GDPR in Recruitment

The General Data Protection Regulation (GDPR) governs how organisations collect, process, store, and delete personal data — including the personal data of job candidates. Recruitment generates significant volumes of candidate data, and GDPR imposes specific obligations on how that data is handled from the moment a candidate submits an application.

How GDPR Applies to Recruitment

Every stage of a recruitment process involves the collection and processing of personal data: application forms, CVs, interview recordings, assessment scores, reference notes, and correspondence. GDPR requires that all of this processing has a lawful basis, that candidates are informed of how their data will be used, and that data is retained only for as long as necessary.

The lawful basis most commonly relied on in recruitment is legitimate interests — the employer has a legitimate interest in assessing candidates for a vacancy. For sensitive data (health information, criminal records), explicit consent or another specific legal basis is required. Consent as a general basis for ordinary recruitment processing is problematic: consent must be freely given, and the power imbalance in a hiring relationship makes this difficult to establish.

Candidate Rights

Candidates have the same GDPR rights as any other data subject: the right to access their personal data; the right to rectification of inaccurate data; the right to erasure ('right to be forgotten') in certain circumstances; the right to restrict processing; and the right to object to processing. In the recruitment context, a candidate who asks what data you hold about them, and what you did with it, is making a Subject Access Request, which must be fulfilled within one month.

Where automated decision-making or profiling is used — including AI-assisted scoring — candidates have the right not to be subject to decisions based solely on automated processing, and the right to request human review. This right is separate from but complementary to the EU AI Act's human oversight requirements.

Data Retention

GDPR requires that personal data is kept for no longer than necessary for the purpose for which it was collected. For recruitment, this means: data for successful candidates moves into employment records with a new and ongoing legal basis; data for unsuccessful candidates should be deleted or anonymised within a defined timeframe, typically three to six months after the process concludes.

Employers often want to retain candidate data for future vacancies — to build a talent pool. This requires separate, specific consent from the candidate, with a clear explanation of what data is retained, for how long, and for what purpose. Passive retention of all unsuccessful candidate data without a specific basis is non-compliant.

Video Interview Data Specifically

Video interviews generate particularly sensitive data: audio and video recordings of candidates, transcripts, AI-generated scores, and notes from reviewers. Each of these is personal data under GDPR. Recordings must be stored securely, access must be restricted to those with a legitimate need to review them, and they must be deleted within the standard retention window unless a specific legal basis for longer retention exists.

Candidates must be informed, before recording begins, what will be recorded, who will have access to the recording, whether AI will process it, and how long it will be retained. This disclosure should be part of the invitation to the video interview, not buried in a general privacy policy.

How Palantrix handles candidate data

Palantrix stores all candidate data — including video recordings, transcripts, and AI scores — on EU/Irish AWS infrastructure, ensuring data residency within the EEA. Candidates are informed about AI processing before their interview begins. Retention controls allow employers to set deletion schedules aligned with their GDPR obligations. Candidates can access their interview data through the Palantrix candidate portal, and access to recordings is restricted to permissioned hiring team members. The audit trail for every data processing decision is retained and accessible for compliance review.

Frequently Asked Questions

1. Can we keep candidate CVs on file for future roles without their consent?

No — not without a specific legal basis. Retaining CVs beyond the conclusion of the hiring process for which they were submitted requires either the candidate's explicit consent (with a clear explanation of what is retained and for how long) or another specific lawful basis. Passive retention of all CVs 'just in case' does not meet GDPR requirements.

2. How long can we retain interview recordings?

Most data protection authorities recommend three to six months for unsuccessful candidates, aligned with the window in which a candidate might reasonably bring a discrimination claim. For successful candidates, recordings may be retained as part of the employment record for the duration of employment. Specific retention policies should be documented and applied consistently.

3. Do candidates have the right to see their interview recording?

Yes, as part of a Subject Access Request under GDPR. A candidate can request access to all personal data held about them, including video recordings, AI scores, and reviewer notes. This is a significant practical consideration when using video interview platforms — ensure your platform can produce a candidate's full data record in a format that meets SAR obligations.

4. Does GDPR apply to candidates based outside the EU?

GDPR applies to the processing of data by organisations established in the EU, or to the data of individuals in the EU regardless of where processing takes place. If you are an EU-based employer hiring candidates in the EU, GDPR applies. If you are hiring internationally, the data of EU-resident candidates is subject to GDPR even if the role is based elsewhere.

5. How does GDPR interact with the EU AI Act in recruitment?

The two frameworks overlap and reinforce each other. GDPR gives candidates the right to human review of automated decisions and the right to access personal data. The EU AI Act adds specific transparency, audit, and oversight requirements for high-risk AI in employment contexts. Both apply simultaneously — compliance with one does not satisfy the other. Employers using AI in hiring must address both frameworks.