Candidate Data in Recruitment Processes: What the GDPR Requires

·

Every time a company posts a job vacancy, receives a CV or accesses a candidate's professional profile on a social network, it is processing personal data within the meaning of Article 4(2) of Regulation (EU) 2016/679 (GDPR). Yet many organisations are unaware of the specific obligations this entails: which legal basis covers the processing of candidate data, how long CVs of unsuccessful candidates may be retained, what information must be provided before collecting a CV, and what limits the GDPR imposes when viewing social-media profiles. This article addresses each of these questions with regulatory rigour and without unnecessary jargon.

What Personal Data Are Processed in a Recruitment Process?

A recruitment process involves, at a minimum, the processing of the following personal data about candidates:

In regulated sectors—private security, transport, financial services, healthcare—the process may extend to health data, criminal-record certificates or psychometric tests, categories subject to stricter rules that are analysed in the section on special categories of data.

Legal Basis for Processing Candidate Data (Article 6 GDPR)

Article 6(1) GDPR requires that every processing of personal data have a legitimate legal basis. In recruitment, the two most relevant bases are pre-contractual measures and legitimate interest.

Pre-contractual Measures: Article 6(1)(b) GDPR

When a candidate actively applies to participate in a selection process—submitting a CV in response to a published vacancy—the processing of their data is covered by Article 6(1)(b) GDPR. This provision enables processing where it «is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract». In this scenario, it is not necessary to obtain the candidate's consent to process their data for the specific purpose of the recruitment process: the application itself constitutes sufficient grounds.

Legitimate Interest: Article 6(1)(f) GDPR

When the company receives an unsolicited CV—without a published vacancy to which the candidate is responding—or when it wishes to retain the data of unsuccessful candidates for future vacancies, the most appropriate legal basis is the legitimate interest of the controller (art. 6(1)(f) GDPR). Applying this basis requires that the interest be specific and real, and that it not be overridden by the rights and interests of the candidates, which in turn requires a reasoned balancing exercise—the so-called balancing test.

Some organisations choose to obtain the candidate's explicit consent to retain their CV in a talent pool. This is a valid solution, but it has the disadvantage that consent can be withdrawn at any time, requiring deletion of the data if the candidate revokes it. For this reason, a properly documented legitimate interest is in many cases more robust for unsolicited applications.

If you are unsure which legal basis to apply to your recruitment process, or how to document the balancing test, the GDPR compliance team at Summum Consultoría can support you through the analysis and the preparation of the necessary documentation.

Information to Candidates: Obligations Under Article 13 GDPR

Article 13 GDPR sets out the information that the controller must provide to the data subject at the time their personal data are collected. In the recruitment context, this means the company must inform the candidate—before they submit their CV or complete the application form—of the following:

This information must be drafted in clear, plain language. The most common practice is to include it in the data-protection clause attached to the application form or on the careers page of the corporate website. Failing to include it—or doing so incompletely—constitutes an infringement of Article 83 GDPR.

Active Application vs. Unsolicited Application: Comparison Table

Aspect Active application (responding to a published vacancy) Unsolicited application (no published vacancy)
Main legal basis Art. 6(1)(b) GDPR (pre-contractual measures) Art. 6(1)(f) GDPR (legitimate interest) or explicit consent
Consent required? No, for the specific recruitment process No, if legitimate interest is justified; yes, if consent is chosen
Recommended retention period Up to 1 year after the process ends Up to 1 year from receipt of the CV
Duty to inform Art. 13 GDPR, at the time the CV is submitted Art. 13 GDPR, at the time the CV is submitted
Use for future vacancies Yes, on the basis of legitimate interest or additional consent Yes, on the basis of legitimate interest or consent
Withdrawal by the candidate Right to object (art. 21 GDPR) Right to object or withdrawal of consent

Retention Period for Unsuccessful Applications

One of the most frequent questions in data protection in recruitment is how long a company may retain the CV of an unsuccessful candidate. The GDPR does not set a specific period: it establishes the principle of storage limitation (Article 5(1)(e)), which requires that data be kept for no longer than is necessary for the purposes of the processing.

The AEPD has indicated, as a guiding criterion, that one year is a reasonable period for retaining data of unsuccessful candidates when the company wishes to keep them in its talent pool for future vacancies. This criterion does not operate as an immovable statutory maximum, but it functions as a best-practice reference that the AEPD itself may consider in the event of an investigation.

Once that period has elapsed, the company must erase or anonymise the data. Erasure must be effective and extend to all systems where the data are stored: the ATS, e-mails, local folders and any accessible backup. It is not sufficient to archive CVs in a “past candidates” folder.

In practice, many organisations implement automated alerts in their applicant tracking system to receive a notification when the erasure deadline is approaching, or to ask the candidate to renew their consent before the data are deleted. This measure is straightforward to configure in most market ATS solutions and significantly reduces the risk of unlawful retention.

Social Media and Candidate Data: When Is It Lawful to View Profiles?

Viewing candidate profiles on LinkedIn, Twitter/X, Instagram or other social networks during a recruitment process is subject to the GDPR when the recruiter collects, notes or processes in any way the information thus obtained. The fact that data are publicly accessible does not make them freely usable for any purpose: the principle of purpose limitation (art. 5(1)(b) GDPR) requires that data only be used for the purposes for which they were originally collected. A candidate who publishes their professional history on LinkedIn does so to connect in a professional environment, not necessarily to be assessed in every recruitment process.

The criteria that should guide the use of social media in recruitment are as follows:

Special Categories of Data and Non-Discrimination (Article 9 GDPR)

Article 9 GDPR affords enhanced protection to certain categories of personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed for unique identification purposes, health data, and data concerning sex life or sexual orientation. The processing of these categories is prohibited in principle, unless one of the exceptions in Article 9(2) GDPR applies.

In the recruitment context, this has direct and unavoidable implications:

Furthermore, Article 64(4)(d) of the Workers' Statute (Estatuto de los Trabajadores), introduced by Law 12/2021 of 28 September, provides that workers' representatives must be informed of the profiles drawn up using workers' data, as well as of any artificial intelligence system that may affect them, including those used in staff selection. This disclosure obligation is triggered before the system is deployed, not once it is already in use.

Candidate Rights During the Recruitment Process

Candidates are data subjects within the meaning of the GDPR and may exercise their rights at any point in the process. The company must have a clear, accessible channel for handling these requests and must respond within the deadlines set by the GDPR: one month as a general rule, extendable to three months in cases of complexity or a high volume of requests.

The most relevant rights in the area of staff recruitment are:

If your organisation has implemented or is implementing a candidate management system, we recommend reviewing whether the procedures for handling data-subject requests are correctly documented. The GDPR compliance service at Summum Consultoría includes the review and implementation of these procedures, tailored to the size and sector of each company.

Data Processing Agreements: Temporary Staffing Agencies, Headhunters and ATS Platforms

When recruitment is outsourced to a temporary staffing agency (TSA), an HR consultancy or an applicant tracking platform (ATS in SaaS mode), the question arises of who is the controller and in what capacity the provider acts.

In general, the external provider acts as a data processor when it processes candidate data on behalf of the client company and following its instructions. In that case, it is mandatory to conclude a data processing agreement in accordance with Article 28 GDPR, regulating the controller's instructions, applicable security measures, subcontracting, and the return or deletion of data upon termination of the service. Without this agreement, the client company commits an infringement that may fall within the sanctioning regime of Article 83 GDPR.

In certain scenarios—for example, where a headhunter has their own candidate database and acts with full autonomy to source candidates—they may be regarded as an independent controller. The boundaries are not always clear and must be assessed on a case-by-case basis, paying particular attention to who decides on the purposes and means of the processing.

Enforcement: Article 83 GDPR and LOPDGDD

Non-compliance with GDPR obligations in the recruitment context may result in administrative penalties. Article 83 GDPR distinguishes two tiers:

The LOPDGDD (Organic Law 3/2018) calibrates and refines these penalties within the Spanish legal order and may additionally entail the imposition of corrective measures—such as suspension of processing or erasure of data—independently of the fines. In addition to administrative sanctions, discriminatory processing of candidate data may give rise to liability in the employment and civil law spheres.

Frequently Asked Questions

Can we ask the candidate to authorise us to keep their CV for future vacancies?

Yes. This is a common and valid practice, provided that consent is freely given, specific, informed and unambiguous (art. 4(11) GDPR). The company must clearly explain for what purpose the data will be retained, for how long, and how the candidate can withdraw consent. Tacit consent and pre-ticked boxes are not valid. Remember that the candidate may withdraw consent at any time, requiring deletion of their data from all systems where it is stored.

How long may the CV of an unsuccessful candidate be retained?

The GDPR does not set a specific period, but the AEPD's guiding criterion points to one year as a reasonable retention period for unsuccessful candidates held in a talent pool. Once that period has elapsed, the data must be erased or anonymised. If the legal basis is consent, the retention period will be the one communicated to the candidate when consent was obtained. In both cases, erasure must be effective and extend to all systems where the data are stored.

Is it lawful to search for candidates on Google or their social-media profiles?

Viewing a candidate's professional profile on LinkedIn during a recruitment process may fall within the employer's legitimate interest, provided it is limited to professional information relevant to the role and the candidate is informed of this practice in the data-protection clause. Viewing profiles on predominantly personal social networks—Instagram, Facebook, TikTok—to obtain information about private life has no lawful legal basis and may entail the unlawful capture of special categories of data (health, ideology, sexual orientation), the processing of which is prohibited by Article 9 GDPR except in enumerated cases.

What happens if a candidate exercises their right to erasure while the process is active?

If the candidate requests erasure of their data during the recruitment process, the company must assess whether any of the grounds in Article 17 GDPR applies. In general, if processing is based on pre-contractual measures (active application for a vacancy), the company may refuse erasure while the process is ongoing, but must communicate this to the candidate with the corresponding justification. If the candidate withdraws their application, there is no longer a basis for continuing the processing and the data must be erased. If processing is based on legitimate interest, the candidate may object under Article 21 GDPR, and the company must cease processing unless it demonstrates compelling legitimate grounds.

If your organisation is reviewing its recruitment processes to verify that candidate data processing complies with the GDPR and the LOPDGDD, the data protection team at Summum Consultoría, with offices in Castile and León (Valladolid, Burgos, Palencia and Aranda de Duero) and in Las Palmas de Gran Canaria, can guide you through the compliance process. Explore our GDPR compliance service and request a no-obligation initial assessment.