Deleting applicant data: the deletion concept that goes beyond the GDPR basics

There's a lot of talk about GDPR in recruiting, but mostly only about the first half: obtain consent, link the privacy notice, document the legal basis. That's doable and most teams do it. The second half - getting rid of the data at the end of its purpose - is systematically forgotten, because it brings no visible benefit and nobody pushes for it. That's exactly why thousands of old applications from years past sit around in many companies, with no legal basis for their retention left.

The principle behind it is storage limitation: personal data may only be kept as long as needed for the purpose it was collected for. Once the application process is finished and no other basis applies, it must be deleted. A deletion concept is the plan that does this systematically and demonstrably - instead of leaving it to chance and forgetting.

There's no blanket window for application documents - it depends on the purpose and legal situation. In practice, for rejected applications many companies anchor to the period within which claims under the anti-discrimination act could still be raised, plus a safety buffer, and delete afterwards. Important: the window begins at the conclusion of the concrete application procedure, not at receipt of the application, and it's a maximum retention duration, not a must-keep figure.

For the hired person the situation differs: documents relevant to the employment transfer into the personnel file and follow its own, often longer windows. But the pure application documents that don't transfer into the employment are subject to storage limitation here too. The concrete windows for your case you clarify with your DPO - this article explains the practice and doesn't replace legal advice.

There's a legitimate reason to keep an application beyond the window: when the person explicitly consents to staying in your talent pool for future roles. That's a separate purpose with its own legal basis - voluntary, informed consent. It must be given actively, not by silence, and must be revocable at any time. A talent pool people simply 'slipped into' because nobody deleted isn't a talent pool but a data-protection problem.

The clean practice: at or after the rejection, actively ask whether the person wants to stay in your pool. On yes, a separate, transparently communicated window applies (often one to two years with a reminder). On no or silence, the normal deletion window runs. That keeps the pool legally clean and containing only people who really want to be there.

Full deletion isn't the only path. Often you want to remove the personal trace but keep the statistical insight - e.g. how many applications came via which channel. Here anonymisation helps: the identifying data (name, contact, CV) is irretrievably removed, while the non-personal key figures stay for your analysis. A cleanly anonymised application is, in data-protection terms, no longer personal data.

The difference from pseudonymisation matters: pseudonymised means the link is still reconstructable via a key - that's still personal. Anonymised means the link can't be reconstructed even with effort. Only true anonymisation satisfies storage limitation while preserving the aggregate statistics for you. Make sure your tool really anonymises and doesn't merely hide.

The last and most often underestimated part of a deletion concept is the proof. The GDPR requires accountability: you must be able to demonstrate that you deleted or anonymised the data on time. A process that deletes but leaves no trace is, in a dispute, almost as bad as none - you can't prove you fulfilled your duty.

A good tool makes the deletion concept a default rather than homework. In KI BMS retention runs per candidate: you set a window, after which anonymisation happens automatically, and every step - setting the window, the anonymisation itself - lands in the audit log with a timestamp. That way the proof arises on its own. You don't have to remember to delete, and you don't have to document by hand that you did it - both happen as a natural consequence of the process.