GDPR, Privacy and Security in Recruitment AI

Updated: March 23, 2026 | 7 min.

Why privacy in recruitment is not an afterthought

Recruiters work with sensitive data every day: CVs, conversation transcripts, salary expectations, personal preferences, and sometimes even medical information. One data breach and you're in the news. One GDPR violation and you risk fines up to 4% of your annual turnover.

Yet many recruitment teams treat privacy as a checkbox. They have a privacy statement on the website, ask for consent, and think that's enough. It's not.

In this article, you'll learn what the GDPR actually requires when you use AI and automation in your recruitment process. No legal jargon, but practical guidelines you can apply immediately.

GDPR in recruitment: the basics

The General Data Protection Regulation (GDPR) sets requirements for how you collect, process, and store personal data. For recruitment, there are a few core principles:

Purpose limitation

You may only collect personal data for a specific, defined purpose. In recruitment: assessing a candidate's suitability for a specific role. You may not use that data for other purposes, such as marketing or profiling.

Data minimization

Collect only what you need. A resume and cover letter: fine. The social media profile of the candidate's partner: no. This principle is often violated out of curiosity, not malice.

Retention periods

You may not store candidate data indefinitely. After the procedure ends, you must delete the data, unless the candidate gives consent for inclusion in a talent pool. The standard retention period is four weeks after rejection, extendable to one year with consent.

Right of access and deletion

Candidates have the right to know what data you have about them, and to request deletion. You must respond within one month.

AI and GDPR: the extra layer

When you deploy AI in recruitment, additional obligations apply. The GDPR is clear about this:

Automated decision-making: Article 22 of the GDPR gives individuals the right not to be subject to decisions based solely on automated processing. In practice: you may not let AI be the sole decision-maker on whether a candidate advances to the next round.

Transparency: You must inform candidates that you use AI in the selection process. What does the AI do? On what basis does it make assessments? How are those assessments used?

Data Protection Impact Assessment (DPIA): When you deploy AI for assessing candidates, you're obligated to conduct a DPIA. This is a risk analysis that describes what data you process, why, and what protective measures you take.

Transparency at Simply is not an abstract concept. Every AI-generated observation refers back to the exact moment in the conversation. Candidates (and regulators) can always verify how an assessment was formed.

The EU AI Act: what's new in 2025

In addition to the GDPR, you'll be dealing with the EU AI Act in 2025. This law classifies AI systems for recruitment and selection as 'high risk.' That means:

  • Mandatory conformity assessment for AI systems used in recruitment
  • Requirements for training data quality (no bias)
  • Mandatory logging of AI decisions
  • Human oversight of all AI decisions
  • Transparency requirements toward users and affected parties

If you're already using AI tools, start mapping your compliance now. Don't wait until enforcement begins.

Practical checklist for GDPR-compliant recruitment

Here's a checklist you can use immediately:

Before the conversation

  • Inform candidates about the use of AI and recording tools
  • Obtain explicit consent for recording conversations
  • Document what data you collect and why
  • Review your processing agreements with all tools you use

During the conversation

  • Only record with consent
  • Store data in GDPR-compliant systems
  • Limit access to recordings and summaries to authorized persons

After the conversation

With AI summaries, conversations are summarized automatically. A summary contains only information relevant to the assessment, not personal details that have no bearing on it.

  • Share summaries only with stakeholders in the selection process
  • Delete recordings and data after the retention period
  • Document the selection process (in case a candidate requests access)

Common mistakes

1. No processing agreement with your tool providers

Every tool that processes candidate data (your ATS, your recording tool, your AI assistant) is a processor. You must have a processing agreement. No exception.

2. Keeping data 'just in case'

'We keep it in case the candidate applies again later.' That's not a valid legal basis. Without explicit consent, you must delete the data after the retention period.

3. Using AI without informing candidates

Many teams use AI tools without mentioning this to candidates. That's a violation of the transparency obligation. Include it in your privacy statement and mention it in the interview invitation.

4. Not conducting a DPIA

If you use AI for assessing candidates, you must conduct a DPIA. Many organizations skip this because it's 'too complicated.' But it's mandatory, and the consequences of not doing it are bigger than the effort of doing it.

Security: more than a password

GDPR compliance isn't just about policy. It's also about technical security. Candidate data must be protected against unauthorized access, data breaches, and loss.

Enterprise-grade security at Simply includes:

  • GDPR-compliant data processing
  • ISO 27001 certification
  • Encryption of data in transit and at rest
  • Role-based access control
  • Regular security audits and penetration tests

These aren't nice-to-haves. These are the minimum requirements for any tool that processes candidate data.

The role of the Data Protection Officer (DPO)

If your organization has a DPO, involve them in your recruitment technology choices. Not after the fact, but upfront. The DPO can help you with:

  • Conducting a DPIA
  • Reviewing processing agreements
  • Drafting a privacy statement that meets requirements
  • Advising on retention periods and legal bases

Don't have a DPO? Then this is a good time to consider whether you need one. For large-scale processing of special categories of personal data (which is what recruitment involves), a DPO is often mandatory.

International recruiting: extra complexity

Recruiting candidates outside the EU? Then you'll face additional rules around data transfers to third countries.

  • Data transfers to the US: possible via the EU-US Data Privacy Framework, but keep following developments
  • Data transfers to the UK: based on adequacy decision, but the UK may set its own rules
  • Data transfers to other countries: Standard Contractual Clauses (SCCs) are usually needed

Tools that process your candidate data must be transparent about where data is stored. Integrations with your existing systems ensure data isn't unnecessarily copied to additional locations.

Candidate trust as competitive advantage

Privacy isn't just compliance. It's also trust. Candidates who trust that you handle their data carefully are more honest in conversations, more engaged in the process, and more positive about your brand.

How do you build that trust?

  • Be proactively transparent (tell what you do before they ask)
  • Give candidates control (show them what data you have and let them choose)
  • Respond quickly to access requests
  • Treat data as something that belongs to the candidate, not to you

Practical steps for GDPR-compliant AI use

Many agencies want to use AI but hesitate over privacy implications. The most important step is informing the candidate. Explain upfront that the conversation will be recorded, what the recording will be used for, and how long it will be stored. This can be done with a standard statement at the beginning of each conversation.

On top of that, it's important to have a data processing agreement with your AI provider. This document specifies where data is stored, who has access, and what happens when the contract ends. Simply offers this as standard. All data is processed within the EU, stored encrypted, and automatically deleted after the agreed retention period. ISO 27001 certification guarantees that these processes are not just documented but are actually verified by an independent auditor.