GDPR in Recruiting
GDPR (Regulation EU 2016/679) governs the processing of candidate personal data. In recruiting it requires: a clear legal basis for each processing purpose, limited retention (typically 12 to 24 months unless the candidate consents to longer), the ability to honour access and erasure requests, and a Data Protection Impact Assessment (DPIA) where candidates are profiled automatically.
Extended definition
Data collected during recruiting (CVs, cover letters, audio recordings, psychometric assessments) is personal data under GDPR. It often includes special categories of data (ethnic origin visible from photos, sexual orientation or religion inferable from cover letters, health data for roles requiring medicals). Processing special categories is prohibited by default: on top of the art. 6 legal basis, one of the art. 9(2) exceptions must apply, and the safest course for an ATS is to avoid collecting them at all (no photo field, free-text fields kept out of the matching features).
Typical lawful bases for an ATS are:
- Pre-contractual measures (art. 6(1)(b)): covers the active application of a candidate to a specific role.
- Legitimate interest (art. 6(1)(f)): can cover retention of the CV in a talent pool after rejection, provided the balancing test is documented and the candidate is told and can object.
- Consent (art. 6(1)(a)): required for specific uses (e.g. future marketing communications, sharing with affiliated group companies). Because of the imbalance between employer and candidate, consent only counts if it is genuinely optional: refusing it must not affect the application, and it must be as easy to withdraw as to give.
Retention periods recommended by European DPAs fall in the 12 to 24 month range from the last application for unhired candidates (the exact figure varies by national authority), unless the candidate has given explicit consent to longer retention; for hired candidates the data moves into the employment file and follows the retention periods of the employment relationship.
Candidate rights (arts. 15-22 GDPR) that an ATS must be able to honour are: access to the data held (art. 15), rectification (art. 16), erasure, the right to be forgotten (art. 17), portability in a structured, machine-readable format (art. 20), objection to processing (art. 21), and the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (art. 22). In practice this means a candidate whose application was rejected on AI matching alone can demand human review of that decision and contest it. Requests must normally be answered within one month (art. 12(3)), so the export and erasure paths need to work on the data as stored, including backups and any copies held by integrated tools.
For systems that include algorithmic profiling (intelligent matching, scoring) a Data Protection Impact Assessment (DPIA, art. 35) is mandatory, because systematic evaluation of individuals by automated means is one of the cases the regulation names explicitly; it must be reviewed whenever the processing or its risk changes, not written once and filed.
The most frequent error is excessive retention: many legacy ATS keep CVs for 5+ years with no legal basis. The risk is twofold: administrative fines (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher) and loss of asset value, since old applications are obsolete anyway. A stale archive is also breach exposure: every CV kept past its purpose is data that must be secured and, if compromised, notified, so the retention policy should be enforced by an automated sweep rather than left to manual clean-ups.
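The retention rules above, and the excessive-retention failure they are meant to prevent, are easy to state and easy to get wrong in code (consent that has lapsed, hired candidates swept by mistake, month arithmetic across short months). The following Python is an added example written for this page, not code from Cumino or any real ATS; the 12-month default, the field names and the candidate records are assumptions and constructed sample data. It computes, for each record, the date on which the lawful basis runs out, lists the records due for erasure on a given day, and produces the audit rows that should be written before deletion.

```python
"""Retention sweep for an applicant-tracking system (illustrative example).

Assumptions (not taken from any product): a 12-month default window for
unhired candidates counted from the last application, extendable only by an
explicit, dated consent; hired candidates are left to the HR records policy.
All candidate records are constructed sample data.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DEFAULT_RETENTION_MONTHS = 12  # policy parameter; DPAs recommend 12-24 months


@dataclass(frozen=True)
class Candidate:
    candidate_id: str
    status: str                           # "applied", "rejected" or "hired"
    last_application: date                # retention clock starts here
    consent_until: Optional[date] = None  # talent-pool consent expiry, if given


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of short months."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_deadline(c: Candidate,
                       policy_months: int = DEFAULT_RETENTION_MONTHS) -> Optional[date]:
    """Date after which no lawful basis remains, or None if out of scope.

    Hired candidates are retained under the employment relationship and are
    handled by a different policy, so they are never swept here. For everyone
    else the policy window runs from the last application and a still-valid
    consent can extend it, but never shorten it.
    """
    if c.status == "hired":
        return None
    base = add_months(c.last_application, policy_months)
    if c.consent_until is not None and c.consent_until > base:
        return c.consent_until
    return base


def due_for_erasure(candidates: List[Candidate], today: date,
                    policy_months: int = DEFAULT_RETENTION_MONTHS) -> List[str]:
    """IDs whose retention deadline has passed: the input to the erasure flow."""
    due = []
    for c in candidates:
        deadline = retention_deadline(c, policy_months)
        if deadline is not None and deadline <= today:
            due.append(c.candidate_id)
    return due


def erasure_audit_entries(candidates: List[Candidate], today: date,
                          policy_months: int = DEFAULT_RETENTION_MONTHS) -> List[Dict[str, str]]:
    """Audit rows to persist before deleting, so the erasure itself is evidenced.

    The reason distinguishes a lapsed consent from a plain policy window, which
    is what a DPA will ask for when checking the basis that was relied on.
    """
    rows = []
    for c in candidates:
        deadline = retention_deadline(c, policy_months)
        if deadline is None or deadline > today:
            continue
        reason = "consent_expired" if c.consent_until is not None else "retention_window_elapsed"
        rows.append({"candidate_id": c.candidate_id,
                     "deadline": deadline.isoformat(),
                     "swept_on": today.isoformat(),
                     "reason": reason})
    return rows


TODAY = date(2024, 6, 1)  # fixed so the example is reproducible

# Constructed sample data covering the cases that usually go wrong.
SAMPLE = [
    Candidate("c1", "rejected", date(2023, 3, 15)),                                  # window elapsed
    Candidate("c2", "rejected", date(2023, 3, 15), consent_until=date(2025, 3, 15)),  # consent extends
    Candidate("c3", "rejected", date(2022, 1, 10), consent_until=date(2023, 1, 10)),  # consent lapsed
    Candidate("c4", "hired", date(2023, 9, 1)),                                       # HR records policy
    Candidate("c5", "applied", date(2024, 1, 20)),                                    # still inside window
]

if __name__ == "__main__":
    print("due for erasure:", due_for_erasure(SAMPLE, TODAY))
    for row in erasure_audit_entries(SAMPLE, TODAY):
        print(row)
```

Running the sweep with the 12-month default lists c1 and c3 and leaves c2 (valid consent), c4 (hired) and c5 (recent) alone; widening the window to 24 months keeps c1 as well. In a real deployment the sweep runs on a schedule, the audit rows are written before the delete is committed, and the same deadline function drives the candidate-facing notice so people are told when their data will go.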
Cumino ships configurable retention policies per customer, native consent audit logging, GDPR-compliant export and a one-click erasure flow.
See how it works in practice
Cumino implements the key concepts of modern recruiting natively. Book a demo to see them in action.