
GDPR & Recruitment: 5 Costly Compliance Mistakes, and How to Avoid Them

Updated: 4 days ago

Hiring great talent is already tough—but get GDPR wrong in the process, and you could be on the hook for far more than just a missed hire.


We’ve all been there: a promising candidate drops out. An old CV resurfaces. A new hire asks how their data is being used—and you’re caught off guard. In recruitment, it’s not just about who you hire, but how you handle candidates, and their data, before, during, and after the process. And under the General Data Protection Regulation (GDPR), mishandling candidate data could land you in serious trouble.



In this article, we’ll unpack the hidden GDPR risks in recruitment, highlight real-life cases that led to six-figure fines, and show you how to fix the gaps before they cost you more than your reputation.


Whether you're working hand-in-hand with your internal data protection officer, or navigating compliance with external partners, one thing’s for sure: privacy mistakes in hiring are more common—and more costly—than you think.



GDPR & Recruitment: Why It's a Risky Zone


Recruitment feels like a fast-paced funnel—but it’s also a data minefield.


Every job application brings with it a package of personal data: resumes, cover letters, work history, education records, even personal references. And when you’re handling hundreds—or thousands—of these profiles, it’s easy to overlook the fine print of data protection.


So, what exactly is “personal data” in recruitment?


Think:

  • Full names, addresses, and emails

  • Employment history, education details

  • Date of birth, nationality, and even photos

  • Notes from interviews or internal evaluations

  • Data pulled from social platforms like LinkedIn


Now ask yourself: Do you really need all of it? For how long? And who else has access to it?

Under the GDPR, you need a clear legal basis to process each piece of candidate data. Usually, that means:


  • Consent – for talent pools or marketing updates

  • Legitimate interest – for assessing a candidate's fit

  • Contractual necessity – to prepare job offers or contracts


Get it wrong, and you’re not just losing trust. You could be facing serious fines.



5 Common GDPR Mistakes in Recruitment (and How to Fix Them)


Let’s dive into the mistakes recruitment teams make again and again—and how to avoid being the next headline (for the wrong reason).


1. Vague or Missing Privacy Notices


  • The Mistake: You’ve launched a sleek career page. But your privacy notice? Blurry, outdated, or worse—nonexistent.


  • Why it’s risky: GDPR demands transparency. The harder it is for candidates to understand what information you collect, why, and for how long, the higher the risk of being in breach.


  • Real-world tip: Write a human-readable privacy notice. Make it visible at every candidate touchpoint—application forms, interview invites, even rejection emails.


2. Holding Onto Candidate Data Forever


  • The Mistake: “We might need this candidate later.” Sound familiar? You end up with a database of resumes from five years ago.


  • Why it’s risky: GDPR says you can’t keep data longer than necessary. And "just in case" isn’t a valid reason.


  • Case Study: A.D.C.P. Sp. z o.o. in Poland kept a rejected applicant’s data after the recruitment ended. The Polish DPA reprimanded them, and the Supreme Administrative Court ruled that candidate data can only be kept for a set legal period (like for potential discrimination claims), not indefinitely.


  • Lesson: Define your data retention policy. 6–12 months post-application is often enough. After that, delete or get explicit consent from the candidates to store their data for longer.


3. Collecting More Than You Need


  • The Mistake: You ask for date of birth, nationality, or even marital status before the first interview.


  • Why it’s risky: GDPR follows the principle of data minimization. If you don’t need it, don’t collect it—especially not in the early stages.


  • Fix it fast: Only request essential information. And review your forms regularly—are there any outdated fields you could remove?


4. Adding Candidates to Talent Pools Without Consent


  • The Mistake: A great candidate doesn’t make the cut—but you still add them to your CRM for future roles.


  • Why it’s risky: The candidate only gave consent for that specific role. GDPR requires clear, informed opt-in—no auto-check boxes or hidden clauses allowed.


  • What to do: Ask explicitly if they want to be added to your talent pool. Make it easy to opt out. Keep a record of their choice.


5. Using Recruitment Tools That Aren’t GDPR-Compliant


  • The Mistake: You’re using an ATS, screening software, or AI-powered recruiter without checking its data practices.


  • Why it’s risky: If your vendor doesn’t comply with GDPR, you’re still responsible as the data controller.


  • Case Study: In 2020, French startup Videofutur was warned by CNIL for using a video interview tool with facial analysis features without proper candidate consent. The company, not just the tech vendor, was held responsible for unlawful profiling.


  • Lesson: Always ensure your recruitment tools are GDPR-compliant and get explicit consent before processing sensitive data. As the data controller, you’re responsible for your vendors’ practices.


  • Quick win: Regularly audit your tools, secure signed Data Processing Agreements (DPAs), and confirm candidate data stays within the EU or is transferred legally.



When GDPR Mistakes Get Real: A Few More Stories


Case: Overcollection in Screening

A Dutch firm was warned for collecting personal references and criminal record data during early-stage screening, without informing the candidate. The Dutch DPA emphasized that such sensitive data must be handled with heightened care and only when necessary.


Case: No Right to Access Process

An EU-based tech company failed to respond to a candidate’s data access request within the legal timeframe. The candidate escalated the issue, and the company was fined €15,000 for non-cooperation.

These aren’t edge cases—they’re preventable slip-ups from companies that didn’t prioritize data privacy in hiring.



The Fix: Practical GDPR Recruitment Checklist


Want to get compliant without slowing down hiring? Here’s your starting point.


Your Privacy Notice Should Cover:

  • What data you collect and why

  • Legal basis for processing

  • Who you share it with

  • Retention periods

  • Candidate rights and how to contact your DPO


Set a Smart Data Retention Policy

  • 6–12 months for standard applications

  • Longer only with explicit consent

  • Automate deletion reminders in your ATS


Consent vs. Legitimate Interest—Know the Line

  • Consent for talent pools, marketing, or storing data for a longer period

  • Legitimate interest for core recruitment functions (but document your justification!)


Choose your recruitment tech wisely

  • Ask where the candidate data is hosted

  • Ensure tools allow for deletion, access requests, and DPAs

  • Don’t assume popular = compliant


Train Hiring Managers

  • Do they know what’s considered sensitive data?

  • Are they documenting feedback properly?

  • Are interview notes stored securely?



Final Thoughts: Privacy as a Competitive Advantage


Let’s be real—GDPR isn’t just about bureaucracy. It’s about trust. The way you handle candidate data says a lot about how you’ll handle employees once they join.

Being privacy-first in recruitment isn’t a blocker—it’s a brand builder. Candidates notice. So do future clients and partners.


Whether you're growing fast or scaling sustainably, partnering with a compliance expert who understands both data protection and business growth can help you future-proof your hiring process.


Curious how other companies build GDPR-compliant recruitment journeys without losing speed or flexibility?


1 Comment


This piece offers a crucial reminder: GDPR compliance in recruitment isn't optional. Mishandling candidate data—even unintentionally—can lead to serious consequences. For more on avoiding background screening missteps, visit: https://rapidhiresolutions.com/background-check-mistakes/.


Created by Inês Oliveira © 2024 Avomind GmbH - All Rights Reserved
