Guides

GDPR checklist for recruiting 2026 - clean, step by step

An honest mandatory checklist for German HR teams. No lawyer language, no 'might possibly' - just: do this, don't do that.

GDPR
Compliance
Guide
Finn Glas, Co-Founder + Engineering · June 28, 2026 · 5 min read · Updated

Key takeaways

Retention 6 months from rejection; longer with consent in the talent pool.
Inform before application about data use and AI involvement, not after.
No auto-decisions without human review (Art. 22 GDPR).
30-day right to information + one-click export. KI BMS does this by default.
The 6 months aren't a hunch: the AGG complaint window (§ 15 (4) AGG) runs 2 months, plus a buffer for litigation and postal time, hence 6.
Step by step
1. Set retention

Default 6 months from rejection. Per candidate you can extend with consent. Anonymisation at the end of the window is automatic.

2. GDPR notice on the form

Plain language: 'Your data is stored for the application and anonymised after 6 months. AI pre-sorting is used; a human always decides.' No 14 pages, one paragraph is enough.

3. Data minimisation pass

Look at your application form. Do you really need date of birth, photo, marital status? If not, remove them. For every field you ask for, you must be able to justify why.

4. Right-to-information process

If someone asks 'what data do you have on me?', it must be answered within 30 days. A one-click export on the candidate detail page suffices.

5. Turn on the audit log

On by default in KI BMS. Who changed what, and when: the only answer that holds under anti-discrimination law to 'who decided this?'.

6. Rejection template with a concrete reason

A concrete, factual rejection is legally safer than a vague one. Template: 'For this role we need 3+ years Python backend; your focus is frontend.' Concrete > nice.

What GDPR really requires in recruiting

Four core principles. One - lawful basis (typically: consent or pre-contract). Two - purpose limitation: application data only for application purposes. Three - data minimisation: don't ask for more than needed. Four - retention limit: don't keep data longer than needed.

Plus two procedural duties: information before collection, access on request. The rest are special cases (special categories like health, third-country transfer, etc.). A practical breakdown is in our article GDPR in recruiting - what you actually have to do.

In concrete articles: the lawful basis for the normal procedure is Art. 6(1)(b) GDPR (pre-contract), flanked by § 26(1) BDSG as the employee-data norm. Important in 2026: the ECJ (C-34/21) declared § 26 BDSG partly incompatible with EU law, so the safe footing is directly on Art. 6(1)(b) + Art. 88 GDPR. Special data (photo, health) falls under Art. 9, information under Art. 13/14, access under Art. 15 (deadline: 1 month), erasure under Art. 17, the auto-decision ban under Art. 22, the DPA under Art. 28, the record of processing under Art. 30, the technical/organisational measures under Art. 32.

Why exactly 6 months - not 'eventually'

The most-asked question has a clean answer. A rejected applicant can claim discrimination compensation under § 15(4) AGG within 2 months. If it goes to court you need the application file as evidence - the legitimate-interest basis to keep it beyond the 2 months. Add litigation and postal time and authorities land on 6 months from rejection as the safe default. In Austria it's closer to 7 months because of § 29 GlBG.

It also means: deleting earlier isn't extra safety, it's an evidence risk. And keeping it longer without grounds is the breach authorities cite most. The 6-month window with automatic anonymisation at the end is therefore the calmest path - exactly what KI BMS does per candidate automatically.
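The retention rule from step 1 and this section, as an added example that is not KI BMS code: compute the anonymisation date per candidate (6 calendar months from rejection, extended only by an unrevoked talent-pool consent) and list the records that are due. The `Candidate` fields, the consent-expiry date and the sample records are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import calendar

RETENTION_MONTHS = 6  # default window from rejection, per the checklist


def add_months(d: date, months: int) -> date:
    # Calendar-month arithmetic, clamped to month end (31 Aug + 6 -> 28/29 Feb).
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Candidate:
    candidate_id: str
    name: Optional[str]                 # None once the record is anonymised
    rejected_on: Optional[date]         # None while the procedure is still running
    pool_consent_until: Optional[date] = None   # assumed: consent carries an expiry date
    pool_consent_revoked: bool = False


def anonymise_after(c: Candidate) -> Optional[date]:
    """Date on which the record must be anonymised; None while undeterminable."""
    if c.rejected_on is None:
        return None  # live procedure: the pre-contract basis still applies
    default_end = add_months(c.rejected_on, RETENTION_MONTHS)
    if c.pool_consent_until is not None and not c.pool_consent_revoked:
        # Consent only ever extends the window; it never shortens the evidence period.
        return max(default_end, c.pool_consent_until)
    return default_end  # revoked or absent consent falls back to the default window


def due_for_anonymisation(candidates, today: date) -> list:
    """IDs of records that still hold personal data and whose window has closed."""
    due = []
    for c in candidates:
        end = anonymise_after(c)
        if c.name is not None and end is not None and end <= today:
            due.append(c.candidate_id)
    return due


# Constructed sample records (not real applicants).
SAMPLE = [
    Candidate("A", "Applicant A", date(2025, 8, 31)),                       # due 2026-02-28
    Candidate("B", "Applicant B", date(2026, 1, 31)),                       # due 2026-07-31
    Candidate("C", "Applicant C", date(2025, 6, 15), date(2027, 6, 15)),    # pool consent
    Candidate("D", "Applicant D", date(2025, 6, 15), date(2027, 6, 15), True),  # revoked
    Candidate("E", "Applicant E", None),                                    # still open
]
```

Run on `date(2026, 3, 1)`, only A and D are due: A's default window closed on 28 Feb 2026, and D's revoked consent no longer extends it.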

Three myths that get expensive in an audit

Myth 1 - 'We need a consent checkbox for every application.' Wrong. The normal hiring procedure runs on Art. 6(1)(b) GDPR; consent is superfluous and even problematic because it would be revocable at any time. You only need explicit consent for the talent pool (storage beyond the procedure) - and it must be voluntary, time-limited (authorities recommend 1-2 years), and revocable at any time.

Myth 2 - 'Photo and date of birth belong on the application form.' No. Data minimisation (Art. 5) means: ask only what's relevant to the role. A photo, birth date, marital status, religion almost never are - and a required photo is an AGG discrimination risk on top. If a photo arrives in the CV, use it only within the procedure and don't put it in presentations or databases.

Myth 3 - 'Third-country transfer doesn't affect us.' It does, the moment your ATS, sourcing tool, or mail provider mirrors data to the US. Then you need a transfer basis (the EU-US Data Privacy Framework adequacy decision or standard contractual clauses under Art. 44 ff.). The simplest way to avoid the topic entirely: an EU-hosted tool. KI BMS hosts in Germany and provides the Art. 28 DPA on request within one business day.

What to do in the first 30 minutes

Six steps. Each takes <5 minutes in a modern ATS. In KI BMS most defaults are already right - you just have to look once.

Try KI BMS

Free plan, no credit card. We host in Germany. You can export and delete everything self-serve.

Written by Finn Glas, Co-Founder + Engineering

Finn is one of the Co-Founders. He owns the engineering side, the infrastructure, and most of the late-night fixes that ship before anyone notices.

finn.glas at aicuflow dot com