GDPR-Compliant CV Processing for EU Recruitment Agencies
Lawful basis, retention windows, processor agreements, candidate rights. A practical GDPR primer for EU agencies handling CVs in 2026.
A CV is a dossier of personal data: name, contact details, employment history, sometimes nationality or date of birth, and occasionally special-category data the candidate volunteered (health, union membership, religion), which needs an Art. 9 condition on top of the Art. 6 basis. Under GDPR every one of these fields needs a lawful basis and a retention period. The EDPB's 2024 guidelines on legitimate interest (Guidelines 1/2024 on Art. 6(1)(f)) tightened the balancing test that recruitment processing has long leaned on, and most agencies are still catching up.
Here's what your processing needs to look like in 2026.
Lawful basis: it's not "legitimate interest"
The default many agencies fall back to, a single blanket "we have a legitimate interest in matching candidates to roles" covering everything they do with a CV, is the position EU DPAs reject when it is challenged. Legitimate interest is not forbidden; it just cannot carry every purpose. Each purpose needs its own basis:
- Active applications (candidate applied to a specific role): lawful basis is contract (Art. 6(1)(b)) — processing is necessary to take steps at the candidate's request.
- Talent-pool retention (CV kept on file for future roles): lawful basis is consent (Art. 6(1)(a)) — must be freely given, specific, informed and opt-in (Art. 7), with a stated duration; the candidate can withdraw it at any time, and withdrawal ends the retention early. ("Explicit" consent is the Art. 9 standard for special-category data; ordinary Art. 6 consent still cannot be a pre-ticked box or buried in the application terms.)
- Internal records (e.g. who you rejected, why): lawful basis is legitimate interest (Art. 6(1)(f)) — but only the minimum necessary, with a documented legitimate interest assessment (the balancing test) on file.
If you're using one consent text for all three, fix that first.
Retention windows
The defensible defaults, based on DPA decisions in DE/FR/IE 2024–2025:
| Data | Default retention | Trigger to delete |
|---|---|---|
| Active application CV | Until role closes + 6 months | Role closed |
| Talent pool CV | 24 months from upload | Consent expiry |
| Rejection records | 12 months | Statute of limitations on discrimination claims |
| Interview notes | 6 months after role closes | Role closed |
| Anonymized analytics | Indefinite | n/a |
The "12 months for rejection records" is counterintuitive; agencies often delete immediately on rejection. Don't. If a rejected candidate alleges discrimination you need the record to show the decision was made on lawful criteria, and Art. 17(3)(e) (establishment, exercise or defence of legal claims) is what lets you keep it for that purpose. Set the window to the limitation period for discrimination claims in the member state concerned, which may be shorter or longer than 12 months, and place a legal hold on the record the moment a complaint arrives so the purge job does not delete your own evidence.
Candidate rights, in agency terms
The four rights candidates exercise most often:
- Right of access (Art. 15) — respond without undue delay and within one month (Art. 12(3)); the deadline can be extended by two further months for complex or numerous requests, but the candidate must be told about the extension within the first month. Export every CV version, every internal note about the candidate (an evaluator's opinion of the candidate is the candidate's personal data), and every submission shared with a client, redacting third parties' data. Have a workflow for this before the first request arrives.
- Right to erasure (Art. 17) — must comply unless an Art. 17(3) exception applies, most often 17(3)(e), the defence of legal claims (e.g. a rejection record still inside its retention window). Crucially: the erasure must propagate to your processors (your CV-cleaning tool, your AI vendor), which the Art. 28 agreement has to oblige them to execute on your instruction.
- Right to rectification (Art. 16) — candidate can request corrections. Update both the CV record and any derived data (skill tags, scores).
- Rights around automated decision-making (Art. 22) — Art. 22 is not an objection right (that is Art. 21); it is a prohibition on decisions based solely on automated processing that have legal or similarly significant effects, and rejecting an applicant by algorithm alone qualifies. If you use AI to score candidates, either a human with real authority reviews before any candidate is dropped, or you rely on one of the Art. 22(2) exceptions (explicit consent, or necessity for the contract) and still provide the Art. 22(3) safeguards: human intervention on request, the ability to express a view, and the ability to contest the decision. A human who rubber-stamps the score does not count as human involvement.
Processor agreements: what to ask your CV-cleaning vendor
If you use any tool that processes CVs (cleaner, AI parser, ATS), you need a Data Processing Agreement (DPA) under Art. 28. Key clauses to negotiate:
- Sub-processors: a closed list in the DPA, written notice before any change (30 days is typical) and a right to object (Art. 28(2)); the vendor stays liable for its sub-processors' performance (Art. 28(4))
- Data location: EU-only, or transfers covered by an adequacy decision (including the EU-US Data Privacy Framework for certified US vendors) or by SCCs plus a documented transfer impact assessment
- Retention: vendor must delete or return on instruction and at contract end (Art. 28(3)(g)), confirm deletion in writing, and execute Art. 17 erasures you forward to it
- Audit rights: Art. 28(3)(h) gives you the right to audit; in the ordinary course accept an annual SOC 2 Type II report or ISO 27001 certificate, but keep a contractual right to audit on cause
- Breach notification: ≤ 24 hours to the controller (you), so you can meet the 72-hour notification to your supervisory authority under Art. 33 (which runs from when you become aware, not from when the vendor does)
Where most agencies fail
The most common GDPR finding against recruitment agencies is also the most mundane: CVs retained indefinitely in shared drives and inboxes, long after the role closed or the consent lapsed. The fix is mostly procedural: classify every CV at the moment of upload (active application, talent pool, rejection record), attach the retention trigger and window from the table above, and make the purge automatic rather than relying on someone remembering. A legal hold should pause that purge for a named record; it should never be the reason the whole drive is kept.
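The retention table and the erasure rule under candidate rights are easy to lose in a shared drive but simple to express as data. What follows is an added Python example, not code from this page or from CV Cleaner Pro: it encodes the page's default windows as a policy table, arms a timer per record from its trigger event, reports what is due for purge on a given day (respecting legal holds and withdrawn consent), and resolves an Art. 17 request against the Art. 17(3)(e) exception while listing which processors must receive the same instruction. The field names, the 30-day month, the processor names and the sample records are assumptions made for the example.

```python
"""Retention timers and erasure resolution for CV records.

Added example, not code from the page or from CV Cleaner Pro. It encodes the
page's default retention table as data and resolves Art. 17 erasure requests
against it. Field names, the 30-day month, processor names and all sample
records below are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Record kind -> (lawful basis, field whose date starts the clock, retention after it).
# Months are approximated as 30 days (assumption); the logic does not depend on it.
POLICY: Dict[str, Tuple[str, str, timedelta]] = {
    "active_application": ("Art. 6(1)(b) contract", "role_closed", timedelta(days=180)),
    "interview_notes": ("Art. 6(1)(b) contract", "role_closed", timedelta(days=180)),
    "talent_pool": ("Art. 6(1)(a) consent", "uploaded", timedelta(days=730)),
    "rejection_record": ("Art. 6(1)(f) legitimate interest", "rejected", timedelta(days=365)),
}

TODAY = date(2026, 3, 1)  # fixed "today" so the example is reproducible (assumption)


@dataclass
class Record:
    record_id: str
    candidate_id: str
    kind: str
    uploaded: date
    role_closed: Optional[date] = None      # set when the role is filled or withdrawn
    rejected: Optional[date] = None         # set when a rejection is recorded
    consent_expires: Optional[date] = None  # talent pool only; withdrawal sets it to today
    legal_hold: bool = False                # set when a complaint or claim is pending
    processors: Tuple[str, ...] = ()        # Art. 28 processors holding a copy


def purge_date(rec: Record) -> Optional[date]:
    """Earliest date the record may be purged, or None while its trigger has not fired."""
    _basis, trigger, window = POLICY[rec.kind]
    started: Optional[date] = getattr(rec, trigger)
    if started is None:
        return None  # e.g. the role is still open: keep, timer is armed but not running
    deadline = started + window
    if rec.kind == "talent_pool" and rec.consent_expires is not None:
        deadline = min(deadline, rec.consent_expires)  # withdrawn consent ends retention early
    return deadline


def due_for_purge(records: List[Record], today: date) -> List[str]:
    """IDs whose timer has expired. A legal hold pauses the purge but never extends the basis."""
    due: List[str] = []
    for rec in records:
        deadline = purge_date(rec)
        if deadline is not None and deadline <= today and not rec.legal_hold:
            due.append(rec.record_id)
    return due


def erasure_request(records: List[Record], candidate_id: str, today: date):
    """Resolve an Art. 17 request for one candidate.

    Returns (erased ids, [(retained id, reason)], processors that must be instructed).
    Only records still needed to defend a legal claim are kept (Art. 17(3)(e)).
    """
    erased: List[str] = []
    retained: List[Tuple[str, str]] = []
    notify = set()
    for rec in records:
        if rec.candidate_id != candidate_id:
            continue
        deadline = purge_date(rec)
        if rec.legal_hold:
            retained.append((rec.record_id, "Art. 17(3)(e): legal hold, claim pending"))
        elif rec.kind == "rejection_record" and (deadline is None or deadline > today):
            retained.append((rec.record_id, f"Art. 17(3)(e): rejection record kept until {deadline}"))
        else:
            erased.append(rec.record_id)
            notify.update(rec.processors)  # the same instruction goes to every processor copy
    return erased, retained, sorted(notify)


def sample_records() -> List[Record]:
    """Constructed sample data for the example (not real candidates)."""
    return [
        Record("r1", "c1", "active_application", date(2025, 6, 1),
               role_closed=date(2025, 8, 15), processors=("cv-cleaner",)),
        Record("r2", "c2", "active_application", date(2026, 1, 10)),  # role still open
        Record("r3", "c1", "talent_pool", date(2024, 9, 1), processors=("cv-cleaner", "ai-parser")),
        Record("r4", "c1", "rejection_record", date(2025, 6, 1), rejected=date(2025, 9, 10)),
        Record("r5", "c1", "interview_notes", date(2025, 6, 1), role_closed=date(2025, 8, 15)),
        Record("r6", "c3", "talent_pool", date(2025, 1, 1), consent_expires=date(2026, 2, 1)),
        Record("r7", "c4", "rejection_record", date(2024, 10, 1),
               rejected=date(2024, 12, 1), legal_hold=True),  # discrimination complaint pending
    ]


if __name__ == "__main__":
    recs = sample_records()
    print("due for purge on", TODAY, "->", due_for_purge(recs, TODAY))
    print("erasure request from c1 ->", erasure_request(recs, "c1", TODAY))
```

Run it and the purge job reports r1, r5 and r6 (closed role plus six months, and a talent-pool consent withdrawn before its 24 months ran out), while r7 stays because of its legal hold and r2 has no deadline yet because the role is still open. The erasure request from c1 erases the application, talent-pool CV and interview notes, keeps the rejection record with its Art. 17(3)(e) reason and end date, and returns the two processors that must receive the same deletion instruction. The design point is that the purge job and the erasure handler read one policy table, so the two cannot drift apart, and a legal hold is a per-record flag rather than an excuse to stop purging the whole drive.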
CV Cleaner Pro applies configurable retention windows per upload, with automated purge. Read our GDPR notes →