Riga, Latvia | Mazā Nometņu iela 31, LV-1002
© 2026 SIA "New Tech".
Compliance Checklist

GDPR compliance checklist for recruiters (practical, not theoretical).

Know your lawful basis, collect only what you need, control access, retain data appropriately, and fulfill candidate requests quickly.

9 min read | Interactive Checklist

Recruiting teams handle sensitive personal data (CVs, contact details, notes), so GDPR compliance has to be built into the workflow, not handled in ad-hoc spreadsheets and inboxes.

Checklist (copy/paste).

01. Lawful basis (Article 6)

Processing must have a lawful basis under GDPR Article 6, such as consent or legitimate interests. For many recruiting activities, 'legitimate interests' can apply, but it requires a defensible assessment and must not override the individual's rights and expectations.

Action items

  • Document which lawful basis you use for: inbound applicants vs sourced candidates vs talent pool nurturing
  • If using legitimate interests, complete a Legitimate Interests Assessment (purpose, necessity, balancing) and store it with your compliance docs
  • Provide clear transparency info (privacy notice) aligned to the purpose you claim for processing

02. Data minimisation (only collect what you need)

GDPR principles include data minimisation—collect data that is adequate, relevant, and limited to what's necessary for the recruiting purpose. In recruiting practice, avoid collecting sensitive 'special category' data unless there's a clear need and additional conditions are met (often best avoided entirely).

Action items

  • Define 'required fields' vs 'nice-to-have' fields in your ATS and disable the rest
  • Add a rule: no free-text notes that include unrelated sensitive info (health, political views, etc.)

03. Retention + deletion (storage limitation)

Under storage limitation, personal data should not be kept longer than necessary for the purpose you stated. If the recruiting purpose ends, you should delete (or anonymize) the data rather than keeping it 'just in case.'

Action items

  • Write a retention policy: e.g., unsuccessful applicants deleted after X months unless they opt into a talent pool
  • Track proof of ongoing interest if you keep people in a talent pool for longer periods
  • Implement automated deletion/anonymisation jobs (don't rely on manual cleanup)

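As an added illustration (not Yena's code), here is what an automated retention job for the policy above can look like: each record is classified as keep, anonymise or delete, talent-pool members are kept only while there is recent proof of interest, and unsuccessful applicants are anonymised rather than silently retained. The retention periods and sample candidates are assumed placeholders, since the checklist leaves "X months" open.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional
# Assumed policy values: the checklist leaves "X months" open, so these are placeholders.
UNSUCCESSFUL_RETENTION_DAYS = 365       # unsuccessful applicants: anonymise after 12 months
TALENT_POOL_INTEREST_WINDOW_DAYS = 365  # talent pool: proof of interest needed within 12 months

@dataclass(frozen=True)
class Candidate:
    id: str
    name: str
    email: str
    status: str                      # "active", "rejected", "withdrawn" or "hired"
    closed_on: Optional[date]        # when the recruiting purpose ended; None while active
    talent_pool_opt_in: bool
    last_engagement: Optional[date]  # last proof of interest (reply, opt-in refresh)

def retention_action(c: Candidate, today: date) -> str:
    """Decide 'keep', 'anonymise' or 'delete' for one record under the policy."""
    if c.status == "active" or c.closed_on is None:
        return "keep"  # purpose ongoing
    if c.status == "hired":
        return "keep"  # held under the employment relationship, outside this policy
    if c.talent_pool_opt_in:
        # Storage limitation applies in the pool too: no engagement within the window means stale.
        last = c.last_engagement or c.closed_on
        return "keep" if (today - last).days <= TALENT_POOL_INTEREST_WINDOW_DAYS else "delete"
    # Outside the pool: anonymise once the period lapses, keeping statistics without identities.
    return "anonymise" if (today - c.closed_on).days > UNSUCCESSFUL_RETENTION_DAYS else "keep"

def anonymise(c: Candidate) -> Candidate:
    """Strip identifying fields; keep status and dates for aggregate reporting."""
    return replace(c, name="[anonymised]", email="", last_engagement=None)

def run_retention_job(candidates, today: date) -> dict:
    """Apply the policy to a batch and return candidate ids grouped by action."""
    plan = {"keep": [], "anonymise": [], "delete": []}
    for c in candidates:
        plan[retention_action(c, today)].append(c.id)
    return plan

# Constructed sample data, dated against a fixed "today" so the run is reproducible.
TODAY = date(2026, 3, 1)
SAMPLE = [
    Candidate("c1", "Ana", "ana@example.com", "active", None, False, None),
    Candidate("c2", "Ben", "ben@example.com", "rejected", date(2025, 1, 10), False, None),
    Candidate("c3", "Cy", "cy@example.com", "rejected", date(2025, 12, 1), False, None),
    Candidate("c4", "Di", "di@example.com", "rejected", date(2024, 6, 1), True, date(2025, 11, 1)),
    Candidate("c5", "Ed", "ed@example.com", "withdrawn", date(2024, 6, 1), True, None),
]
```

Running `run_retention_job(SAMPLE, TODAY)` keeps c1, c3 and c4, anonymises c2 and deletes c5; the plan can be written to an audit log before the destructive step runs.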
04. Candidate rights (DSAR-ready)

Candidates can request access to their personal data, and your process must be able to extract and provide it. A DSAR response should cover what data you hold, why you process it, how long you keep it, and other required context.

Action items

  • Create a 'DSAR runbook': intake → identity verification → data export → review (third-party data) → response
  • Ensure you can export a candidate's full record (CV, notes, activity history, sources) from your system of record

05. Access control + confidentiality

Executive search and agency recruiting require controlled visibility (who can see which candidates/searches) because confidentiality is part of the service. Your tooling must enforce this access model so sensitive candidate/client context isn't casually shared across teams.

Action items

  • Define roles (admin, recruiter, researcher) and project-based access ('who can see this search?')
  • Ensure the 'system of record' is not a shared spreadsheet for real candidate data and notes

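An added example (not Yena's code) of how a system of record can enforce the role plus project-based access model above: every check is default-deny, visibility is scoped to the searches a user belongs to, and each decision is written to an audit trail. The role-to-action matrix and the sample users, searches and candidates are assumptions, since the checklist names the roles but not their exact rights.

```python
from dataclasses import dataclass, field

# Assumed role model: the checklist names the roles but not their exact rights.
ROLE_ACTIONS = {
    "admin":      {"view", "export", "share", "manage_access"},
    "recruiter":  {"view", "export", "share"},
    "researcher": {"view"},  # can research, but not export or share records
}

@dataclass
class User:
    id: str
    role: str

@dataclass
class CandidateRecord:
    id: str
    searches: set  # ids of the searches the candidate is attached to; empty = unassigned

@dataclass
class AccessControl:
    searches: dict  # search id -> set of member user ids (one search = one client engagement)
    audit: list = field(default_factory=list)  # every decision is logged, allow or deny

    def visible_searches(self, user: User) -> set:
        """Project-based visibility: admins see all searches, others only the ones they belong to."""
        if user.role == "admin":
            return set(self.searches)
        return {sid for sid, members in self.searches.items() if user.id in members}

    def authorize(self, user: User, action: str, cand: CandidateRecord) -> bool:
        """Default deny: the role must permit the action AND a visible search must hold the record."""
        role_ok = action in ROLE_ACTIONS.get(user.role, set())
        # Unassigned candidates (no searches) are reachable only by admins.
        scope_ok = user.role == "admin" or bool(cand.searches & self.visible_searches(user))
        allowed = role_ok and scope_ok
        self.audit.append((user.id, action, cand.id, "allow" if allowed else "deny"))
        return allowed

# Constructed sample: two confidential searches for different clients, three candidates.
SEARCHES = {"s1": {"u_rec1", "u_res1"}, "s2": {"u_rec2"}}
CANDIDATES = {
    "x": CandidateRecord("x", {"s1"}),
    "y": CandidateRecord("y", {"s2"}),
    "z": CandidateRecord("z", set()),  # sourced but not yet attached to any search
}
USERS = {u.id: u for u in (User("u_adm", "admin"), User("u_rec1", "recruiter"),
                           User("u_rec2", "recruiter"), User("u_res1", "researcher"))}
ACL = AccessControl(SEARCHES)
```

With this model a recruiter on Client A's search cannot even see that Client B's candidate exists, and a researcher can read but not export, which is the confidentiality property a shared spreadsheet cannot give you.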
06. Vendors + processors (DPAs, subprocessors, data residency)

If you use vendors (ATS, enrichment tools, email sync, storage), you need clarity on processing terms and where data is stored/processed. Treat 'we are GDPR-compliant' marketing claims as insufficient without operational controls and agreements.

Action items

  • Maintain a vendor register: vendor, data categories, purpose, lawful basis, retention, location, subprocessors
  • Ensure DPAs exist for any processor handling candidate data

Templates (lead magnets).

These work well as gated downloads and align with how agencies actually operate:

01. Legitimate Interests Assessment (LIA) template

Purpose / necessity / balancing template to document your lawful basis

02. Recruiting retention policy template

Clear retention periods for applicants vs talent pool

03. DSAR response checklist + data export form

Step-by-step process for handling data subject access requests

Common mistakes (what breaks compliance).

Keeping candidate data indefinitely

Storing data 'because it might be useful later' violates storage limitation unless you can justify ongoing purpose and safeguards.

Claiming legitimate interests without documentation

Using legitimate interests without doing the balancing test and documenting it leaves you exposed in an audit or complaint.

Operating from Excel trackers

Letting the real workflow live in spreadsheets with contact details and notes weakens access control and auditability.

GDPR by Design

Use a real system of record, not spreadsheets.

Yena is positioned as an executive-search-first ATS/CRM for Europe, with GDPR and confidentiality needs considered in product design rather than bolted on later. The most practical message: use a real system of record with controlled access and repeatable workflows, because spreadsheet-first execution is exactly where compliance and operational risk multiply.

  • Controlled access: role-based permissions + project visibility
  • Automated retention: scheduled deletion + anonymization workflows
  • DSAR-ready: one-click candidate data export
  • EU-hosted: data residency + DPA included

Frequently asked questions

Having a clear lawful basis for processing (usually legitimate interests for sourced candidates) and being able to prove it with documentation. Without this, all other compliance work is built on shaky ground.

Only as long as necessary for the stated purpose. For unsuccessful applicants, 6-12 months is common. For talent pools, you need ongoing proof of interest (opt-in, engagement tracking). No indefinite storage 'just in case.'

Not always. For sourcing and initial outreach, 'legitimate interests' can apply if you have a defensible assessment and provide transparency. Consent is one option, but not the only lawful basis under Article 6.

You have 30 days to respond. You must provide: what data you hold, why you process it, how long you keep it, who you share it with, and their rights. Your ATS/CRM must be able to export this quickly—spreadsheet-only tracking makes DSARs painful.

Spreadsheets aren't inherently non-compliant, but they make compliance extremely difficult: no access controls, no audit logs, no automated retention, weak security. For serious recruiting operations, spreadsheets create operational and compliance risk.

A DPA is a contract required when a vendor processes personal data on your behalf (your ATS, enrichment tools, etc.). It defines their obligations, security measures, subprocessors, and your rights. Every vendor handling candidate data needs one.

Related resources

  • GDPR DACH Guide: complete compliance guide for the DACH region
  • ATS with CRM Guide: why executive search needs integrated systems
  • ATS for Small Agencies: practical buyer's guide for 1-25 recruiters

GDPR-ready from day one

Built for compliance, not bolt-on compliance.

See how Yena handles GDPR workflows, access control, and data retention—designed for European recruiting agencies.


EU-hosted • DPA included • 14-day free trial