Every resume you collect, every video response you store, every interview note you save, all of it is personal data under the General Data Protection Regulation. GDPR in hiring is not a back-office legal formality. It is a live obligation that shapes how your team sources candidates, stores applications, runs assessments, and manages rejections. Get it wrong, and you face fines of up to €20 million.
Get it right, and you build the kind of candidate trust that strengthens your employer brand. This guide explains what GDPR requires of HR and recruitment teams, what the risks of non-compliance look like, and how AI video interviewing platforms fit into a compliant hiring workflow.
What Is GDPR in the Context of Hiring?
The General Data Protection Regulation (GDPR) is a European Union law that governs how organisations collect, store, process, and delete the personal data of EU residents. It came into force in May 2018 and applies to every company that handles EU candidate or employee data, regardless of where that company is based.
In hiring, GDPR is relevant from the moment a candidate submits an application. Their name, email address, CV, assessment results, interview recordings, and even your internal evaluation notes are all personal data under the regulation.
The Core Principle: Candidates Own Their Data
GDPR places data ownership firmly with the individual. Candidates are data subjects: they have legal rights over the information you collect about them. Your organisation is the data controller, responsible for ensuring that data is used lawfully, transparently, and only for its stated purpose. Your ATS, video interviewing platform, or any HR tech vendor that processes that data on your behalf is a data processor, bound by your instructions and by its own compliance obligations.
Who Does GDPR Apply To, Including Non-EU Employers?
GDPR applies to any organisation that processes the personal data of individuals located in the EU, regardless of where the organisation is headquartered. A US-based company hiring remotely for a role open to EU candidates must comply with GDPR. A Singapore-based firm with EU applicants in its talent pool is in scope. The geography of the company does not determine the applicability; the geography of the candidate does.
What Candidate Data Does GDPR Cover?
GDPR covers a wide range of information collected during recruitment. Understanding exactly what falls within scope is essential to building a compliant process.
Personal Data Collected During the Recruitment Process
Standard personal data includes names, email addresses, phone numbers, home addresses, CV content, employment history, and educational background. It also includes less obvious data points: IP addresses, browser metadata collected through application portals, interview recordings, and internal recruiter notes about a candidate’s performance or suitability.
Sensitive Data Categories That Require Explicit Consent
GDPR draws a stricter line around special category data: information that could expose candidates to discrimination or harm if mishandled. This includes racial or ethnic origin, religious beliefs, health information, disability status, and biometric data. You cannot collect or process special category data without explicit, specific consent from the candidate. This has direct implications for diversity monitoring forms, background checks, and AI tools that analyse facial or vocal characteristics.
How Long Can You Retain Candidate Data Under GDPR?
GDPR requires that personal data be kept only for as long as necessary for its original purpose. For unsuccessful candidates, the general recommendation is to delete or anonymise their data within six months of the end of the recruitment process unless you have obtained explicit consent to retain it for a longer period for future opportunities. Retention policies should be documented, communicated to candidates upfront, and consistently enforced.
What Are Your Key GDPR Obligations as an Employer?
GDPR compliance in recruitment is not a one-time action. It requires ongoing attention across your entire hiring workflow.
Lawful Basis for Processing: Legitimate Interest vs. Consent
You need a lawful basis to process candidate data. For active applicants, legitimate interest typically applies when you collect their data because they applied for a role, and processing it to evaluate their application is a reasonable expectation. For sourced candidates you approach proactively, the basis is narrower: you must contact them promptly and within a 30-day window, and your outreach must be for a genuinely relevant role. Where sensitive data is involved, only explicit consent will suffice.
Transparency: Informing Candidates What You Collect and Why
Candidates must know, before or at the point of data collection, what information you are gathering, why you need it, how long you will keep it, and who will have access to it. This typically means including a clear privacy notice in your job postings and application forms. The notice should be written in plain language, not buried in a terms-and-conditions wall of text.
The Right to Be Forgotten: Responding to Deletion Requests
Candidates have the right to request that you delete their personal data. You must comply within one month of receiving a verifiable request, unless a legal obligation requires you to retain certain information. Build a documented process for handling these requests before they arrive, not in response to one.
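The two lifecycle rules above (delete or anonymise unsuccessful candidates' data within six months of the end of the process unless they explicitly opted in to be kept on file, and honour a verified deletion request within one month, unless a legal obligation requires retention) are the kind of thing that only stays enforced if something runs them on a schedule. The following retention sweep is an added example, not code from the article or from any vendor it mentions: the record structure, field names, the day counts chosen for "six months" and "one month", and the sample data are all assumptions made for this illustration.

```python
"""Candidate data retention sweep (added example; all structures are constructed)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional

# Both windows come from the retention rules; the exact day counts are assumed here.
RETENTION_AFTER_REJECTION = timedelta(days=183)   # "within six months"
DELETION_REQUEST_SLA = timedelta(days=30)          # "within one month"


@dataclass(frozen=True)
class CandidateRecord:
    """One applicant's data as an ATS might hold it (field names are constructed)."""
    candidate_id: str
    name: str
    email: str
    cv_text: str
    interview_video_path: Optional[str]
    outcome: str                                      # "pending", "hired" or "rejected"
    process_ended_on: Optional[date] = None           # None while the process is open
    talent_pool_consent_until: Optional[date] = None  # explicit opt-in to stay on file
    deletion_requested_on: Optional[date] = None      # date a verified erasure request arrived
    legal_hold: bool = False                          # a legal obligation requires retention
    anonymised: bool = False


def retention_action(rec: CandidateRecord, today: date) -> str:
    """Decide what the sweep should do with one record today.

    Returns "erase", "anonymise" or "retain". A verified deletion request wins
    over every other rule except a documented legal hold.
    """
    if rec.deletion_requested_on is not None:
        return "retain" if rec.legal_hold else "erase"
    if rec.anonymised or rec.outcome != "rejected" or rec.process_ended_on is None:
        return "retain"            # open processes and hires are outside this rule
    consent = rec.talent_pool_consent_until
    if consent is not None and today <= consent:
        return "retain"            # candidate opted in to the talent pool, consent still valid
    if today >= rec.process_ended_on + RETENTION_AFTER_REJECTION:
        return "anonymise"
    return "retain"


def deletion_deadline(rec: CandidateRecord) -> Optional[date]:
    """Last day on which a verified erasure request can still be honoured on time."""
    if rec.deletion_requested_on is None:
        return None
    return rec.deletion_requested_on + DELETION_REQUEST_SLA


def anonymise(rec: CandidateRecord) -> CandidateRecord:
    """Strip everything that identifies the person but keep outcome and dates so
    aggregate hiring statistics still work. The video file itself must also be
    removed from storage; here that is represented by clearing its path."""
    return replace(rec, name="[anonymised]", email="[anonymised]", cv_text="",
                   interview_video_path=None, talent_pool_consent_until=None,
                   anonymised=True)


def sweep(records: List[CandidateRecord], today: date) -> Dict[str, List[str]]:
    """Group candidate ids by the action due today and list overdue erasure requests."""
    plan: Dict[str, List[str]] = {"erase": [], "anonymise": [], "retain": [], "overdue": []}
    for rec in records:
        action = retention_action(rec, today)
        plan[action].append(rec.candidate_id)
        deadline = deletion_deadline(rec)
        if action == "erase" and deadline is not None and today > deadline:
            plan["overdue"].append(rec.candidate_id)   # SLA already missed: escalate
    return plan


# Constructed sample data for a sweep run on 1 September 2024.
SAMPLE_TODAY = date(2024, 9, 1)
SAMPLE_RECORDS = [
    CandidateRecord("c1", "Ada Example", "ada@example.org", "...", "/video/c1.mp4",
                    "rejected", process_ended_on=date(2024, 1, 15)),
    CandidateRecord("c2", "Ben Example", "ben@example.org", "...", "/video/c2.mp4",
                    "rejected", process_ended_on=date(2024, 6, 1)),
    CandidateRecord("c3", "Cy Example", "cy@example.org", "...", None,
                    "rejected", process_ended_on=date(2024, 1, 15),
                    talent_pool_consent_until=date(2025, 1, 15)),
    CandidateRecord("c4", "Di Example", "di@example.org", "...", "/video/c4.mp4",
                    "pending", deletion_requested_on=date(2024, 8, 20)),
    CandidateRecord("c5", "Ed Example", "ed@example.org", "...", None,
                    "rejected", process_ended_on=date(2024, 3, 1),
                    deletion_requested_on=date(2024, 7, 1)),
    CandidateRecord("c6", "Fay Example", "fay@example.org", "...", None, "pending"),
]

if __name__ == "__main__":
    for action, ids in sweep(SAMPLE_RECORDS, SAMPLE_TODAY).items():
        print(f"{action:10s} {ids}")
```

Run against the sample set, the sweep anonymises c1 (rejected in January, no talent-pool consent), keeps c2 (still inside the window), keeps c3 (valid opt-in), erases c4 and c5, and flags c5 as overdue because its one-month deadline passed in July. In a real ATS the "erase" and "anonymise" actions would also remove the stored video files and write an audit entry, and the consent expiry date is what lets the same sweep retire talent-pool profiles once the period the candidate agreed to has ended.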
Data Processor Agreements with Your HR Tech Vendors
Every platform that handles candidate data on your behalf (your ATS, your video interviewing tool, your assessment provider) is a data processor. GDPR requires you to have a written Data Processing Agreement (DPA) with each of them. This agreement must specify how the processor handles data, what security measures are in place, and what happens to the data when the relationship ends. Choosing vendors who take this seriously and who can provide their DPA without a fight is a meaningful compliance signal.
What Does GDPR Non-Compliance Actually Risk?
The consequences of GDPR violations in recruitment are real and documented across European jurisdictions.
Financial Penalties Up to €20M or 4% of Global Revenue
GDPR penalties are tiered. Serious violations, including unlawful processing of special category data or failure to respect candidates’ rights, can attract fines of up to €20 million or 4% of global annual revenue, whichever is higher. Lower-tier violations, such as inadequate record-keeping, carry fines of up to €10 million or 2% of global revenue. Even smaller penalties represent significant financial and reputational damage for most organisations.
Reputational Damage and Candidate Trust
Beyond financial penalties, a GDPR breach in your hiring process sends a signal to the talent market that your organisation does not protect personal data. In a competitive hiring environment, that reputational cost is harder to recover from than any fine. Candidates who trust that their data is handled responsibly are more likely to complete your application process, engage with your employer brand, and refer others.
How Does GDPR Apply to AI Video Interviewing?
AI video interviewing introduces specific GDPR considerations that go beyond standard resume handling.
Video Response Data as Personal Data Under GDPR
A candidate’s video interview response contains personal data by definition: their face, voice, and name. If your platform uses AI to analyse that video for tone, language patterns, or empathy signals, the resulting assessment data is also personal data derived from that individual. This means it is covered by GDPR and must be handled accordingly: stored securely, retained for defined periods, and deleted on request.
Consent Requirements Before AI Analysis of Candidate Responses
Where AI analysis goes beyond straightforward video playback into biometric or behavioural assessment (facial expression analysis, speech pattern scoring, emotional tone evaluation), GDPR’s special category provisions may apply. Explicit, informed consent is required before this type of processing takes place. Candidates must understand what the AI is assessing, how the output influences hiring decisions, and what their rights are regarding that data. Consent cannot be buried in a checkbox at the bottom of an application form.
How VidHirePro’s GDPR-Compliant Platform Protects Candidate Data
VidHirePro is built with GDPR compliance as a foundation, not an afterthought. Our platform includes clearly documented data retention controls, candidate consent workflows at the point of interview invitation, and transparent AI scoring that explains how assessments are generated. We provide a Data Processing Agreement for every enterprise engagement and support your team’s right-to-deletion processes with built-in data management tools. Review our full GDPR compliance policy to see the specifics of how we protect candidate data.
Frequently Asked Questions About GDPR in Recruitment
Does GDPR Apply to Candidates Who Apply From Outside the EU?
GDPR applies based on the location of the data subject, not the location of the data controller. If a candidate is physically located in the EU when they submit their application, even if the role is based elsewhere, GDPR applies to how you handle their data. If a candidate is located outside the EU, GDPR does not apply directly, though equivalent national laws may.
Can You Keep Rejected Candidates’ Data for Future Roles?
Yes, but only with explicit consent. If you want to retain an unsuccessful candidate’s profile for future opportunities, you must tell them so at the point of collection, explain how long you intend to keep it, and give them a clear mechanism to withdraw consent. Retaining data silently “just in case” a future role arises is a GDPR violation. Build this consent step into your rejection communications and make it easy for candidates to opt in or out.
GDPR compliance in hiring is not a burden to be minimised; it is a standard that reflects how seriously your organisation takes the privacy of the people it invites into its process. Build your workflows around it, choose vendors who support it, and communicate it clearly to every candidate who engages with your brand.
Ready to see how a GDPR-compliant video interviewing platform handles candidate data? Explore VidHirePro’s compliance features or get in touch with our team.