map before a request comes in, not after. Identify every system where candidate data is stored, who has access, and how to export or delete records from each one. The one-month clock starts when you receive the request - not when you figure out where the data sits.

What Are the Rules for Data Retention, Transfers, and AI?

Rule 5: Set Strict Data Retention Limits

No exact retention period is named in GDPR for candidate data; the storage limitation principle (Article 5(1)(e)) only requires that data be kept no longer than necessary for its purpose. Guidance from the European Data Protection Supervisor and the ICO is consistent: retain unsuccessful candidate data no longer than 6 to 12 months, or longer only with explicit consent.

In November 2024, the ICO audited AI recruitment tool providers and found that some were retaining candidate data indefinitely to build large databases - without candidates’ knowledge (ICO, November 2024). That’s a direct GDPR violation. Your retention policy should specify exactly how long you keep data for each purpose: active applications (duration of hiring process plus a reasonable buffer), talent pools (with consent, typically 12-24 months with renewal), and interview records (6 months maximum for unsuccessful candidates).
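The retention schedule above only works if something enforces it. The following is an added example, not code from the original page or from Pin: a purpose-based retention check that a scheduled job could run against a candidate store. The record fields, the purpose names, and the exact limits (a 30-day post-decision buffer plus 6 months for unsuccessful candidates, 6 months for interview records, consent-bound talent-pool entries) are assumptions that mirror the policy sketched above; a legal hold overrides the schedule, withdrawn consent purges immediately, and records with no documented purpose are surfaced for review rather than silently kept or destroyed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention limits per purpose, measured from the event that starts the clock.
# These figures mirror the policy sketched in the article; they are assumptions
# for this example, not legal requirements.
POST_DECISION_BUFFER = timedelta(days=30)        # "reasonable buffer" after a decision
UNSUCCESSFUL_CANDIDATE_LIMIT = timedelta(days=183)  # roughly 6 months
INTERVIEW_RECORD_LIMIT = timedelta(days=183)


@dataclass
class CandidateRecord:
    record_id: str
    purpose: str                                   # active_application | talent_pool | interview_record
    created_at: datetime                           # when processing for this purpose began
    process_closed_at: Optional[datetime] = None   # hiring decision date, if reached
    consent_expires_at: Optional[datetime] = None  # talent-pool consent expiry, if recorded
    consent_withdrawn: bool = False
    legal_hold: bool = False                       # e.g. a pending discrimination claim


def retention_decision(rec: CandidateRecord, now: datetime) -> tuple:
    """Classify one record as ("keep" | "purge" | "review", reason)."""
    if rec.legal_hold:
        return "keep", "legal hold overrides the retention schedule"
    if rec.consent_withdrawn:
        return "purge", "consent withdrawn"

    if rec.purpose == "active_application":
        if rec.process_closed_at is None:
            return "keep", "hiring process still open"
        # After the decision the record is unsuccessful-candidate data
        # (successful hires move to an HR system and are out of scope here).
        if now - rec.process_closed_at > POST_DECISION_BUFFER + UNSUCCESSFUL_CANDIDATE_LIMIT:
            return "purge", "unsuccessful candidate beyond retention limit"
        return "keep", "within post-decision retention window"

    if rec.purpose == "talent_pool":
        if rec.consent_expires_at is None:
            return "purge", "talent pool entry with no recorded consent"
        if now >= rec.consent_expires_at:
            return "purge", "talent-pool consent expired and not renewed"
        return "keep", "talent-pool consent still valid"

    if rec.purpose == "interview_record":
        clock_start = rec.process_closed_at or rec.created_at
        if now - clock_start > INTERVIEW_RECORD_LIMIT:
            return "purge", "interview record older than 6 months"
        return "keep", "interview record within retention limit"

    # Undocumented purpose: neither keep nor delete silently, make a human look.
    return "review", f"no retention rule for purpose {rec.purpose!r}"


def select_for_purge(records, now: datetime) -> dict:
    """Return {record_id: reason} for every record the schedule says to delete."""
    out = {}
    for rec in records:
        verdict, why = retention_decision(rec, now)
        if verdict == "purge":
            out[rec.record_id] = why
    return out


def needs_review(records, now: datetime) -> list:
    return [r.record_id for r in records if retention_decision(r, now)[0] == "review"]


# Constructed sample store (not real candidate data), evaluated at a fixed date.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
_d = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    CandidateRecord("app-1", "active_application", _d(2025, 12, 1)),
    CandidateRecord("app-2", "active_application", _d(2025, 3, 1), process_closed_at=_d(2025, 4, 15)),
    CandidateRecord("app-3", "active_application", _d(2025, 9, 1), process_closed_at=_d(2025, 11, 1)),
    CandidateRecord("pool-1", "talent_pool", _d(2025, 12, 1), consent_expires_at=_d(2026, 12, 1)),
    CandidateRecord("pool-2", "talent_pool", _d(2025, 1, 15), consent_expires_at=_d(2026, 1, 15)),
    CandidateRecord("pool-3", "talent_pool", _d(2024, 6, 1)),  # sourced profile, consent never recorded
    CandidateRecord("pool-4", "talent_pool", _d(2026, 1, 1), consent_expires_at=_d(2027, 1, 1),
                    consent_withdrawn=True),
    CandidateRecord("int-1", "interview_record", _d(2025, 7, 1), process_closed_at=_d(2025, 7, 20)),
    CandidateRecord("int-2", "interview_record", _d(2025, 7, 1), process_closed_at=_d(2025, 7, 20),
                    legal_hold=True),
    CandidateRecord("misc-1", "legacy_csv_export", _d(2023, 2, 1)),  # the kind of record a data map turns up
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        verdict, why = retention_decision(rec, NOW)
        print(f"{rec.record_id:8} {verdict:7} {why}")
```

Running it against the constructed store purges app-2, pool-2, pool-3, pool-4 and int-1, keeps int-2 on legal hold, and lists misc-1 for review. The "review" outcome is deliberate: a job that auto-deletes anything it does not recognise is as dangerous as one that keeps everything, and the undocumented CSV export is exactly the record that should trigger a conversation rather than an automatic action.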

Rule 6: Secure Cross-Border Data Transfers

If you’re a US company sourcing EU candidates - or if your recruiting tools store data on US servers - you need a legal transfer mechanism. This is where many hiring teams unknowingly fall out of compliance. Uber was fined EUR 290 million by the Dutch Data Protection Authority (DPA) in July 2024 for transferring European drivers’ personal data to US servers without adequate safeguards for over two years (GDPR Enforcement Tracker).

Options for EU-to-US data transfers include:

  • EU-US Data Privacy Framework (DPF) - The primary mechanism for US companies. The European General Court upheld the DPF in September 2025, though a further CJEU challenge is pending (ITIC, September 2025). US companies must self-certify under the DPF through the Department of Commerce.
  • Standard Contractual Clauses (SCCs) - Pre-approved contract templates from the European Commission that bind the data importer to EU-level protections. The usual mechanism for vendors that are not DPF-certified, and a sensible backup alongside DPF certification; since Schrems II, SCCs must be paired with a transfer impact assessment and any supplementary measures it calls for.
  • Binding Corporate Rules (BCRs) - For multinational companies transferring data internally. Complex to set up but durable once approved.

Which mechanism should you use? US companies should start with DPF self-certification - it’s the fastest path. But don’t rely on it alone. The pending CJEU challenge means the DPF could be invalidated (as happened twice before with Safe Harbor and Privacy Shield). Put SCCs in place as a backup so your data flows aren’t disrupted if the legal landscape shifts again.

More detail on building compliant cross-border hiring processes is available in our guide on how to hire EU talent as a US company.

Rule 7: Manage Automated Decision-Making Under Article 22

Article 22 of the GDPR restricts decisions based solely on automated processing that produce legal or similarly significant effects. In recruiting, this means: if your AI tool automatically rejects candidates without any human review, that likely violates Article 22.

Automated resume screeners that auto-reject below a threshold, chatbot screening that eliminates candidates by keyword, and ranking algorithms that hide candidates from recruiters - all fall under this restriction. The key word is “solely” - if a human recruiter reviews and makes the final decision, Article 22 is less likely to apply. But the human review must be meaningful, not a rubber stamp.

Candidates also have the right to request human intervention, express their point of view, and contest the decision. Your AI recruiting workflow needs a clear process for handling these requests.
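Whether human review is “meaningful” is something you can check after the fact if the tool logs both the model’s recommendation and the human’s decision. The following is an added example, not code from the original page or from any vendor: it parses a constructed JSON-lines audit log, flags candidates whose outcome was applied with no human decision at all (the Article 22 exposure), and computes per-reviewer agreement rate and median review time to spot reviewers who accept the model’s output almost instantly. The log format, field names, and the flagging thresholds (five or more decisions, 95% agreement, median under 30 seconds) are assumptions for this example, not figures from any regulator.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import median

# Thresholds for flagging a reviewer as a likely rubber stamp. Assumptions for
# this example; tune them against your own volumes and review workflow.
MIN_SAMPLE = 5            # don't judge a reviewer on fewer decisions than this
MAX_AGREEMENT = 0.95      # agreeing with the model this often is suspicious...
MAX_MEDIAN_SECONDS = 30   # ...when the median review also takes under 30 seconds

# Constructed sample audit log (JSON lines, not from any real system). Each line
# pairs the model's recommendation with the human's final decision on the same
# candidate. "alice" accepts every recommendation within seconds; "bob" takes
# minutes and overrides two of five; c12 was never seen by a human at all.
SAMPLE_LOG = "\n".join([
    '{"candidate":"c1","reviewer":"alice","ai_recommendation":"reject","ai_at":"2026-02-10T09:00:00","human_decision":"reject","human_at":"2026-02-10T09:00:03"}',
    '{"candidate":"c2","reviewer":"alice","ai_recommendation":"advance","ai_at":"2026-02-10T09:01:00","human_decision":"advance","human_at":"2026-02-10T09:01:04"}',
    '{"candidate":"c3","reviewer":"alice","ai_recommendation":"reject","ai_at":"2026-02-10T09:02:00","human_decision":"reject","human_at":"2026-02-10T09:02:02"}',
    '{"candidate":"c4","reviewer":"alice","ai_recommendation":"reject","ai_at":"2026-02-10T09:03:00","human_decision":"reject","human_at":"2026-02-10T09:03:05"}',
    '{"candidate":"c5","reviewer":"alice","ai_recommendation":"advance","ai_at":"2026-02-10T09:04:00","human_decision":"advance","human_at":"2026-02-10T09:04:03"}',
    '{"candidate":"c6","reviewer":"alice","ai_recommendation":"reject","ai_at":"2026-02-10T09:05:00","human_decision":"reject","human_at":"2026-02-10T09:05:04"}',
    '{"candidate":"c7","reviewer":"bob","ai_recommendation":"reject","ai_at":"2026-02-10T10:00:00","human_decision":"advance","human_at":"2026-02-10T10:02:00"}',
    '{"candidate":"c8","reviewer":"bob","ai_recommendation":"reject","ai_at":"2026-02-10T10:10:00","human_decision":"reject","human_at":"2026-02-10T10:15:00"}',
    '{"candidate":"c9","reviewer":"bob","ai_recommendation":"advance","ai_at":"2026-02-10T10:20:00","human_decision":"advance","human_at":"2026-02-10T10:21:35"}',
    '{"candidate":"c10","reviewer":"bob","ai_recommendation":"reject","ai_at":"2026-02-10T10:30:00","human_decision":"advance","human_at":"2026-02-10T10:34:00"}',
    '{"candidate":"c11","reviewer":"bob","ai_recommendation":"advance","ai_at":"2026-02-10T10:40:00","human_decision":"advance","human_at":"2026-02-10T10:43:00"}',
    '{"candidate":"c12","reviewer":null,"ai_recommendation":"reject","ai_at":"2026-02-10T11:00:00","human_decision":null,"human_at":null}',
])


def parse_log(text: str) -> list:
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def solely_automated(events: list) -> list:
    """Candidates whose outcome was applied with no recorded human decision."""
    return [e["candidate"] for e in events if e.get("human_decision") is None]


def reviewer_stats(events: list) -> dict:
    """Per-reviewer agreement with the model and median time-to-decision."""
    per_reviewer = defaultdict(list)
    for e in events:
        if e.get("human_decision") is None:
            continue  # counted by solely_automated(), not attributable to a reviewer
        agreed = e["human_decision"] == e["ai_recommendation"]
        seconds = (datetime.fromisoformat(e["human_at"])
                   - datetime.fromisoformat(e["ai_at"])).total_seconds()
        per_reviewer[e["reviewer"]].append((agreed, seconds))

    stats = {}
    for reviewer, rows in per_reviewer.items():
        n = len(rows)
        agreement = sum(1 for agreed, _ in rows if agreed) / n
        med = median(seconds for _, seconds in rows)
        stats[reviewer] = {
            "decisions": n,
            "agreement_rate": agreement,
            "median_seconds": med,
            "likely_rubber_stamp": (n >= MIN_SAMPLE
                                    and agreement >= MAX_AGREEMENT
                                    and med <= MAX_MEDIAN_SECONDS),
        }
    return stats


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("no human decision:", solely_automated(events))
    for reviewer, s in reviewer_stats(events).items():
        print(reviewer, s)
```

On the constructed log, alice is flagged (100% agreement, median 3.5 seconds over six decisions) and bob is not (60% agreement, median 180 seconds), while c12 is reported as a decision with no human in the loop. Neither metric proves or disproves meaningful review on its own; the point is that the audit log has to carry both sides of the decision, with timestamps, before the question can be answered at all.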

Which GDPR Fines Should Recruiting Teams Know About?

EU regulators have issued 193 GDPR fines in the employment sector, totaling EUR 360.9 million, with individual penalties reaching EUR 310 million for a single company (GDPR Enforcement Tracker, February 2026). Three recent enforcement actions are directly relevant to how recruiting teams collect, store, and transfer candidate data.

Largest GDPR Fines Relevant to Recruiting
Three largest GDPR fines relevant to recruiting: LinkedIn EUR 310M (October 2024), Uber EUR 290M (July 2024), Clearview AI EUR 30.5M (September 2024). Source: GDPR Enforcement Tracker, Irish DPC, Dutch DPA.

LinkedIn - EUR 310 million (October 2024). The Irish Data Protection Commission found that LinkedIn processed member data for behavioral advertising using invalid consent mechanisms and unlawful reliance on legitimate interest. Recruiters should read this as a warning about how candidate profiling data is collected and used. If your sourcing tool builds behavioral profiles of candidates without proper legal basis, you’re in the same territory.

Uber - EUR 290 million (July 2024). The Dutch DPA found that Uber transferred European drivers’ personal data to US servers for over two years without adequate safeguards after the Privacy Shield framework was invalidated. Any recruiting team using US-based tools to store EU candidate data without DPF certification or SCCs faces the same transfer risk.

Clearview AI - EUR 30.5 million (September 2024). The Dutch DPA fined Clearview AI for scraping facial images from the internet without consent to build a facial recognition database. This directly parallels how some recruiting tools scrape candidate profiles from public sources without a lawful basis - a practice the ICO flagged in its November 2024 audit of AI recruitment tools.

Across all three enforcement actions, a clear pattern emerges: regulators are cracking down on data processing that happens without proper legal basis, adequate transparency, or appropriate transfer mechanisms. None of this is theoretical. These are the exact activities recruiting teams perform daily.

What makes these fines especially notable: they target both the companies that collect data (LinkedIn, Uber) and the companies that build tools with that data (Clearview AI). As a recruiting team, you’re potentially liable for your own data practices and your choice of vendors. Due diligence on the tools in your stack isn’t optional - it’s a compliance obligation.

How Does GDPR Apply to AI Recruiting Tools?

ICO auditors reviewed AI recruitment tool providers in November 2024 and issued nearly 300 recommendations - all of which were accepted or partially accepted (ICO, November 2024). Findings revealed serious gaps in how AI tools handle candidate data.

Among the most alarming findings: some AI recruitment tools allowed recruiters to filter candidates by protected characteristics including gender, ethnicity, and age inferred from names and other data. Others retained candidate data indefinitely to build large databases without candidate knowledge. These practices violate both GDPR’s data minimization and purpose limitation principles.

Three specific GDPR obligations govern teams using AI in recruiting:

  • Transparency - Under Articles 13-14, candidates must be told when AI is being used to process their data and make decisions about them. This includes AI sourcing, screening, matching, and ranking.
  • Automated decision-making limits - Article 22 restricts fully automated decisions with significant effects. AI that auto-rejects candidates needs human oversight.
  • Data Protection Impact Assessments - Under Article 35, DPIAs are required for processing that’s likely to result in high risk to individuals. AI-powered recruitment screening almost always meets this threshold.

Published in December 2024, the European Data Protection Board (EDPB)‘s Opinion 28/2024 added another layer. If an AI model was trained on unlawfully processed personal data, that model’s deployment may itself be unlawful - even if the current processing appears compliant. For recruiting teams, this means asking your AI vendors not just how they process data today, but how they trained their models in the first place.

Those same GDPR obligations overlap significantly with the EU AI Act, which classifies recruiting AI as high-risk under Annex III and adds its own compliance requirements that apply from August 2, 2026. The Act’s Article 5 prohibitions have applied since February 2, 2025, and they ban emotion recognition AI in the workplace except for medical or safety reasons - if any of your interview tools analyze facial expressions or voice tone to infer a candidate’s emotional state, that’s already illegal. Teams that address both regulations together will avoid duplicating compliance work.

One thing worth noting: GDPR regulates what data you collect and how you process it. The EU AI Act regulates the decisions your tools make with that data. Both apply simultaneously. A recruiting AI tool that processes data lawfully under GDPR can still violate the EU AI Act if it lacks documentation, human oversight, or bias monitoring. Think of them as parallel requirements, not alternatives.

How Do You Run a DPIA for AI Recruiting Tools?

Data Protection Impact Assessments (DPIAs) are structured processes for identifying and minimizing data protection risks before they cause harm. GDPR Article 35 requires one for any processing likely to result in high risk to individuals - and AI-powered candidate screening, matching, and ranking almost always meets that threshold.

Most compliance guides skip the practical steps. Here’s a seven-step checklist for running a DPIA on your recruiting AI.

  1. Describe the processing - Document exactly what candidate data your AI tool collects, how it processes that data (matching algorithms, scoring models, ranking logic), and what outputs it produces. Include data flows between systems.
  2. Identify the lawful basis - For each processing activity, specify whether you rely on legitimate interest, consent, or contractual necessity. Document your legitimate interest assessment if applicable.
  3. Assess necessity and proportionality - Can you achieve the same recruitment outcome with less data? If you’re pulling in 50 data points per candidate but only 10 are relevant to the hiring decision, that’s disproportionate processing.
  4. Identify risks to candidates - Consider: discrimination from biased algorithms, unfair exclusion from automated screening, lack of transparency about how decisions are made, data security risks, and excessive data retention.
  5. Document mitigation measures - For each risk, specify what controls are in place. Bias auditing? Human oversight at decision points? Candidate notification? Data retention limits? Encryption and access controls?
  6. Consult your DPO - If your organization has a Data Protection Officer, they must be consulted during the DPIA. If you don’t have a DPO, work with your legal or privacy team.
  7. Review and update regularly - A DPIA isn’t a one-time exercise. Review it when you change AI tools, modify workflows, or when your vendor pushes significant model updates.

Treat the DPIA as a living document. When the EU AI Act’s high-risk obligations take effect in August 2026, your DPIA can serve as a foundation for the Act’s required risk management system. For more on how data security certifications fit into this picture, see our guide on SOC 2 compliance for recruiting software.

What Should GDPR-Compliant Recruiting Software Include?

Five capabilities define GDPR-compliant recruiting software: consent management, automated data retention, SAR handling, bias-free AI architecture, and a full audit trail. ICO’s November 2024 audit found that most AI recruitment tools failed on at least two of these five areas - particularly around data retention and protected characteristic filtering.

  • Consent management - The tool should make it easy to collect, record, and withdraw consent for talent pool retention. Candidates should be able to opt out with one click, and the system should automatically purge data when consent expires.
  • Automated data retention - Look for tools that enforce retention policies automatically. Manual deletion is error-prone. The system should flag and purge candidate data that exceeds your defined retention period.
  • Subject access request handling - When a candidate asks for their data, can you pull everything from one place? The tool should aggregate all candidate data - profiles, messages, scores, notes - into a single exportable record.
  • Bias-free AI architecture - The ICO’s audit found AI tools filtering candidates by protected characteristics. Your tool’s AI should structurally exclude protected data from decision-making - not just apply a post-processing filter. Pin’s AI scans 850M+ candidate profiles without ever receiving candidate names, gender, or protected characteristics at any step. As Colleen Riccinto, Founder of Cyber Talent Search, puts it: “What I love about Pin is that it takes the critical thinking your brain already does and puts it on steroids. I can target specific company types and industries in my search and let the software handle the kind of strategic thinking I’d normally have to do on my own.”
  • Audit trail and logging - The tool should log every AI-driven decision: which candidates were surfaced, ranked, filtered, and why. These logs are essential for both GDPR accountability and reducing hiring bias.

Pin is SOC 2 Type 2 certified with encryption at rest and in transit, and its public trust center documents compliance certifications transparently. For EU-facing recruiting teams, Pin sets the standard for GDPR-by-default architecture among AI recruiting platforms - the highest-rated on G2 (4.8/5), with zero demographic data fed to the matching algorithm at any step.

Source candidates with GDPR-compliant AI - try Pin free

Evaluating your full recruiting tech stack against these criteria? Our guide to the best AI recruiting tools in 2026 includes compliance as a key evaluation factor.

Frequently Asked Questions

What does GDPR compliant mean?

Being GDPR compliant means an organization lawfully collects, stores, processes, and deletes personal data according to the Article 5 principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Practically, this means documenting a lawful basis for each data touch, responding to candidate rights requests within one month, and ensuring every tool in the recruiting stack handles EU personal data with the same standards. Every GDPR-compliant recruiting workflow starts with knowing what data you hold and why you hold it.

What are the 7 main principles of GDPR?

Under Article 5, the seven principles are: lawfulness, fairness, and transparency; purpose limitation (collect only for stated purposes); data minimization (only what’s necessary); accuracy (keep data correct and updated); storage limitation (delete when no longer needed); integrity and confidentiality (secure processing); and accountability (document compliance decisions). In recruiting, the three principles that generate the most enforcement risk are data minimization, storage limitation, and accountability - the exact areas the ICO’s November 2024 AI tool audit flagged as most commonly violated.

Does GDPR apply to US companies recruiting EU candidates?

Yes. GDPR has extraterritorial scope - any company that processes personal data of EU residents must comply, regardless of headquarters location. The EU-US Data Privacy Framework (upheld by the European General Court in September 2025) provides a legal transfer mechanism, but you still need to follow GDPR’s core data processing rules. If you source from databases containing EU profiles, you’re in scope.

How long can recruiters keep candidate data under GDPR?

ICO and EDPS guidance recommends retaining unsuccessful candidate data for no longer than 6 to 12 months. Longer retention requires explicit consent - for instance, when adding candidates to a talent pool. The ICO’s November 2024 audit found some AI recruiting tools retaining data indefinitely without candidate knowledge, which regulators flagged as a clear violation.

What GDPR rules apply specifically to AI recruiting tools?

AI recruiting tools must comply with transparency requirements (Articles 13-14), automated decision-making restrictions (Article 22), data minimization principles, and DPIA obligations (Article 35). The EDPB’s Opinion 28/2024 also established that AI models trained on unlawfully processed data may themselves be unlawful to deploy. These obligations layer on top of the EU AI Act’s high-risk requirements.

Do recruiters need candidate consent to source candidates?

Not always. Active sourcing for a specific open role can rely on legitimate interest rather than consent. However, you must conduct a legitimate interest assessment, be transparent about your data processing (including the Article 14 notice for profiles you did not collect from the candidate directly), and respect candidates’ right to object. Storing sourced profiles in a talent pool for future roles does require explicit consent with a clear retention period.

Building GDPR Compliance Into Your Recruiting Process

Treating GDPR as a one-time audit misses the point. Compliance is an ongoing operational requirement that touches every part of how you find, evaluate, and hire candidates. The regulation has generated EUR 6.8 billion in fines since 2018 (GDPR Enforcement Tracker, 2026), and employment-sector enforcement is accelerating. As AI recruiting tools become standard, the overlap between GDPR and the EU AI Act’s recruiting compliance requirements creates a dual challenge that hiring teams need to address now.

Here’s where to start:

  • Audit your lawful basis for every type of candidate data processing
  • Set retention policies that auto-purge data after 6-12 months for unsuccessful candidates
  • Build a process for handling Subject Access Requests within one month
  • Run a DPIA for every AI recruiting tool in your stack
  • Verify your cross-border data transfer mechanisms (DPF certification, SCCs)
  • Choose recruiting tools built with data protection by design - not as an add-on

Build a GDPR-compliant recruiting workflow with Pin