
The Belgian DPA fined a Brussels-based recruitment firm €75,000 in late 2024 for retaining candidate CVs past their agreed retention period. The firm had a GDPR policy. They'd just never connected it to their actual data practices. That gap — between what the policy says and what the system does — is where most recruiting agencies are sitting right now.
This guide covers what GDPR actually requires from recruitment agencies in 2026, where enforcement focus has shifted, and how your technology choices affect your compliance posture. Not legal advice — get a solicitor for that. But practical context that most agencies don't have.
Why GDPR Enforcement Has Intensified for Recruiters
When GDPR came into force in 2018, enforcement was patchy and mostly focused on tech companies and major data breaches. That's changed.
Since 2023, data protection authorities across the EU have increasingly targeted smaller organisations, including recruitment agencies. The pattern is visible in Germany (where enforcement against private companies sits with the state authorities, the Landesdatenschutzbehörden, not the federal BfDI, which supervises federal bodies and telecoms), the Netherlands (Autoriteit Persoonsgegevens) and Belgium (APD/GBA). The reasoning: agencies are data-intensive businesses. They collect sensitive personal information at scale (employment history, salary expectations, references, and for certain roles health-related information, which is special category data under Article 9 and needs an additional condition on top of a lawful basis), from people who often don't realise how long that data is being retained.
A 2025 investigation by the Dutch Autoriteit Persoonsgegevens found that 68% of Dutch recruitment agencies had no documented data retention schedule for candidate records. That's not a minor procedural gap: storage limitation is one of the Article 5 principles, so the absence of a schedule is a fundamental non-compliance that creates direct liability.
The enforcement trend is clear. Agencies that were operating on the assumption that GDPR was for big companies need to revisit that assumption.
The Lawful Basis Problem
GDPR requires that every instance of data processing has a documented lawful basis under Article 6. For recruitment agencies, the three most relevant are:
Consent — the candidate explicitly agrees to you holding and using their data for specified purposes. This is the most controllable basis, but it comes with obligations: you must document when consent was given, make it easy to withdraw, and stop processing when it's withdrawn.
Legitimate interests — your business has a genuine need to process the data that isn't overridden by the individual's rights. For active job search candidates, this can apply. For candidates who submitted a CV three years ago and have had no contact since, it's much harder to sustain.
Contractual necessity — you need the data to fulfil a contract with the candidate. This applies when you're actively placing someone, not for speculative database building.
Here's where agencies get into trouble: they collect candidate data under one lawful basis and then continue to process it under circumstances where that basis no longer holds. A candidate sends a CV for a specific role. You keep the CV. The role is filled by someone else. Two years later, the CV is still in your ATS under their name, being searched as part of your talent pool — without a documented basis for that continued processing.
That's a compliance gap. And it's extraordinarily common.
Candidate Consent: What You Actually Need
Consent under GDPR is stricter than most agencies realise. To be valid, it must be:
- Freely given — the candidate can't be penalised for not consenting
- Specific — consent to one purpose doesn't cover another (consent to hold their CV doesn't automatically cover sending it to clients)
- Informed — they need to know what they're consenting to, including how long data will be held and who it may be shared with
- Unambiguous — a pre-ticked checkbox doesn't count; they need to actively signal agreement
- Withdrawable — they must be able to withdraw consent at any time, and you must have a mechanism to action that withdrawal
In practice for recruitment agencies: when a candidate submits their CV, they should be presented with clear information about what you'll do with it, for how long, and how they can request deletion. This isn't just a privacy notice buried in small print — the information needs to be accessible at the point of data collection.
When you proactively reach out to candidates via LinkedIn (unsolicited), the consent situation is different. You're collecting data (their LinkedIn profile) and initiating contact without prior consent. The legitimate interests basis can cover this initial contact, but two obligations follow. Article 14 requires you to give the person your privacy information (who you are, why you hold their data, how long for, their rights) within a reasonable period and at the latest within one month of collecting it, or at first contact if that comes sooner. And if they don't respond or ask to be removed from your database, you can't keep processing their data indefinitely.
Data Retention: The Rule Most Agencies Are Breaking
GDPR doesn't specify a maximum retention period for recruitment data. But the storage limitation principle (Article 5(1)(e)) requires that you only keep personal data for as long as necessary for the purpose it was collected, and Article 13 requires you to tell candidates that period, or the criteria used to set it, at the point of collection.
That's an obligation most recruitment agencies aren't meeting. The default position in many agencies is "keep everything forever" — because you never know when an old candidate might become relevant again. That instinct is understandable from a business perspective. It's also illegal.
The industry standard that data protection officers typically recommend for recruitment agencies:
- Unsuccessful applicants: 6-12 months from the end of the relevant recruitment process
- Placed candidates: up to 7 years if required for tax/employment records, otherwise 2-3 years post-placement
- Talent pool candidates (opted in): up to 2 years from last meaningful contact, with periodic re-consent
- Proactively sourced candidates who didn't respond: 3-6 months maximum
These aren't fixed rules — they depend on your specific business context and the jurisdictions you operate in. But they're a starting point for a defensible retention policy.
The practical problem: if your candidate management system doesn't support automated retention schedules, you're manually managing deletion across potentially thousands of records. Nobody actually does that manually. Which is why so many agencies have databases full of legally indefensible data.
Subject Access Requests: Your One-Month Obligation
Any candidate can send you a Subject Access Request (SAR) asking what personal data you hold about them. Under Article 15, you must respond within one calendar month. That period can be extended by up to two further months where requests are complex or numerous, but you have to tell the candidate about the extension, and the reason for it, within the first month.
Your response needs to include every piece of personal data you hold on that individual, across all systems: ATS records, emails, notes, assessment results, interview feedback, and any data shared with clients. Alongside the data itself you must state the purposes of the processing, the categories of data, the recipients it has been disclosed to, how long you will retain it, and where you obtained it if not from the candidate.
If that sounds complex, it's because it is — particularly if your data is spread across an ATS, a separate email system, a spreadsheet, and LinkedIn messages. Agencies operating with fragmented data infrastructure will struggle to compile a complete, accurate SAR response in thirty days.
The right to erasure (the "right to be forgotten") works similarly. A candidate can request that you delete all data you hold on them. Unless you have a compelling legitimate reason to retain it — a legal claim, a statutory record-keeping requirement — you're obligated to delete it, from every system, and confirm that deletion.
In practice, this means you need a way to find every instance of a person's data across your entire tech stack and delete it with a documented audit trail. That's operationally very hard without a system designed to support it.
Sharing Data With Clients: The Requirement You May Be Overlooking
When you present a candidate shortlist to a hiring client, you're transferring personal data to a third party. Under GDPR, that transfer requires:
A documented basis for the transfer. Typically this is candidate consent or your legitimate interests as the controller placing a candidate (an agency deciding who to shortlist and for which client is a controller, not a processor). The candidate should know their profile may be shared with potential employers, and they should have had a meaningful opportunity to object.
A written agreement with your client. If your client is processing candidate data for its own purposes (interviewing them, running assessments, storing their information), it is an independent "controller" in GDPR terms, and the appropriate instrument is a controller-to-controller data sharing agreement that sets out what each party may do with the data, who answers candidate requests, and how breaches are notified. An Article 28 data processing agreement (DPA) is the right document only where one party processes on the other's behalf and under its instructions, for example if you run assessments for the client as its processor. Either way, the agreement should be in place before you share the data.
Many agencies skip the client agreement because it feels bureaucratic. But if a candidate complaint ever surfaces, the absence of a written allocation of responsibilities creates shared liability that could have been avoided. A standard template, reviewed once by counsel and reused across clients, keeps the per-client effort small.
For cross-border transfers outside the EU/EEA (sending candidate data to a US-based client, for example), additional requirements apply under Chapter V. Standard Contractual Clauses are the most common mechanism, but since the Schrems II ruling you also need a transfer impact assessment showing the destination's legal regime doesn't undermine the clauses. For US recipients certified under the EU-US Data Privacy Framework (in force since July 2023), the adequacy decision covers the transfer instead; check the recipient's certification status rather than assuming it.
What a GDPR-Compliant ATS Actually Does
This is where technology choices have a direct compliance impact. A GDPR-compliant candidate management system should handle several things natively:
Consent Tracking Per Candidate
Every candidate record should document: when consent was given, what it covers, and whether it's been withdrawn. This isn't a PDF attached to the record — it should be a structured field in the candidate's profile that can be queried and reported on across your entire database.
Automated Retention Schedules
The system should allow you to set retention rules by candidate category. Unsuccessful applicants get flagged for deletion after twelve months. Placed candidates after thirty-six months. The system generates a regular review list, you confirm deletions, and there's an audit log of what was deleted and when.
Without this, you're relying on human memory and manual processes to manage retention across potentially thousands of records. That's not realistic.
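To make the retention schedule listed in the Data Retention section and the review-list-plus-audit-log flow described just above concrete, here is an added Python example. It is not Yena's code and not part of the original article. The category names, the months chosen from the article's ranges, and the idea that each record carries an anchor date (end of process, placement date, last contact, outreach date) are assumptions for the illustration; the sample records are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Hypothetical retention schedule in months, taken from the article's ranges.
# Assumption: each record stores the date its retention clock runs from.
POLICY_MONTHS = {
    "unsuccessful_applicant": 12,  # from the end of the recruitment process
    "placed": 36,                  # from placement, where no statutory hold applies
    "placed_statutory": 84,        # 7 years where tax/employment records are required
    "talent_pool": 24,             # from last meaningful contact
    "sourced_unresponsive": 6,     # from the unanswered outreach
}


@dataclass(frozen=True)
class Candidate:
    candidate_id: str
    category: str
    anchor_date: date            # event the retention clock runs from
    consent_withdrawn: bool = False
    legal_hold: bool = False     # live claim or statutory duty to retain


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target month."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def review_retention(records, today, policy=POLICY_MONTHS):
    """Sort every record into delete / hold / retain / needs_policy.

    Returns the buckets (lists of candidate ids) and an audit log with one
    entry per decision, so a human can confirm the list before deletion runs.
    """
    result = {"delete": [], "hold": [], "retain": [], "needs_policy": []}
    audit = []

    def log(rec, decision, reason):
        result[decision].append(rec.candidate_id)
        audit.append({"candidate_id": rec.candidate_id, "category": rec.category,
                      "decision": decision, "reason": reason,
                      "reviewed_on": today.isoformat()})

    for rec in records:
        if rec.legal_hold:
            # A hold overrides expiry and erasure requests, but must be logged so
            # the continued retention has a documented basis.
            log(rec, "hold", "legal hold")
            continue
        if rec.consent_withdrawn:
            # Withdrawal ends the basis immediately; do not wait for expiry.
            log(rec, "delete", "consent withdrawn")
            continue
        months = policy.get(rec.category)
        if months is None:
            # No documented schedule for this category: surface it instead of
            # silently keeping the record forever.
            log(rec, "needs_policy", "no retention rule for category")
            continue
        expiry = add_months(rec.anchor_date, months)
        if expiry <= today:
            log(rec, "delete", f"retention expired {expiry.isoformat()}")
        else:
            log(rec, "retain", f"retention runs to {expiry.isoformat()}")
    return result, audit


# Constructed sample records (not real candidates) for a stand-alone run.
SAMPLE_RECORDS = [
    Candidate("c1", "unsuccessful_applicant", date(2024, 11, 30)),  # expires 2025-11-30
    Candidate("c2", "unsuccessful_applicant", date(2025, 9, 15)),   # expires 2026-09-15
    Candidate("c3", "placed", date(2023, 1, 31)),                   # expires 2026-01-31
    Candidate("c4", "talent_pool", date(2025, 3, 1), consent_withdrawn=True),
    Candidate("c5", "sourced_unresponsive", date(2025, 10, 1)),     # expires 2026-04-01
    Candidate("c6", "placed_statutory", date(2020, 2, 29), legal_hold=True),
    Candidate("c7", "referred_by_client", date(2019, 6, 1)),        # no rule defined
]


def demo(today=date(2026, 2, 1)):
    return review_retention(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    buckets, log = demo()
    for entry in log:
        print(entry)
```

The run produces a review list rather than deleting anything: "delete" is what a reviewer confirms, "hold" is what must stay with its reason recorded, and "needs_policy" is the gap the Dutch regulator's finding describes, a category nobody wrote a rule for. Run it against an export of your real ATS with today's date and the size of that last bucket is your audit.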
Subject Access Request Workflows
When an SAR comes in, you should be able to pull all data on a named individual from across the platform — profile, communications, notes, pipeline history, documents — within minutes. Not hours of manual searching across systems.
Audit Logs
Who accessed a candidate record, when, and what they did with it. Who shared it with a client. Who exported it. If a data protection authority ever asks you to demonstrate your data processing practices, audit logs are the documentation you need.
Data Storage in the EU/EEA
GDPR doesn't mandate EU storage as such; it regulates transfers. But any storage, backup or support access outside the EU/EEA is a transfer that needs its own legal mechanism and assessment, so keeping candidate data on EU/EEA servers by default removes that work. Many US-based platforms store data in US data centres or route support access through US staff, which creates exactly those complications. Confirm explicitly with any platform you're evaluating where data is stored, where backups live, and which sub-processors can access it.
Where Yena Fits the Compliance Picture
Worth being specific here rather than vague. Yena is built specifically for European recruitment agencies, which shapes the compliance features significantly compared to US-market platforms that have retrofitted GDPR compliance.
Data is stored on EU servers. Candidate records include consent tracking fields. Data retention policies can be configured per candidate category, with automated review prompts. Subject access requests can be compiled from a single candidate view rather than requiring manual aggregation across systems.
Yena has a SOC 2 Type I report (an auditor's attestation that controls are suitably designed at a point in time; a Type II report additionally covers operating effectiveness over a period), and GDPR compliance documentation is available on request for due diligence purposes.
What Yena doesn't do: it won't replace your legal counsel on GDPR matters, and it won't make compliance decisions for you. It provides the infrastructure to implement compliance practices — the policies and judgment still come from your team.
If you're comparing platforms on GDPR features, the Yena vs. Bullhorn and Yena vs. Loxo comparisons cover the compliance differences in detail. For the pricing and setup details, Yena runs at €49-99/user/month with a 24-hour setup time.
Practical Steps to Close Your Compliance Gaps Now
If you've read this far and realise you have gaps, here's a prioritised action list:
Step 1: Audit what you're actually holding. Pull a report of every candidate record in your ATS older than twelve months. How many are there? What's the oldest? Do you have a documented basis for retaining each one? This audit will be uncomfortable. Do it anyway.
Step 2: Define your retention policy. Decide how long you'll retain data for each candidate category (applicants, placed candidates, talent pool, sourced-but-unresponsive). Write it down. Have it reviewed by someone with GDPR expertise.
Step 3: Update your candidate-facing privacy notice. Check that what your privacy notice says matches what you're actually doing. If you're retaining data for two years but the notice says six months, you have a problem either way — either your notice is wrong or your practice is.
Step 4: Establish a deletion process. Implement whatever mechanism you'll use to action retention schedule deletions and right-to-erasure requests, and make sure it reaches every copy: the ATS, mailboxes, shared drives, and backups on their own rotation schedule. If you're using a spreadsheet, that mechanism is manual and unreliable. If you're using a candidate management system with retention tooling, it should be automated.
Step 5: Review client data sharing agreements. Do you have written terms in place with the clients you share candidate data with (a controller-to-controller data sharing agreement, or an Article 28 DPA where one party processes on the other's behalf)? If not, draft and circulate a standard template. Most clients will sign without issue; it's a routine document.
Step 6: Train your team. The most common cause of GDPR failures isn't deliberate non-compliance — it's team members who don't know the rules or who make reasonable-seeming decisions that happen to be wrong. A half-day training session updated annually is the minimum.
The Cost of Getting This Wrong
GDPR fines are tiered under Article 83. Lower-tier infringements: up to €10M or 2% of global annual turnover, whichever is higher. Higher-tier infringements (including breaches of the storage limitation principle and processing without a lawful basis): up to €20M or 4% of global annual turnover, whichever is higher.
For a small recruitment agency turning over €2M annually, 4% of turnover is €80,000. Because the cap is the higher of the two figures, the statutory ceiling is still €20M even for a business that size; in practice authorities scale fines to the organisation and the infringement, and the Belgian DPA's €75,000 fine cited earlier, imposed for exactly this category of violation, retaining data past its retention period, is the more realistic reference point.
The less quantifiable cost: reputational damage. Executive search operates on trust. If a candidate files a complaint that triggers an investigation and subsequent media coverage, the damage to your reputation with clients and candidates can outlast any financial penalty.
Compliance isn't cheap. But it's less expensive than enforcement.
One More Thing Worth Saying
GDPR compliance is often framed as a cost centre — something you do to avoid fines. It can also be a competitive differentiator.
Senior executives are increasingly aware of how their data is handled. A candidate who trusts that your agency will manage their information responsibly is more likely to engage with you, share their real situation, and refer colleagues. An agency known for rigorous data practices builds a reputation that attracts the kind of high-value candidates who care about these things.
In executive search, you're often asking people to share sensitive career information — compensation expectations, reasons for leaving, aspirations they haven't shared publicly. That requires trust. GDPR compliance, properly implemented, is part of building it.
If you're reviewing your compliance posture and considering a platform switch as part of that, Yena's 10-day trial lets you test the compliance features against your actual workflows before committing. The automation infrastructure and GDPR tooling work together — compliance doesn't have to mean manual effort.
Note: This post is for informational purposes only and does not constitute legal advice. For advice specific to your agency's situation, consult a data protection solicitor or your local data protection authority's guidance materials.
Janis Kolomenskis is the founder of Yena, an AI-native recruiting platform built for European executive search firms and staffing agencies.