Personal data in recruitment: what's covered
Types of personal data in recruitment
| Category | Examples | Status |
|---|---|---|
| Identity | Name, surname, photo | Collection authorised (necessary) |
| Contact | Email, phone, address | Collection authorised (necessary) |
| Career | CV, diplomas, experience | Collection authorised (necessary) |
| Evaluations | Interview notes, tests, reviews | Collection authorised (necessary) |
| Compensation | Current salary, salary expectations | Collection authorised (if relevant) |
| Ethnic origin | Any information revealing racial or ethnic origin | FORBIDDEN in all circumstances |
| Health | Illnesses, disability, medication | FORBIDDEN (except medical fitness) |
| Religion / politics | Beliefs, union membership | FORBIDDEN |
Legal obligations: the 4 pillars
1. Legal basis for processing
   To process candidate data, you need a legal basis. The most common is legitimate interest (recruiting is a legitimate interest of the company). Consent is rarely appropriate because of the power imbalance between employer and candidate.
2. Informing candidates
   Informing candidates is mandatory. The minimum content includes: the identity of the data controller, the purposes of processing, the recipients, the retention period, the candidate's rights and the DPO's contact details if applicable. Where to inform:
   - Mention in the job advert
   - Link to the privacy policy
   - Mention in the application receipt
3. Limited retention period
   General rule: no longer than necessary. Data of rejected candidates must not be kept indefinitely.
4. Respect candidate rights
   Any candidate can exercise the rights of access, rectification, erasure, objection, data portability and restriction of processing. Response time: 1 month maximum.
Recommended retention periods
| Situation | Recommended period | After that |
|---|---|---|
| Rejected candidate | 2 years max after last contact | Deletion or anonymisation |
| Hired candidate | Contract duration + legal archives | HR file archiving |
| CV database / pool | 2 years with consent renewal | Deletion or re-consent |
Best practices vs mistakes to avoid
Best practices:
- Minimise collected data (only what is necessary)
- Secure data (restricted access, encryption)
- Inform candidates at the time of application
- Document processes (record of processing activities, mandatory above 250 employees)
- Train teams on GDPR rules
- Implement a regular purge process
Mistakes to avoid:
- Collecting forbidden data (religion, health, political views)
- Keeping CVs indefinitely without a purge procedure
- Sharing applications without prior information to the candidate
- Making automated decisions without human intervention
- Storing data on unsecured tools (personal Dropbox, Gmail)
- Ignoring requests to exercise rights
GDPR information notice model
Sanctions for non-compliance
CNIL sanction levels
| Level | Sanction | Example |
|---|---|---|
| Compliance order | Obligation to comply | Absence of information notice |
| Warning | Possible publication (name and shame) | Non-compliance with retention periods |
| Fine | Up to 20 M€ or 4% of global turnover | Collection of forbidden data |
GDPR compliance checklist recruitment
- Recruitment privacy policy drafted: before any recruitment
- Information notice in adverts: systematic from publication
- Retention periods defined: 2 years max for rejected candidates
- Deletion process in place: automatic or periodic manual purge
- Receipt with GDPR mention: for each application received
- Restricted access to candidate data: only relevant people
- Rights exercise response procedure documented: max 1 month deadline
GDPR recruitment FAQ
- Can you check a candidate's LinkedIn profile?
- Is appointing a DPO (Data Protection Officer) mandatory?
- Must a recruitment ATS (software) be GDPR compliant?
- What to do if a candidate requests data deletion?
Recruit in compliance with Aurelia
Aurelia was designed with GDPR in mind: 100% EU hosting, configurable retention periods, easy deletion, DPA signed with all sub-processors.
