Pragmatic GDPR practice for German-speaking HR teams - without lawyer language, with concrete thresholds.

Short answer: keep rejected applications for 6 months, then delete - that's 2 months of AGG window plus 3 months of litigation window plus a 1-month buffer. Longer only with consent (talent pool) or active litigation.
Before the detail, the five sentences that cover 90% of cases. This is practical information, not legal advice - but it's the line a data protection officer follows in an audit.
What GDPR practically requires from you in recruiting comes down to six points. I list them here the way a data protection officer would check them in an audit. For a ready-made checklist, see the GDPR checklist for recruiting 2026.
The '6 months' isn't a statutory number but a clean calculation. It follows from two windows plus a buffer: a rejected applicant must assert an AGG compensation claim (discrimination under § 1 AGG) in writing within 2 months of receiving the rejection (§ 15 (4) AGG). If they do, the lawsuit must be filed at the labour court within a further 3 months of that written assertion (§ 61b (1) ArbGG). Plus a one-month processing buffer makes 2 + 3 + 1 = 6 months. The buffer also absorbs the fact that the clock starts at receipt of the rejection, not at sending: count from the date the rejection went out and the few days' difference is covered.
The lawful basis for keeping (rather than deleting immediately) is the legitimate interest in defending legal claims, Art. 6 (1)(f) and Art. 17 (3)(e) GDPR, within the storage-limitation principle of Art. 5 (1)(e). Three nuances that come up in practice:
The moment candidate data sits in cloud software - any ATS, any applicant-management tool, even a simple form tool - the vendor processes personal data on your behalf. For that, a data processing agreement (DPA) under Art. 28 GDPR is mandatory before the first data flows. Without it, the processing is formally unlawful, and that alone is fineable (Art. 83 (4) GDPR: up to €10m or 2% of worldwide annual turnover, whichever is higher).
In practice that just means: check whether your vendor provides a ready-made DPA (reputable ones do without you asking), check that it names the sub-processors and passes the same duties down to them (Art. 28 (2) and (4)), sign it, file it. With a Germany-hosted ATS like KI BMS that's a two-minute step. With a vendor outside the EU/EEA that isn't covered by an adequacy decision, you add standard contractual clauses and a transfer impact assessment - more effort, same purpose. What else to watch for when choosing a tool is in applicant tracking software explained.
If your tool scores applications with an AI fit score, that touches two rulebooks. First, Art. 22 GDPR: a solely automated rejection, which has a legal or similarly significant effect on the applicant, is not allowed - a human must decide on the merits. The CJEU clarified in the SCHUFA ruling (C-634/21) that where a score effectively determines the outcome and the recipient merely 'rubber-stamps' it, the scoring itself counts as an automated decision. Pre-sort yes, let it decide no.
Second, the EU AI Act: AI used to screen or evaluate candidates is classed as high-risk (Annex III point 4), and the full duties apply from 2 August 2026 - human oversight, keeping the system's automatically generated logs for at least 6 months (Art. 26 (6)), and informing candidates that a high-risk AI system is used on them (Art. 26 (11)). In practice that means: the AI use belongs in the privacy notice (Art. 13 (2)(f) GDPR), and a candidate can request meaningful information about the pre-sorting logic under Art. 15 (1)(h) GDPR - including their fit score and the factors behind it.
Myth 1: 'We need a separate, hand-signed consent in a Word doc per application.' Wrong on two counts. Processing the application itself needs no consent at all: it rests on Art. 6 (1)(b) GDPR and § 26 (1) BDSG (steps towards an employment contract). The privacy notice on the careers page discharges the information duty (Art. 13), it is not a consent. Consent only comes into play for the talent pool, and there a specific, logged checkbox is what counts, not a signed document - and it must be as easy to withdraw as it was to give (Art. 7 (3)).
Myth 2: 'We have to keep everything for 10 years because of anti-discrimination law.' Wrong - 6 months after rejection is enough for the legal claim window. Longer retention needs a different legal basis.
Myth 3: 'AI in recruiting is forbidden.' Wrong - pre-sorting with a human decision is fine. Forbidden is an automated decision with legal or similarly significant effect without a human.
Three of the six duties can be automated by an ATS. Information via a built-in GDPR clause on the careers page. Retention via a per-candidate retention window with auto-anonymisation on expiry (for a deeper look: Deleting applicant data - the deletion concept beyond GDPR basics). Right of access via self-service export. The other three (lawful basis, minimisation, erasure) remain human decisions, but the ATS helps keep them consistent.
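The retention window from the 2 + 3 + 1 calculation above, and the per-candidate auto-anonymisation this paragraph describes, as one added example (not code from KI BMS or any other ATS): the deletion date is derived from the rejection date, pushed out by a written AGG claim or a talent-pool consent, suspended entirely by a lawsuit, and the nightly job anonymises rather than deletes so funnel statistics survive. The record layout, field names and sample applicants are this example's own assumptions.

```python
"""Retention window for rejected applicants, with anonymisation on expiry.

Added example, not code from KI BMS or any ATS. Assumed record layout (all
names are this example's own): a rejection date, the date a written AGG claim
was received (§ 15 (4) AGG), the date a labour-court suit was served
(§ 61b (1) ArbGG), and an optional talent-pool consent with its own expiry.
"""
import calendar
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Tuple

AGG_CLAIM_MONTHS = 2    # § 15 (4) AGG: assert the claim in writing
LAWSUIT_MONTHS = 3      # § 61b (1) ArbGG: file suit after asserting it
BUFFER_MONTHS = 1       # processing buffer (also covers sending vs. receipt of the rejection)


def add_months(d: date, n: int) -> date:
    """Calendar-month addition, clamped to the last day of the target month
    (31 Aug + 6 months is 28 Feb, not an invalid 31 Feb)."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass(frozen=True)
class Candidate:
    candidate_id: str
    name: str
    email: str
    cv_text: str
    rejected_on: date
    claim_asserted_on: Optional[date] = None         # written AGG claim received
    lawsuit_filed_on: Optional[date] = None          # suit served: legal hold
    talent_pool_consent_until: Optional[date] = None
    anonymised: bool = False


def delete_after(c: Candidate) -> Optional[date]:
    """Earliest date the record may be anonymised; None means 'hold, decide by hand'."""
    if c.lawsuit_filed_on is not None:
        return None  # active litigation: Art. 17 (3)(e), no automatic deletion
    due = add_months(c.rejected_on, AGG_CLAIM_MONTHS + LAWSUIT_MONTHS + BUFFER_MONTHS)
    if c.claim_asserted_on is not None:
        # The 3-month suit window runs from the written assertion. A timely claim
        # lands inside the 6 months anyway; a late one (to be argued as untimely
        # in court) pushes the window out.
        due = max(due, add_months(c.claim_asserted_on, LAWSUIT_MONTHS + BUFFER_MONTHS))
    if c.talent_pool_consent_until is not None:
        due = max(due, c.talent_pool_consent_until)  # consent is the only basis for longer
    return due


def anonymise(c: Candidate) -> Candidate:
    """Strip everything that identifies the person; keep the dates for funnel statistics."""
    return replace(c, name="", email="", cv_text="", anonymised=True)


def run_retention(candidates: List[Candidate], today: date) -> Tuple[List[Candidate], List[str]]:
    """The nightly job: anonymise what is due, leave holds alone, return an audit trail."""
    kept, trail = [], []
    for c in candidates:
        due = delete_after(c)
        if c.anonymised or due is None or today < due:
            kept.append(c)
            continue
        kept.append(anonymise(c))
        trail.append(f"{today.isoformat()} anonymised {c.candidate_id} (due {due.isoformat()})")
    return kept, trail


def sample_candidates() -> List[Candidate]:
    """Constructed sample data, not real applicants."""
    base = Candidate("A", "Ada Example", "ada@example.org", "CV text", date(2026, 1, 15))
    return [
        base,                                                                  # plain rejection
        replace(base, candidate_id="B", claim_asserted_on=date(2026, 4, 1)),   # late AGG claim
        replace(base, candidate_id="C", claim_asserted_on=date(2026, 3, 1),
                lawsuit_filed_on=date(2026, 5, 20)),                           # in court: hold
        replace(base, candidate_id="D", talent_pool_consent_until=date(2027, 1, 31)),
    ]


if __name__ == "__main__":
    kept, trail = run_retention(sample_candidates(), date(2026, 7, 15))
    for line in trail:
        print(line)
```

Two things to check in your own tool against this model: that a lawsuit or a written claim can actually be recorded on the candidate so the window moves (otherwise the job deletes evidence you need), and that the job anonymises in calendar months rather than a fixed 180 days, which is short of six months for half the year.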
Read next
AGG-compliant recruiting in practice: hiring without discrimination and without fear
Job ad, selection, documentation and rejection - the AGG points that really matter in recruiting.
GDPR checklist for recruiting 2026 - clean, step by step
Six concrete GDPR duties + three common myths, with software defaults to tick off.
Why AI in recruiting is more than a trend - and how to tell the difference
How recruiting substantively changes with AI - beyond the hype.