Every time a company posts a job vacancy, receives a CV or accesses a candidate's professional profile on a social network, it is processing personal data within the meaning of Article 4(2) of Regulation (EU) 2016/679 (GDPR). Yet many organisations are unaware of the specific obligations this entails: which legal basis covers the processing of candidate data, how long CVs of unsuccessful candidates may be retained, what information must be provided before collecting a CV, and what limits the GDPR imposes when viewing social-media profiles. This article addresses each of these questions with regulatory rigour and without unnecessary jargon.
What Personal Data Are Processed in a Recruitment Process?
A recruitment process involves, at a minimum, the processing of the following personal data about candidates:
- Identification data: name, surname, postal address, telephone number, e-mail address.
- Education and professional experience data: academic qualifications, employment history, languages, skills, certifications.
- Photograph, when the candidate includes it in the CV.
- Notes and assessments generated by the interviewer during or after the interview.
- References from previous employers, if requested and verified.
- Data obtained from social networks or public sources, such as LinkedIn profiles, online portfolios or internet publications.
In regulated sectors—private security, transport, financial services, healthcare—the process may extend to health data, criminal-record certificates or psychometric tests, categories subject to stricter rules that are analysed in the section on special categories of data.
Legal Basis for Processing Candidate Data (Article 6 GDPR)
Article 6(1) GDPR requires that every processing of personal data have a legitimate legal basis. In recruitment, the two most relevant bases are pre-contractual measures and legitimate interest.
Pre-contractual Measures: Article 6(1)(b) GDPR
When a candidate actively applies to participate in a selection process—submitting a CV in response to a published vacancy—the processing of their data is covered by Article 6(1)(b) GDPR. This provision enables processing where it «is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract». In this scenario, it is not necessary to obtain the candidate's consent to process their data for the specific purpose of the recruitment process: the application itself constitutes sufficient grounds.
Legitimate Interest: Article 6(1)(f) GDPR
When the company receives an unsolicited CV—without a published vacancy to which the candidate is responding—or when it wishes to retain the data of unsuccessful candidates for future vacancies, the most appropriate legal basis is the legitimate interest of the controller (art. 6(1)(f) GDPR). Applying this basis requires that the interest be specific and real, and that it not be overridden by the rights and interests of the candidates, which in turn requires a reasoned balancing exercise—the so-called balancing test.
Some organisations choose to obtain the candidate's explicit consent to retain their CV in a talent pool. This is a valid solution, but it has the disadvantage that consent can be withdrawn at any time, requiring deletion of the data if the candidate revokes it. For this reason, a properly documented legitimate interest is in many cases more robust for unsolicited applications.
If you are unsure which legal basis to apply to your recruitment process, or how to document the balancing test, the GDPR compliance team at Summum Consultoría can support you through the analysis and the preparation of the necessary documentation.
Information to Candidates: Obligations Under Article 13 GDPR
Article 13 GDPR sets out the information that the controller must provide to the data subject at the time their personal data are collected. In the recruitment context, this means the company must inform the candidate—before they submit their CV or complete the application form—of the following:
- Identity and contact details of the controller.
- Contact details of the Data Protection Officer (DPO), where one exists.
- Purposes of the processing and legal basis (selection process for position X; pre-contractual measures or legitimate interest).
- Whether data will be retained for future vacancies and for how long.
- Whether data will be shared with third parties: group companies, external recruitment consultants, applicant tracking systems (ATS).
- Candidate rights: access, rectification, erasure, restriction of processing, portability and objection.
- Right to lodge a complaint with the Spanish Data Protection Agency (AEPD — Agencia Española de Protección de Datos).
This information must be drafted in clear, plain language. The most common practice is to include it in the data-protection clause attached to the application form or on the careers page of the corporate website. Failing to include it—or doing so incompletely—constitutes an infringement of Article 83 GDPR.
Active Application vs. Unsolicited Application: Comparison Table
| Aspect | Active application (responding to a published vacancy) | Unsolicited application (no published vacancy) |
|---|---|---|
| Main legal basis | Art. 6(1)(b) GDPR (pre-contractual measures) | Art. 6(1)(f) GDPR (legitimate interest) or explicit consent |
| Consent required? | No, for the specific recruitment process | No, if legitimate interest is justified; yes, if consent is chosen |
| Recommended retention period | Up to 1 year after the process ends | Up to 1 year from receipt of the CV |
| Duty to inform | Art. 13 GDPR, at the time the CV is submitted | Art. 13 GDPR, at the time the CV is submitted |
| Use for future vacancies | Yes, on the basis of legitimate interest or additional consent | Yes, on the basis of legitimate interest or consent |
| Withdrawal by the candidate | Right to object (art. 21 GDPR) | Right to object or withdrawal of consent |
Retention Period for Unsuccessful Applications
One of the most frequent questions in data protection in recruitment is how long a company may retain the CV of an unsuccessful candidate. The GDPR does not set a specific period: it establishes the principle of storage limitation (Article 5(1)(e)), which requires that data be kept for no longer than is necessary for the purposes of the processing.
The AEPD has indicated, as a guiding criterion, that one year is a reasonable period for retaining data of unsuccessful candidates when the company wishes to keep them in its talent pool for future vacancies. This criterion does not operate as an immovable statutory maximum, but it functions as a best-practice reference that the AEPD itself may consider in the event of an investigation.
Once that period has elapsed, the company must erase or anonymise the data. Erasure must be effective and extend to all systems where the data are stored: the ATS, e-mails, local folders and any accessible backup. It is not sufficient to archive CVs in a “past candidates” folder.
In practice, many organisations implement automated alerts in their applicant tracking system to receive a notification when the erasure deadline is approaching, or to ask the candidate to renew their consent before the data are deleted. This measure is straightforward to configure in most market ATS solutions and significantly reduces the risk of unlawful retention.
Social Media and Candidate Data: When Is It Lawful to View Profiles?
Viewing candidate profiles on LinkedIn, Twitter/X, Instagram or other social networks during a recruitment process is subject to the GDPR when the recruiter collects, notes or processes in any way the information thus obtained. The fact that data are publicly accessible does not make them freely usable for any purpose: the principle of purpose limitation (art. 5(1)(b) GDPR) requires that data only be used for the purposes for which they were originally collected. A candidate who publishes their professional history on LinkedIn does so to connect in a professional environment, not necessarily to be assessed in every recruitment process.
The criteria that should guide the use of social media in recruitment are as follows:
- Relevance and proportionality: only professional information directly relevant to the vacant position should be consulted and noted. Viewing a candidate's Instagram profile to look for information about their personal life—political affiliation, sexual orientation, health, activism—has no lawful legal basis and may constitute discrimination.
- Transparency: the candidate must be informed that their profiles on professional social networks will be consulted. This information must be included in the data-protection clause of the recruitment process.
- Documentation: if the recruiter notes information obtained from a social network, that note forms part of the candidacy file and is subject to the candidate's right of access. The candidate may request what information has been collected about them and from which sources.
- Limit on personal social networks: viewing profiles on predominantly personal social networks—Facebook in private mode, TikTok, Snapchat—to obtain intimate or ideological information about the candidate has no lawful legal basis and may involve the unlawful capture of special categories of data.
Special Categories of Data and Non-Discrimination (Article 9 GDPR)
Article 9 GDPR affords enhanced protection to certain categories of personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed for unique identification purposes, health data, and data concerning sex life or sexual orientation. The processing of these categories is prohibited in principle, unless one of the exceptions in Article 9(2) GDPR applies.
In the recruitment context, this has direct and unavoidable implications:
- A company may not ask candidates for information about their health, pregnancy, disability, trade-union membership or sexual orientation, except in cases expressly provided for by law (for example, health data relevant to professional fitness in sectors such as transport or medicine, regulated by specific sectoral legislation).
- If a candidate voluntarily includes special-category information in their CV—such as a disability—the company must not process it beyond what is strictly necessary to adapt the process if the candidate so requests, and must document the legal basis for the processing.
- The use of artificial intelligence or screening algorithms must be carefully assessed to detect potential biases that may indirectly generate discrimination on grounds of origin, sex or other protected characteristics.
Furthermore, Article 64(4)(d) of the Workers' Statute (Estatuto de los Trabajadores), introduced by Law 12/2021 of 28 September, provides that workers' representatives must be informed of the profiles drawn up using workers' data, as well as of any artificial intelligence system that may affect them, including those used in staff selection. This disclosure obligation is triggered before the system is deployed, not once it is already in use.
Candidate Rights During the Recruitment Process
Candidates are data subjects within the meaning of the GDPR and may exercise their rights at any point in the process. The company must have a clear, accessible channel for handling these requests and must respond within the deadlines set by the GDPR: one month as a general rule, extendable to three months in cases of complexity or a high volume of requests.
The most relevant rights in the area of staff recruitment are:
- Right of access (art. 15 GDPR): the candidate may request what data the company holds about them, for what purpose, for how long and whether they have been shared with third parties.
- Right to rectification (art. 16 GDPR): if any data are inaccurate or incomplete, the candidate may request their correction.
- Right to erasure (art. 17 GDPR): the candidate may request deletion of their data when, for example, they no longer wish to participate in the process or do not want their CV to remain in the talent pool.
- Right to object (art. 21 GDPR): where processing is based on the legitimate interest of the controller, the candidate may object to the processing at any time. The company must cease processing unless it demonstrates compelling legitimate grounds that override the interests of the candidate.
- Right not to be subject to automated decisions (art. 22 GDPR): if the company uses automated screening systems that produce decisions with legal effects or that significantly affect the candidate, the candidate has the right to request human intervention, express their view and contest the decision.
If your organisation has implemented or is implementing a candidate management system, we recommend reviewing whether the procedures for handling data-subject requests are correctly documented. The GDPR compliance service at Summum Consultoría includes the review and implementation of these procedures, tailored to the size and sector of each company.
Data Processing Agreements: Temporary Staffing Agencies, Headhunters and ATS Platforms
When recruitment is outsourced to a temporary staffing agency (TSA), an HR consultancy or an applicant tracking platform (ATS in SaaS mode), the question arises of who is the controller and in what capacity the provider acts.
In general, the external provider acts as a data processor when it processes candidate data on behalf of the client company and following its instructions. In that case, it is mandatory to conclude a data processing agreement in accordance with Article 28 GDPR, regulating the controller's instructions, applicable security measures, subcontracting, and the return or deletion of data upon termination of the service. Without this agreement, the client company commits an infringement that may fall within the sanctioning regime of Article 83 GDPR.
In certain scenarios—for example, where a headhunter has their own candidate database and acts with full autonomy to source candidates—they may be regarded as an independent controller. The boundaries are not always clear and must be assessed on a case-by-case basis, paying particular attention to who decides on the purposes and means of the processing.
Enforcement: Article 83 GDPR and LOPDGDD
Non-compliance with GDPR obligations in the recruitment context may result in administrative penalties. Article 83 GDPR distinguishes two tiers:
- Less serious infringements (art. 83(4) GDPR): fines of up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. These include, among others, failure to fulfil the obligations of the processor, the absence of a processing agreement, or non-compliance with the conditions applicable to consent.
- More serious infringements (art. 83(5) GDPR): fines of up to €20,000,000 or 4% of total worldwide annual turnover, again whichever is higher. These include infringements of the basic principles of processing (including purpose limitation and storage limitation), processing without a legal basis, or failure to comply with the duty to inform.
The LOPDGDD (Organic Law 3/2018) calibrates and refines these penalties within the Spanish legal order and may additionally entail the imposition of corrective measures—such as suspension of processing or erasure of data—independently of the fines. In addition to administrative sanctions, discriminatory processing of candidate data may give rise to liability in the employment and civil law spheres.
Frequently Asked Questions
Can we ask the candidate to authorise us to keep their CV for future vacancies?
Yes. This is a common and valid practice, provided that consent is freely given, specific, informed and unambiguous (art. 4(11) GDPR). The company must clearly explain for what purpose the data will be retained, for how long, and how the candidate can withdraw consent. Tacit consent and pre-ticked boxes are not valid. Remember that the candidate may withdraw consent at any time, requiring deletion of their data from all systems where it is stored.
How long may the CV of an unsuccessful candidate be retained?
The GDPR does not set a specific period, but the AEPD's guiding criterion points to one year as a reasonable retention period for unsuccessful candidates held in a talent pool. Once that period has elapsed, the data must be erased or anonymised. If the legal basis is consent, the retention period will be the one communicated to the candidate when consent was obtained. In both cases, erasure must be effective and extend to all systems where the data are stored.
Is it lawful to search for candidates on Google or their social-media profiles?
Viewing a candidate's professional profile on LinkedIn during a recruitment process may fall within the employer's legitimate interest, provided it is limited to professional information relevant to the role and the candidate is informed of this practice in the data-protection clause. Viewing profiles on predominantly personal social networks—Instagram, Facebook, TikTok—to obtain information about private life has no lawful legal basis and may entail the unlawful capture of special categories of data (health, ideology, sexual orientation), the processing of which is prohibited by Article 9 GDPR except in enumerated cases.
What happens if a candidate exercises their right to erasure while the process is active?
If the candidate requests erasure of their data during the recruitment process, the company must assess whether any of the grounds in Article 17 GDPR applies. In general, if processing is based on pre-contractual measures (active application for a vacancy), the company may refuse erasure while the process is ongoing, but must communicate this to the candidate with the corresponding justification. If the candidate withdraws their application, there is no longer a basis for continuing the processing and the data must be erased. If processing is based on legitimate interest, the candidate may object under Article 21 GDPR, and the company must cease processing unless it demonstrates compelling legitimate grounds.
If your organisation is reviewing its recruitment processes to verify that candidate data processing complies with the GDPR and the LOPDGDD, the data protection team at Summum Consultoría, with offices in Castile and León (Valladolid, Burgos, Palencia and Aranda de Duero) and in Las Palmas de Gran Canaria, can guide you through the compliance process. Explore our GDPR compliance service and request a no-obligation initial assessment.