
Picture this: you've just placed a senior finance director with a Frankfurt-based private equity firm. Three weeks later, you get a letter from the German data protection authority (Landesbeauftragter für Datenschutz) asking you to document your legal basis for processing 847 candidate profiles in your database. You don't have one. Not a documented one, anyway.
This isn't a hypothetical. Enforcement against recruitment agencies across the EU has accelerated since 2023, and 2026 brings an additional layer of complexity: the EU AI Act's first substantive obligations kicked in for high-risk AI systems — which includes automated candidate screening — in August 2025. If you're running a recruiting agency across multiple European markets and you haven't updated your compliance posture recently, you're carrying more risk than you probably realise.
This isn't a legal textbook. It's a recruiter's survival guide — practical, specific, and honest about where the real exposure sits.
GDPR: The Foundation Everything Else Sits On
Six years in, GDPR is no longer new — but most recruitment agencies are still running their data practices on a mixture of incomplete consent flows, vague privacy notices, and ATS databases that haven't been cleaned since implementation. The risk profile has shifted from "unlikely to be investigated" to "increasingly likely, especially if a candidate complains."
The core mechanics haven't changed. You need a lawful basis for every processing activity. For most candidate data, that's either legitimate interest (Article 6(1)(f)) or consent (Article 6(1)(a)). The practical rule of thumb:
- Candidate contacted you directly for a specific role → legitimate interest usually holds
- Candidate sourced from LinkedIn or Xing and you want to add to your talent pool → legitimate interest is shakier; a clear opt-in is cleaner
- Candidate who didn't get placed and you want to keep their CV for six months → document a legitimate interest assessment, or get explicit consent
- Candidate marketing emails (newsletters, salary surveys) → separate consent, always
The ICO's updated employment practices guidance from 2023 is the most practical regulator document available on this. Even for EU-based agencies, it's worth reading because the legal analysis largely applies across GDPR jurisdictions.
Data retention: the number most agencies get wrong
GDPR doesn't give you a specific number. What it gives you is a principle — data must not be kept "longer than necessary." Regulators in different EU markets have published guidance that effectively sets soft limits. In practice:
- Unsuccessful applications: 6 months (aligns with discrimination claim windows in most EU jurisdictions)
- Talent pool candidates with opt-in: 12 months, then re-consent or delete
- Successfully placed candidates: placement date plus your guarantee period, plus a buffer for disputes — typically 12-18 months total
- Right-to-work documentation: 2 years post-employment end in most EU countries
- Financial records: 7 years (tax law, not GDPR — this overrides the shorter periods above for invoice-level data)
France's CNIL is the strictest on this. Their formal recommendation (Délibération 2020-092) specifies 2 years from last contact as the maximum for candidate data — with re-consent required before that window closes if you want to continue. German data protection authorities at both federal (BfDI) and Länder level take a similar position. The UK ICO is marginally more flexible but not by much.
The agencies that get caught by regulators aren't doing anything malicious. They've just never built data deletion into their workflows — so data that should have been cleaned 18 months ago is still sitting in the system, and nobody noticed.
Our full GDPR guide for agencies goes deeper on consent flows, erasure request workflows, and data processing agreements with client companies — worth reading alongside this one.
The EU AI Act: What Recruitment Agencies Actually Need to Do Now
The EU AI Act became fully applicable for high-risk AI systems in August 2025. Automated candidate screening tools — systems that filter, rank, or score job applicants without individual human review — are explicitly classified as high-risk under Annex III of the Act.
Here's the honest reality: most recruitment agencies don't know where they sit on this. They're using an ATS with an AI matching feature, or a third-party screening tool, and they haven't thought about whether the system constitutes "automated decision-making" under the Act's definition. The answer depends on how the tool is configured and how your recruiters actually use it.
What counts as "high-risk" under the Act
An AI system is high-risk for recruitment purposes if it's used to make, or meaningfully influence, decisions about candidate selection. That includes:
- Automated CV parsing that scores and ranks candidates before a human sees them
- Knockout question systems that filter out candidates based on algorithmic thresholds
- AI-powered "cultural fit" or "job match" scores that affect who progresses
- Video interview analysis tools that assess personality or suitability from facial expressions or tone
What does not count as high-risk: AI that generates job descriptions, suggests outreach messaging, summarises interview notes, or handles scheduling. Those are productivity tools, not decision-making systems.
Obligations for high-risk AI users
If you're deploying high-risk AI in your recruitment process, the Act requires you — as the "deployer" — to:
- Conduct a fundamental rights impact assessment before deployment
- Ensure a human reviews any AI-generated recommendations before consequential decisions are made
- Maintain logs of the AI system's operation for at least 6 months
- Inform candidates that AI is being used in their assessment
- Provide candidates with the right to request human review of AI decisions affecting them
The "inform candidates" requirement is one most agencies aren't meeting. A sentence in your privacy notice saying "we may use automated tools" doesn't satisfy the Act. The notification needs to be specific: what system, what it assesses, how it influences the outcome. This is partly why the trend among compliant agencies is shifting away from fully automated screening toward AI-assisted ranking with mandatory human review checkpoints.
For a deeper read on how AI in recruitment intersects with both GDPR and the AI Act, the AI in recruitment 2026 overview covers the current state of the technology and the compliance picture in parallel.
The EU AI Act doesn't ban AI in recruitment. It requires transparency, human oversight, and documentation. Agencies that build those in from the start will have a competitive advantage — clients increasingly ask about it.
Country-Specific Rules That Will Catch You Out
Pan-European compliance is a framework, not a finish line. Each jurisdiction layers national law on top of GDPR and the AI Act, and the gaps between them are where agencies operating across borders tend to get into trouble.
Germany: Works Councils and the BDSG
Germany runs GDPR alongside the BDSG (Bundesdatenschutzgesetz), which adds employment-specific requirements. Section 26 BDSG governs candidate data in the recruitment context and is stricter than the GDPR baseline on several points — particularly around consent in the employment relationship (it's often deemed involuntary due to power imbalance, making legitimate interest or legal obligation the safer bases).
The bigger operational issue for agencies placing candidates in German companies: Works Councils (Betriebsräte). Under the German Works Constitution Act (BetrVG), Works Councils have co-determination rights on the introduction of new technical systems that monitor or assess employee behaviour. This extends to recruitment tools used within the client company's environment. If your client has a Works Council, they may need to formally agree to the use of specific ATS or AI screening tools before you can implement them in that engagement.
Practically: raise this in the client onboarding conversation. Ask whether a Works Council is in place. If yes, factor in an additional 4-8 weeks for the co-determination process before any technology-dependent recruitment workflow goes live. Agencies that skip this step have found placements delayed or client relationships damaged when Works Councils retroactively raise objections.
France: RGPD Plus CNIL-Specific Restrictions
France applies EU GDPR as "RGPD" (Règlement Général sur la Protection des Données) with no major structural differences — but the CNIL's enforcement approach and specific guidance create a distinctly French compliance environment.
Key French-specific points for recruitment agencies:
- Employment law framing: France has strict rules around what information can be collected at the application stage. Nationality, family situation, photographs, religious practice, trade union membership — collecting these during recruitment is prohibited under French labour law, separate from GDPR considerations.
- LinkedIn sourcing: The CNIL has formally investigated French recruitment firms for scraping LinkedIn profiles without adequate legal basis. Their 2022 guidance makes clear that sourcing from professional networks requires candidates to have a "reasonable expectation" of being contacted by recruiters — and that this expectation diminishes rapidly if the outreach is unrelated to their visible professional activity.
- CDI vs CDD context: Permanent (CDI) versus fixed-term (CDD) employment affects how job advertisements must be framed and what information is legally required in an offer — relevant if you're advising clients on French hiring documentation.
UK: UK GDPR Post-Brexit
The UK is no longer subject to EU GDPR — it runs UK GDPR, which is substantively equivalent but independently enforced by the ICO. The EU Commission's adequacy decision for the UK (issued June 2021) allows EU-to-UK data transfers without additional safeguards, and it was renewed in late 2025, removing one major uncertainty for cross-Channel agencies.
UK-specific watch points:
- The Data Protection and Digital Information Bill (DPDI) has been progressing through Parliament through early 2026. It introduces some modest divergence from EU GDPR — particularly around the legitimate interests assessment framework and research exemptions. If you operate across the UK-EU boundary, monitor ICO communications for implementation updates.
- The ICO's AI recruitment guidance (published 2023) is the most practical regulatory document on Article 22-equivalent obligations in the UK context. It's clearer and more actionable than much of the EU Commission's AI Act implementation guidance.
- UK employment equality law creates a 3-month window for discrimination claims in the employment tribunal — longer than some EU equivalents — which affects how long you should retain unsuccessful application data. 6 months is the commonly cited safe period.
The Compliance Comparison: EU GDPR vs UK GDPR vs Country Rules
| Area | EU GDPR | UK GDPR (ICO) | Germany (+ BDSG) | France (CNIL) |
|---|---|---|---|---|
| Lawful basis for sourcing | Legitimate interest or consent | Legitimate interest or consent | Consent preferred (power imbalance concern) | Legitimate interest, but narrowly applied to professional data |
| Talent pool retention limit | Proportionate to purpose (typically 12-24 months) | 12 months recommended, re-consent after | 12-24 months, documented LIA required beyond 12 | 2 years max from last contact (CNIL 2020-092) |
| AI screening disclosure | Required (Article 22 + AI Act from Aug 2025) | Required (UK GDPR Article 22 + ICO AI guidance) | Required; BfDI takes strict view on "meaningful influence" | Required; CNIL guidance from 2022 on algorithmic tools |
| Works Council involvement | Varies by country | N/A (UK doesn't have comparable body) | Strong co-determination rights under BetrVG §87 | CSE/CE consultation rights on algorithmic tools |
| Restricted application data | Sensitive categories (Article 9) | Sensitive categories (Article 9) | Article 9 + BDSG Section 26 restrictions | Article 9 + French Labour Code (nationality, family status banned at application stage) |
| Cross-border data transfers | Adequacy decision or SCCs required for third countries | UK adequacy decisions (includes EEA); SCCs for others | EU GDPR rules apply; DPA oversight active | EU GDPR rules apply; CNIL scrutinises US-hosted SaaS |
What Your ATS Must Do to Support Compliance
Policy documents don't enforce themselves. The gap between what your compliance policy says and what actually happens in day-to-day recruiting is where the real risk lives. Your ATS needs to close that gap operationally.
The minimum functionality you should require from any platform you use:
- Consent tracking per candidate: When was consent captured, for what, and via which channel. Withdrawal should be recordable and should trigger a retention review flag.
- Automated retention flags: When a candidate record approaches its configured retention limit, the system should notify you — not wait for a manual audit that never happens. Auto-anonymisation is even better.
- Erasure request workflow: A logged, trackable process from receipt to completion, with documentation of what was deleted and what was retained (with the legal basis for retention cited).
- DSAR generation: The ability to produce a complete record of all data held on a specific candidate across the system. Manual compilation from multiple tabs is not a compliant workflow at scale.
- Audit log: Who accessed each candidate record, when, and what changes were made. Essential for breach investigations and regulatory enquiries.
- AI transparency controls: If the platform uses AI matching or scoring, you need to be able to configure what candidates are told about it and ensure human review is built into the workflow before decisions are communicated.
If you're evaluating platforms, see our best ATS for agencies 2026 comparison — compliance features are one of the evaluation criteria we weighted heavily. If you want to see how Yena specifically handles consent workflows, retention automation, and AI Act transparency requirements, the Yena vs Personio comparison shows how dedicated recruiting platforms differ from HR suites on the compliance architecture.
One honest note: if your agency places fewer than 50 candidates per month, some of this can be managed with well-designed manual processes and clear documentation. A small exec search boutique with 8 active candidates at any time has a different risk profile than a staffing agency running 400 concurrent roles. Don't over-engineer this if you don't need to — but do document everything, even manually.
For agencies at higher volume — 100+ new candidates per month — manual compliance management is genuinely not viable. The error rate in manual consent tracking and retention management is too high, and a single ICO or CNIL investigation based on a candidate complaint will cost more in management time than a year's subscription to a compliant ATS. Our AI resume parser handles structured data extraction from CVs in a GDPR-compliant way, which is often the first manual process worth automating.
Frequently Asked Questions
Do I need a Data Protection Officer (DPO) as a recruitment agency?
Under Article 37 of GDPR, a DPO is mandatory if you process personal data on a large scale as a core business activity. Recruitment agencies do process personal data as a core activity — the question is scale. EU supervisory authorities haven't set a specific number, but if you're processing thousands of candidate records regularly, appointing a DPO (internal or external) is strongly advisable and may be technically required. The ICO's position for UK agencies is similar. For smaller boutique agencies, a designated data protection contact who maintains your compliance documentation and handles requests is usually sufficient.
What do I do when a candidate asks what data I hold on them?
That's a Subject Access Request (SAR / DSAR). You have one calendar month to respond — and respond means delivering the actual information, not just acknowledging the request. The response must include: every piece of personal data you hold on them, the purposes for which you process it, the legal basis, how long you intend to retain it, and who you've shared it with. If your candidate data is spread across an ATS, email system, and shared drives, you need to search all of them. Budget 2-4 hours for a manual response; a well-configured ATS should reduce this to 15-20 minutes.
Can I use AI scoring tools without telling candidates?
No. Under GDPR Article 22 and the EU AI Act (for systems classified as high-risk), candidates must be informed when automated processing is used in decisions that significantly affect them. Getting screened out of a job application qualifies. The notification needs to be specific enough to be meaningful — not buried in a generic privacy policy. Candidates also have the right to request human review of AI-driven decisions. Build this into your application flow, not as an afterthought.
A client company wants me to share a candidate's CV with their sister company for a different role. Is that OK?
Generally, no — not without the candidate's knowledge and consent. The candidate gave you their CV for a specific purpose (the role you're working on). Sharing it with a third party for a different purpose requires either explicit candidate consent for that specific use, or a fresh legitimate interest assessment that you document. This applies even within the same corporate group. Your client contract should include a clause prohibiting this kind of secondary sharing without your consent and the candidate's knowledge.
Our ATS vendor is based in the US. Does that mean every CV upload is an international data transfer?
If candidate data is processed on US-based servers without an EU data residency option, yes — each upload constitutes a transfer to a third country under GDPR. This requires either the vendor to be covered by an active adequacy mechanism (the EU-US Data Privacy Framework, renewed 2024, covers many US cloud vendors), or Standard Contractual Clauses incorporated into your vendor agreement. Ask your vendor explicitly: where is candidate data stored? Is there an EU data residency option? Do your standard terms include SCCs? Most major cloud ATS vendors can answer these questions. If they can't, that's a red flag.
A Practical Compliance Checklist
EU Recruitment Agency Compliance Checklist 2026
- Written data retention policy with specific periods by category (not "as long as necessary")
- Consent mechanism on all application forms — separate from T&Cs, with plain language
- Privacy notice that describes: purposes, legal bases, retention periods, AI use, international transfers
- Data Processing Agreements (or Article 26 joint controller arrangements) in all client contracts
- Documented legitimate interest assessment for any sourcing not based on direct application
- SAR/erasure request procedure with assigned ownership and 30-day response SLA
- ATS configured with retention flags or auto-anonymisation
- Candidate notification for any AI screening tool that influences selection decisions
- Human review checkpoint before AI-influenced rejections are communicated
- DPA or SCCs in all vendor agreements where personal data is processed
- Record of Processing Activities (RoPA) — required for systematic personal data processing
- Works Council checklist for any German client company engagement
- Annual compliance review (guidance updates regularly; this list will be out of date by 2027)
The CIPD's research reports on employment practices and data in HR are a useful ongoing resource for staying current — they publish practical guidance that bridges the gap between legal requirements and operational HR/recruiting practice. And SHRM's talent acquisition coverage, despite being US-oriented, often covers EU regulatory developments with useful context for US-headquartered companies expanding into European recruitment markets.
European recruitment compliance isn't getting simpler. The EU AI Act adds a new layer on top of GDPR, national laws add further country-specific requirements, and enforcement is becoming more active rather than less. The agencies that handle this well aren't necessarily the ones with the biggest legal budgets — they're the ones who've built compliance into their workflows rather than treating it as a separate checkbox exercise.
The right ATS makes the difference between compliance that requires constant vigilance and compliance that runs in the background. If you want to see how Yena approaches GDPR-native workflows, consent tracking, and EU AI Act transparency requirements, book a 20-minute demo — it's the fastest way to see whether the platform fits your compliance posture.