GDPR in recruiting - what you actually have to do (and what you don't)

Pragmatic GDPR practice for German-speaking HR teams - without lawyer language, with concrete thresholds.

GDPR
Recruiting
Compliance
Finn Glas, Co-Founder + Engineering
March 23, 2026 · 2 min read

Six concrete duties

What GDPR practically requires from you in recruiting comes down to six points. I list them here the way a data protection officer would check them in an audit.

Information before applying: what you store, how long, who has access, AI used yes/no.
Lawful basis: consent or legitimate interest - in recruiting usually consent plus pre-contractual.
Data minimisation: collect only what the role requires. No photo if not needed. No date of birth if not needed.
Retention: 6 months after rejection, then anonymise. Talent pool only with explicit extension.
Right of access: any candidate can request their data, you must deliver within 30 days.
Erasure: any candidate can request deletion at any time, you delete within reasonable time.

Three myths that waste a lot of time

Myth 1: 'We need a separate, hand-signed consent in a Word doc per application.' Wrong - the consent in the careers-page privacy notice is enough, as long as it's specific.

Myth 2: 'We have to keep everything for 10 years because of anti-discrimination law.' Wrong - 6 months after rejection is enough for the legal claim window. Longer retention needs a different legal basis.

Myth 3: 'AI in recruiting is forbidden.' Wrong - pre-sorting with a human making the decision is fine. What is forbidden is an automated decision with legal effect and no human involved.

What a modern ATS handles for you

Three of the six duties can be automated by an ATS. Information via a built-in GDPR clause on the careers page. Retention via a per-candidate retention window with auto-anonymisation on expiry. Right of access via self-service export. The other three (lawful basis, minimisation, erasure) remain human decisions, but the ATS helps keep them consistent.
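The retention and access duties above (6 months after rejection, then anonymise; talent pool only with an explicit extension; self-service export on request) are the ones an ATS can run on a schedule. The following is an added example of such a sweep, written for this page and not code from KI BMS or any other product. The Candidate fields, the sample records and the placeholder text are constructed; the only inputs taken from the post are the 6-month window and the rule that a talent-pool extension overrides it.

```python
import calendar
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional

# From the post: retain 6 months after rejection, then anonymise.
RETENTION_MONTHS = 6
# Constructed placeholder written into identifying fields after the window expires.
REDACTED = "[anonymised]"


@dataclass(frozen=True)
class Candidate:
    """Hypothetical ATS record; field names are assumptions for this example."""
    candidate_id: str
    name: str
    email: str
    phone: str
    cv_text: str
    role: str                              # kept after anonymisation (statistics only)
    rejected_on: Optional[date] = None     # None = application still open
    talent_pool_until: Optional[date] = None  # explicit, consented extension
    anonymised: bool = False


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic with day clamped to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_deadline(c: Candidate) -> Optional[date]:
    """Date after which the record must be anonymised; None while still open.
    A talent-pool extension the candidate agreed to pushes the deadline out."""
    if c.rejected_on is None:
        return None
    deadline = add_months(c.rejected_on, RETENTION_MONTHS)
    if c.talent_pool_until is not None and c.talent_pool_until > deadline:
        deadline = c.talent_pool_until
    return deadline


def anonymise(c: Candidate) -> Candidate:
    """Strip identifying fields; keep role and dates so reporting still works."""
    return replace(c, name=REDACTED, email=REDACTED, phone=REDACTED,
                   cv_text=REDACTED, anonymised=True)


def sweep(candidates: List[Candidate], today: date) -> List[Candidate]:
    """Nightly job: anonymise every record whose retention deadline has passed."""
    out = []
    for c in candidates:
        deadline = retention_deadline(c)
        if not c.anonymised and deadline is not None and today > deadline:
            out.append(anonymise(c))
        else:
            out.append(c)
    return out


def access_export(c: Candidate) -> dict:
    """Right of access: what the system holds on this person, plus how long."""
    deadline = retention_deadline(c)
    return {
        "candidate_id": c.candidate_id,
        "personal_data_held": not c.anonymised,
        "fields": {} if c.anonymised else
                  {"name": c.name, "email": c.email, "phone": c.phone, "cv": c.cv_text},
        "role": c.role,
        "retained_until": deadline.isoformat() if deadline else "application open",
    }


# Constructed sample data; the sweep date is the article's publication date.
SWEEP_DATE = date(2026, 3, 23)
SAMPLE = [
    Candidate("c1", "A. Example", "a@example.invalid", "+49 0", "cv A", "backend",
              rejected_on=date(2025, 8, 1)),                      # expired 2026-02-01
    Candidate("c2", "B. Example", "b@example.invalid", "+49 0", "cv B", "backend",
              rejected_on=date(2025, 11, 15)),                    # expires 2026-05-15
    Candidate("c3", "C. Example", "c@example.invalid", "+49 0", "cv C", "design",
              rejected_on=date(2025, 6, 10),
              talent_pool_until=date(2026, 12, 31)),             # extension keeps it
    Candidate("c4", "D. Example", "d@example.invalid", "+49 0", "cv D", "sales"),  # open
]

if __name__ == "__main__":
    for c in sweep(SAMPLE, SWEEP_DATE):
        print(access_export(c))
```

The sweep is pure (it returns new records rather than mutating), so it can be dry-run against a snapshot before the job is allowed to write, and the export function doubles as the audit view a data protection officer would ask for: whether personal data is still held and the exact date it is due to go.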

Written by Finn Glas, Co-Founder + Engineering

Finn is one of the Co-Founders. He owns the engineering side, the infrastructure, and most of the late-night fixes that ship before anyone notices.

Contact: finn.glas at aicuflow dot com