12 May 2026 · 8 min read · The Hirelylikely team

GDPR for hiring teams: the practical guide most ATS vendors hide

Article 6, Article 13, Article 15, Article 17 — translated from legalese into the four things you actually have to do.

If you hire in the EU, you process personal data. That puts you inside GDPR scope. Most ATS vendors hand you a 40-page legal PDF and call it compliance. Here's the actually-useful version, written for a recruiter who has 20 minutes.

What you have to do — in plain English

1. Have a legal basis (Article 6)

For recruitment, the basis most ATS vendors default to is consent: the candidate ticks a box that says "I agree to Hirelylikely processing my application data for the purpose of this role". Store the proof of consent: a timestamp, the exact wording they saw, and the version of the privacy policy they agreed to. An IP address is optional, and is itself personal data, so keep it only if you have a reason. Two caveats. Consent must be as easy to withdraw as it was to give (Article 7(3)), and once withdrawn you either have another basis or you stop processing. And because an applicant is in a weak bargaining position, some teams rely instead on Article 6(1)(b), processing necessary to take steps at the candidate's request before entering into a contract. Either is workable; what matters is that you pick one, write it down, and state it in the privacy notice.

For internal candidate sourcing (talent pools), the basis is usually legitimate interest, which means you have to document why your interest outweighs the candidate's privacy (a written legitimate interests assessment), put an expiry on the pool, and honour a candidate's right to object (Article 21). Be conservative here: a CV submitted for one role does not automatically become a talent-pool entry.

2. Tell them what you're doing (Article 13)

At the point of collection, your apply form must link to a privacy notice that says: who you are, what you're collecting, why and on what legal basis, for how long, who you share it with (including your ATS vendor and any country the data leaves the EU for), whether any automated screening or scoring is applied (Article 13(2)(f)), and how the candidate can exercise their rights. Standard issue. Bad ATSes bury this. Good ones put it next to the submit button.

3. Let them get their data back (Article 15)

A candidate can ask for a copy of everything you hold on them: not just the CV, but interview notes, scores, emails, the source the data came from, and the purposes and recipients. By law you have one month (Article 12(3)), extendable by two further months for complex requests if you tell the candidate why within the first month. In practice, if your ATS doesn't have a one-click export endpoint, you'll do this by hand across several systems and it'll suck. Make sure your tool ships this out of the box.

4. Let them be forgotten (Article 17)

A candidate can ask you to delete their data. The right is not absolute (Article 17(3) lets you keep what a legal obligation requires, for example records needed to defend a discrimination claim), but "we'd lose our funnel numbers" is not one of the exceptions, so an ATS that simply says no is putting you in the wrong. The other common failure is a hard delete, which trashes your analytics. The right pattern is anonymisation in place: the candidate's name, email, CV, and contact info are wiped, but the application row stays attached to the job. Your "we received 200 applicants for this role" number survives. Their identity doesn't. Two things to check when a vendor claims this: the wipe must be irreversible (setting the email column to a hash of the email is not anonymisation, because the hash can be re-derived from any candidate list), and it must reach every copy, including free-text interview notes, attachments, the search index, and backups within a stated window.
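Below is an added example of the export and anonymisation-in-place patterns from points 3 and 4, with the consent proof from point 1 kept alongside. It is illustration code written for this article, not Hirelylikely's product code or schema; the tables, the job id `eng-42`, the policy version and the three candidates are constructed. It uses only the Python standard library and an in-memory SQLite database, and it also shows the hard-delete pattern the text warns against so the difference in the funnel count is visible.

```python
"""Article 15 export and Article 17 anonymisation-in-place on a toy ATS schema.

Added example, not Hirelylikely's code. The schema, candidates, job id and
policy version are constructed for illustration. Standard library only.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE candidates (
    id            INTEGER PRIMARY KEY,
    full_name     TEXT,
    email         TEXT,
    phone         TEXT,
    cv_text       TEXT,
    anonymised_at TEXT                  -- set once the identity has been wiped
);
CREATE TABLE applications (
    id              INTEGER PRIMARY KEY,
    candidate_id    INTEGER NOT NULL REFERENCES candidates(id),
    job_id          TEXT    NOT NULL,
    stage           TEXT    NOT NULL,   -- applied / screened / rejected / hired
    applied_at      TEXT    NOT NULL,
    interview_notes TEXT                -- free text, routinely contains personal data
);
CREATE TABLE consents (                 -- Article 6 proof of consent
    id             INTEGER PRIMARY KEY,
    candidate_id   INTEGER NOT NULL REFERENCES candidates(id),
    purpose        TEXT NOT NULL,
    policy_version TEXT NOT NULL,
    given_at       TEXT NOT NULL
);
"""

# Constructed sample data: three applicants for one hypothetical role.
SAMPLE = [
    ("Ada Example", "ada@example.org", "+353 1 000 0001", "CV: 10y Python", "Strong on systems; shy in panel"),
    ("Bram Example", "bram@example.org", "+353 1 000 0002", "CV: 4y Go", None),
    ("Cleo Example", "cleo@example.org", "+353 1 000 0003", "CV: 7y Rust", "Asked about parental leave"),
]


def new_db():
    """Create the in-memory database and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for name, email, phone, cv, notes in SAMPLE:
        cid = conn.execute(
            "INSERT INTO candidates (full_name, email, phone, cv_text) VALUES (?, ?, ?, ?)",
            (name, email, phone, cv)).lastrowid
        conn.execute(
            "INSERT INTO applications (candidate_id, job_id, stage, applied_at, interview_notes) "
            "VALUES (?, 'eng-42', 'screened', '2026-04-01T09:00:00Z', ?)", (cid, notes))
        conn.execute(
            "INSERT INTO consents (candidate_id, purpose, policy_version, given_at) "
            "VALUES (?, 'application:eng-42', 'privacy-2026-03', '2026-04-01T09:00:00Z')", (cid,))
    conn.commit()
    return conn


def export_candidate(conn, candidate_id):
    """Article 15: everything held on the candidate, not just the CV."""
    cand = conn.execute("SELECT * FROM candidates WHERE id = ?", (candidate_id,)).fetchone()
    if cand is None:
        return None
    apps = conn.execute("SELECT job_id, stage, applied_at, interview_notes FROM applications "
                        "WHERE candidate_id = ?", (candidate_id,)).fetchall()
    cons = conn.execute("SELECT purpose, policy_version, given_at FROM consents "
                        "WHERE candidate_id = ?", (candidate_id,)).fetchall()
    return {"profile": dict(cand),
            "applications": [dict(a) for a in apps],
            "consents": [dict(c) for c in cons]}


def erase_candidate(conn, candidate_id, now=None):
    """Article 17 as anonymisation in place: wipe the identity, keep the funnel row.

    Returns True on the first erasure and False if the row was already anonymised.
    """
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    # Identifying columns go to NULL. Do NOT substitute a hash of the email:
    # it can be re-derived from any candidate list, so it is still personal data.
    changed = conn.execute(
        "UPDATE candidates SET full_name = NULL, email = NULL, phone = NULL, cv_text = NULL, "
        "anonymised_at = ? WHERE id = ? AND anonymised_at IS NULL", (now, candidate_id)).rowcount
    # Free-text notes are part of the identity too; the application row itself stays.
    conn.execute("UPDATE applications SET interview_notes = NULL WHERE candidate_id = ?",
                 (candidate_id,))
    # Consent rows are kept as an audit trail: they now point at a row with no identity.
    conn.commit()
    return changed == 1


def hard_delete_candidate(conn, candidate_id):
    """The pattern the text warns against: the funnel row disappears with the identity."""
    conn.execute("DELETE FROM applications WHERE candidate_id = ?", (candidate_id,))
    conn.execute("DELETE FROM consents WHERE candidate_id = ?", (candidate_id,))
    conn.execute("DELETE FROM candidates WHERE id = ?", (candidate_id,))
    conn.commit()


def applicants_per_job(conn):
    """The 'we received N applicants for this role' number."""
    rows = conn.execute("SELECT job_id, COUNT(*) AS n FROM applications GROUP BY job_id").fetchall()
    return {r["job_id"]: r["n"] for r in rows}


if __name__ == "__main__":
    db = new_db()
    print(applicants_per_job(db))              # {'eng-42': 3}
    erase_candidate(db, 1)
    print(export_candidate(db, 1)["profile"])  # name, email, phone, cv_text all None
    print(applicants_per_job(db))              # still {'eng-42': 3}
    hard_delete_candidate(db, 2)
    print(applicants_per_job(db))              # {'eng-42': 2}: analytics damaged
```

The `anonymised_at` guard makes erasure idempotent, so a second request from the same candidate (or a retry after a timeout) is a no-op rather than a fresh write, and the export function returns the same shape before and after erasure, which is what a candidate portal needs to show "here is what we still hold: nothing that identifies you".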

What you don't actually have to do

  • You don't need a DPO unless you're a public body or your core activities involve large-scale, regular monitoring of people or large-scale processing of special-category data (Article 37). An ordinary hiring pipeline doesn't get you there.
  • You don't need a fancy consent banner if your apply form has a clear, unticked opt-in checkbox next to the privacy notice.
  • You don't need to delete CVs the day after rejecting. Retention of 6-12 months for hiring records is generally defensible, as long as the period is stated in your privacy notice and something actually purges the data when it's up.
  • You don't need to ask for a candidate's consent every time you re-read their CV. The original consent covers the purpose it was given for. Considering them for a different role is a new purpose, and that's what your talent-pool basis is for.

The two questions that matter at vendor selection

When picking an ATS, ask:

  1. Where does the data live? EU-region storage is the easiest answer. If the answer is "US with SCCs", you're not breaking the law, but you're taking on the transfer paperwork (the SCCs plus a transfer impact assessment) and you need to name the transfer in your privacy notice. A vendor certified under the EU-US Data Privacy Framework is a third option with its own checks. Also ask where backups and support staff sit, since the region of the primary database is not the whole answer.
  2. Are Article 15 and Article 17 endpoints actually shipped? Not "on the roadmap", not "we can build it for you" — shipped, with a button a candidate can click in their portal, and covering attachments, interview notes and the search index, not just the profile row. If not, the manual burden falls on you.

Hirelylikely answers "Ireland" and "yes" to both. Most US-built tools answer "Virginia" and "we can do it manually". Pick accordingly.

Disclaimer

We're not lawyers. This is operational guidance, not legal advice. For a real edge-case or a regulator letter, talk to actual counsel.

Like the way we think? Try the product.

Free plan, no card, two minutes to set up.