
GDPR and Recruitment: What Your ATS Must Handle (And What Exposes You)

GDPR compliance for recruitment agencies goes well beyond cookie banners. Here are the specific obligations your ATS must meet, and the gaps that create real regulatory exposure.

Andreas Gruber

GDPR is seven years old and most recruitment agencies are still not fully compliant. Not because they are careless — because the obligations are specific, the tooling implications are significant, and "we have a privacy policy on the website" is not the same as a compliant recruitment operation.

Here is what compliance actually requires for a recruitment agency, and where the gaps typically live.

The four obligations that create the most exposure

Lawful basis documentation per candidate record

Every candidate record must have a documented lawful basis under Article 6. For active applicants this is typically the steps taken at the candidate's request before entering a contract (Article 6(1)(b)) or legitimate interest (Article 6(1)(f)): they applied, so processing their application is expected. For talent pool candidates who did not apply but were identified through sourcing, consent is the usual basis; an agency relying on legitimate interest instead needs a documented balancing test and must still inform the candidate under Article 14 that their data is being held.

The gap: most ATS platforms do not capture and display the lawful basis per record. If you cannot show an auditor the lawful basis for every record in your database, you cannot demonstrate compliance.

Right to erasure with documented execution

When a candidate requests deletion of their data, you must be able to execute it fully, across all fields, all notes, all communications, all assessments and any exports, and document that it was done. "I deleted their CV" is not sufficient. Every record associated with that individual must be anonymized or removed, with an audit entry confirming the action. The one thing you may legitimately keep is a minimal suppression record (an internal ID and the erasure date), so the same person is not re-sourced into the database next month.

The gap: most ATS platforms do not have a one-click anonymization feature that touches all associated data. Manual erasure across multiple record types is error-prone and leaves a compliance gap.

Retention policies enforced as a system

GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data is not retained beyond the purpose for which it was collected. For active candidates, the retention window is the hiring process plus a reasonable legal buffer for discrimination or equal-treatment claims (typically 6-12 months, depending on the national limitation period). For passive talent pool candidates, annual consent renewal is best practice.

The gap: retention is almost universally managed manually in recruitment ATS platforms. Someone is supposed to delete old records. No one does it systematically.

Data residency

Candidate data of individuals in the EU processed on US servers without an adequate transfer mechanism (Standard Contractual Clauses, an adequacy decision such as the EU-US Data Privacy Framework for certified companies, or Binding Corporate Rules) is non-compliant. This affects any ATS that stores data in AWS US-East or equivalent US data centers, which includes many American-headquartered platforms, unless the vendor offers EU-region hosting and covers any remote access from the US by one of those mechanisms. Remote access by support staff counts as a transfer, so hosting location alone does not settle the question.

Pickr stores data in Zurich, Switzerland. Switzerland is not in the EU/EEA, but it is covered by an EU adequacy decision, so transfers from the EU to Switzerland are permitted without additional safeguards.

What your ATS needs to have natively

  • One-click candidate anonymization (all fields, all records, audit entry)
  • Lawful basis captured per candidate record
  • Configurable retention policies with automated expiry flags
  • Full data export for candidate right-of-access requests
  • Audit trail of all data access and modifications
  • Data residency within EU/EEA or Switzerland

If your current ATS requires manual processes for any of these, you have compliance gaps that are manageable now and expensive later.
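The erasure and retention requirements above are concrete enough to show as code. The following is an added illustration written for this article, not Pickr's code or any real ATS: a minimal in-memory model with one table per record type that can carry personal data, an erasure routine that touches every associated row and writes a single audit entry, a post-erasure check for residual personal data, and a retention job that flags records by lawful basis. The record types, field names, lawful-basis labels and the 365-day windows are assumptions for the example, and the candidates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed windows for the example: the article says "typically 6-12 months"
# for closed processes and "annual renewal" for consent-based talent pool records.
ACTIVE_RETENTION = timedelta(days=365)
CONSENT_VALIDITY = timedelta(days=365)


@dataclass
class Candidate:
    id: str
    name: str
    email: str
    lawful_basis: Optional[str]  # "pre_contract", "legitimate_interest", "consent" or None
    process_closed_on: Optional[date] = None  # None while a process is still open
    consent_given_on: Optional[date] = None
    anonymised: bool = False


@dataclass
class Store:
    """One table per record type that can hold personal data, plus an audit log."""
    candidates: dict = field(default_factory=dict)
    notes: list = field(default_factory=list)        # rows: {"candidate_id", "text"}
    messages: list = field(default_factory=list)     # rows: {"candidate_id", "subject", "body"}
    assessments: list = field(default_factory=list)  # rows: {"candidate_id", "score", "comments"}
    audit: list = field(default_factory=list)

    def rows_for(self, candidate_id):
        """Every associated row across every record type, not just the CV."""
        for kind in ("notes", "messages", "assessments"):
            for row in getattr(self, kind):
                if row["candidate_id"] == candidate_id:
                    yield kind, row

    def anonymise(self, candidate_id, actor, today):
        """Right to erasure: overwrite every field on every associated row,
        then record what was touched so the action can be evidenced later."""
        c = self.candidates[candidate_id]
        c.name, c.email, c.anonymised = "[erased]", f"erased-{candidate_id}@invalid", True
        touched = {"candidate": 1, "notes": 0, "messages": 0, "assessments": 0}
        for kind, row in self.rows_for(candidate_id):
            for key in row:
                if key != "candidate_id":  # keep the link, drop the content
                    row[key] = "[erased]"
            touched[kind] += 1
        self.audit.append({"on": today, "actor": actor, "action": "erasure",
                           "candidate_id": candidate_id, "touched": touched})
        return touched

    def residual_hits(self, candidate_id, *needles):
        """Post-erasure check: names of record types still containing an original value."""
        hits = []
        c = self.candidates[candidate_id]
        if any(n in (c.name, c.email) for n in needles):
            hits.append("candidate")
        for kind, row in self.rows_for(candidate_id):
            if any(n in str(v) for n in needles for v in row.values()):
                hits.append(kind)
        return hits

    def retention_flags(self, today):
        """Storage limitation enforced as a scheduled job rather than a reminder."""
        flags = []
        for c in self.candidates.values():
            if c.anonymised:
                continue
            if c.lawful_basis is None:
                flags.append((c.id, "no_lawful_basis"))
            elif c.lawful_basis == "consent":
                if c.consent_given_on is None or today - c.consent_given_on > CONSENT_VALIDITY:
                    flags.append((c.id, "consent_renewal_due"))
            elif c.process_closed_on and today - c.process_closed_on > ACTIVE_RETENTION:
                flags.append((c.id, "retention_expired"))
        return flags


def build_sample_store():
    """Constructed sample data for the example; these are not real candidates."""
    s = Store()
    s.candidates["c1"] = Candidate("c1", "Jane Doe", "jane@example.com", "pre_contract",
                                   process_closed_on=date(2024, 1, 15))
    s.candidates["c2"] = Candidate("c2", "Max Muster", "max@example.org", "consent",
                                   consent_given_on=date(2023, 6, 1))
    s.candidates["c3"] = Candidate("c3", "Ana Lima", "ana@example.net", None)  # basis never recorded
    s.candidates["c4"] = Candidate("c4", "Tom Fry", "tom@example.com", "pre_contract")  # process open
    s.notes.append({"candidate_id": "c1", "text": "Jane Doe: strong Go, weak on K8s"})
    s.messages.append({"candidate_id": "c1", "subject": "Interview", "body": "Hi Jane Doe, ..."})
    s.assessments.append({"candidate_id": "c1", "score": 82, "comments": "See jane@example.com thread"})
    s.notes.append({"candidate_id": "c2", "text": "Sourced via LinkedIn"})
    return s


if __name__ == "__main__":
    store = build_sample_store()
    print("retention flags:", store.retention_flags(date(2025, 3, 1)))
    print("touched:", store.anonymise("c1", actor="dpo@agency.example", today=date(2025, 3, 1)))
    print("residual:", store.residual_hits("c1", "Jane Doe", "jane@example.com"))
```

The design point is the split between the erasure routine and the residual check: the routine is what an ATS ships as "one-click anonymisation", and the check is what you run afterwards (and what an auditor will ask for) to prove that no note, message or assessment still carries the person's name or address. The retention job deliberately flags a missing lawful basis as its own condition, because a record with no basis has no retention window to compute.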

Frequently Asked Questions

Do recruitment agencies need to comply with GDPR?

Yes. Any agency that is established in the EU, or that processes personal data of individuals in the EU, must comply with GDPR regardless of where the agency is headquartered (Article 3). Candidate data (CVs, interview notes, assessment results, communications) is among the most sensitive personal data an agency holds, and some of it, such as health or trade union information that appears in a CV, is special category data under Article 9 with stricter conditions.

How long can a recruitment agency keep candidate data?

Active application data: duration of the process plus 6-12 months of legal retention, depending on the national limitation period for claims. Talent pool data (candidates not actively in a process): the common benchmark is annual renewal of consent. Data retained beyond these windows without a documented basis is a compliance risk.

What are the GDPR risks for recruitment agencies specifically?

Retaining candidate data without a documented lawful basis, failure to execute right-to-erasure requests completely, storing EU candidate data on US servers without an adequate transfer mechanism, and lack of audit trails for data access. Fines of up to €20 million or 4% of global annual turnover, whichever is higher, apply under Article 83(5).


Andreas Gruber

Founder of Pickr and ScalingPPL. Former recruiter who placed engineers and operators into European startups and scale-ups for four years before building the tool he wished had existed.
