Guides

GDPR checklist for recruiting 2026 - clean, step by step

An honest mandatory checklist for German HR teams. No lawyer language, no 'might possibly' - just: do this, don't do that.

GDPR
Compliance
Guide
Finn Glas, Co-Founder + Engineering · January 5, 2026 · 2 min read

Key takeaways

Retention 6 months from rejection; longer with consent in the talent pool.
Inform candidates about data use and AI involvement before they apply, not after.
No auto-decisions without human review (Art. 22 GDPR).
30-day right to information + one-click export. KI BMS does this by default.
Step by step
1. Set retention

Default 6 months from rejection. Per candidate you can extend with consent. Anonymisation at end of window is automatic.
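The retention rule in this step is the one control that has to run unattended, so here is what it looks like as a scheduled job. This is an added example, not code from KI BMS; the record layout, the field names and the sample candidates are assumptions constructed for the illustration. It computes the end of the window as six calendar months from rejection, lets a talent-pool consent date extend that window, anonymises only records past the window, and writes an audit entry for each anonymisation so step 5's "who changed what when" also covers automated changes.

```python
import calendar
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional

RETENTION_MONTHS = 6  # default window from the checklist: 6 months from rejection


@dataclass
class Candidate:
    """Hypothetical candidate record; the shape is an assumption, not KI BMS's schema."""
    candidate_id: str
    name: str
    email: str
    rejected_at: Optional[date]          # None while the application is still open
    consent_until: Optional[date] = None  # talent-pool consent may extend the window
    anonymised: bool = False


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; clamps to month end (31 Aug + 6 months -> 28 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_end(c: Candidate) -> Optional[date]:
    """Last day the personal data may be kept; None while no rejection exists."""
    if c.rejected_at is None:
        return None
    default_end = add_months(c.rejected_at, RETENTION_MONTHS)
    # Consent only ever extends the window; it can never shorten the legal default.
    if c.consent_until is not None and c.consent_until > default_end:
        return c.consent_until
    return default_end


def is_due(c: Candidate, today: date) -> bool:
    """True when the window has closed and the record is not yet anonymised."""
    end = retention_end(c)
    return (not c.anonymised) and end is not None and today > end


def anonymise(c: Candidate) -> Candidate:
    """Strip the identifying fields but keep the record so statistics still work."""
    return replace(c, name="[anonymised]", email="[anonymised]", anonymised=True)


def run_retention_job(records: List[Candidate], today: date, audit_log: list) -> List[Candidate]:
    """Apply the retention rule to every record and log each automated change."""
    result = []
    for c in records:
        if is_due(c, today):
            c = anonymise(c)
            audit_log.append({
                "at": today.isoformat(),
                "actor": "retention-job",      # automated actor, visible in the audit log
                "action": "anonymise",
                "candidate_id": c.candidate_id,
            })
        result.append(c)
    return result


# Constructed sample data for the demonstration.
SAMPLE = [
    Candidate("c1", "Alice Example", "alice@example.test", date(2025, 6, 1)),
    Candidate("c2", "Bob Example", "bob@example.test", date(2025, 6, 1), consent_until=date(2026, 6, 30)),
    Candidate("c3", "Cara Example", "cara@example.test", None),
    Candidate("c4", "Dan Example", "dan@example.test", date(2025, 9, 1)),
]

if __name__ == "__main__":
    log: list = []
    for rec in run_retention_job(SAMPLE, date(2026, 1, 5), log):
        print(rec.candidate_id, rec.anonymised, retention_end(rec))
    print(log)
```

Run against the sample on 5 January 2026, only the first record (rejected 1 June 2025, no consent) is anonymised; the second is kept because consent extends its window, the third has no rejection yet, and the fourth is still inside its six months.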

2. GDPR notice on the form

Plain language: 'Your data is stored for the application and anonymised after 6 months. AI pre-sorting is used; a human always decides.' No 14 pages; one paragraph is enough.

3. Data minimisation pass

Look at your application form. Do you really need date of birth, photo, marital status? If not, remove them. For every field you ask for, you must be able to justify why.

4. Right-to-information process

If someone asks 'what data do you have on me?', it must be answered within 30 days. One-click export on the candidate detail page suffices.

5. Turn on audit log

On by default in KI BMS. It records who changed what and when, which is the only answer to 'who decided this?' that holds up under anti-discrimination law.

6. Rejection template with concrete reason

A concrete, factual rejection is legally safer than a vague one. Template: 'For this role we need 3+ years Python backend; your focus is frontend.' Concrete > nice.

What GDPR really requires in recruiting

Four core principles. One - lawful basis (typically consent or pre-contractual steps). Two - purpose limitation: application data is used only for application purposes. Three - data minimisation: don't ask for more than needed. Four - retention limit: don't keep data longer than needed.

Plus two procedural duties: information before collection, and access on request. The rest are special cases (special categories such as health data, third-country transfers, etc.).

What to do in the first 30 minutes

Six steps. Each takes under 5 minutes in a modern ATS. In KI BMS most defaults are already right; you just have to check them once.

Try KI BMS

Free plan, no credit card. We host in Germany. You can export and delete everything self-serve.

Written by Finn Glas, Co-Founder + Engineering

Finn is one of the Co-Founders. He owns the engineering side, the infrastructure, and most of the late-night fixes that ship before anyone notices.

finn.glas at aicuflow dot com