Applicant Tracking and GDPR Compliance: Ensuring Compliant Hiring for EU Candidates

Gauri Asopa, Content Writer

Most ATS and GDPR guides oversimplify compliance by relying on candidate consent as the primary legal basis. However, this approach creates a serious vulnerability: the moment a candidate withdraws consent, you may be legally required to erase their entire record, disrupting pipelines, audits, and future hiring needs. This blog breaks down why consent alone is a flawed strategy and what a more resilient, compliant approach to recruitment data actually looks like.

Does GDPR Apply to Your US Company? (The Answer Is Probably Yes)

THE RULE THAT SURPRISES US EMPLOYERS
Receiving a single CV from a person located in the EU through your careers page, LinkedIn, or a referral triggers full GDPR obligations. There is no US incorporation exemption. Fines are calculated on global annual revenue, not EU revenue.

Article 3 of the GDPR determines the scope based on the data subject’s location, not on your legal registration or the location of your servers. The instant that a German software developer applies to your position via your Greenhouse platform, you are processing the personal information of someone located within the EU for employment services within the EU. That is GDPR jurisdiction.

The surprise for many US companies stems from one basic habit: they reason about GDPR in terms of legal entity rather than data subject. “I’m a Delaware LLC; I don’t have any EU offices; of course, GDPR doesn’t apply to me!” It does, and explicitly by design; the drafters of the GDPR crafted this specific provision for the exact purpose of preventing companies from.

What GDPR Actually Requires From Your Recruitment Data Process

The General Data Protection Regulation is not a single rule; it is a framework of obligations that apply simultaneously. For US companies using an ATS to manage EU candidate data, the relevant obligations cluster into five areas.

Lawful Basis

You must have a documented legal ground for every candidate-data processing activity before it begins, not after a complaint arrives. More on this in the lawful basis section below, because the default US assumption (consent) is wrong for recruitment.

Transparency

Candidates must be told at the point of data collection: what data you collect, why, how long you keep it, who you share it with, what rights they have, and how to exercise those rights. This means a GDPR-compliant candidate privacy notice is linked at every application touchpoint.

Data Subject Rights

EU candidates have the right to access their data (DSAR), correct it, delete it (right to erasure, Article 17), restrict processing, and object to processing. Your ATS must support each of these operationally, not just theoretically.

Note on backup deletion: Deleting a candidate profile in your ATS does not automatically purge backups. You have a legal obligation under Article 17 to confirm complete erasure across all systems, including database backups.

Data Minimization

You may only collect data that is adequate, relevant, and limited to what is necessary for the specific purpose. US job applications routinely ask for date of birth, gender, and salary history, fields that are either unnecessary or legally restricted in EU contexts.

Retention Limits

Data may not be kept indefinitely. You must define retention periods by category, communicate them to candidates, and automate deletion or anonymization at the end of each retention window. ATS archive features that US teams treat as benign are, in fact, GDPR landmines.

Recommended listening: Ensuring GDPR is at the Heart of your Recruitment Processes — The Talent Exchange

The Lawful Basis Problem: Why Consent Is the Wrong Default

CRITICAL COMPLIANCE ERROR
Every competing guide on ATS and GDPR tells you to get candidate consent. That is dangerous advice. Consent as the sole legal basis for processing recruitment data creates a deletion trap; any candidate who withdraws consent is entitled to immediate erasure of their entire record, with no fallback.

The appropriate lawful bases for recruitment processing are:

  1. Legitimate Interests (Article 6(1)(f)) for assessing candidates during an active hiring process
  2. Contractual Necessity (Article 6(1)(b)) for processing data of an accepted candidate to enter an employment contract

Consent may be used as a supplement, for example, asking a candidate whether you can retain their resume in the ATS for future roles, but it should never be the primary basis for an active hiring process.

Why does this matter practically? Under legitimate interests, you do not need to delete a candidate’s record the moment they ask, as long as your processing remains proportionate and you have conducted a Legitimate Interest Assessment (LIA). Under consent-only, a candidate’s withdrawal triggers an erasure obligation with very limited exceptions. If your HRIS, payroll system, or backup infrastructure has replicated that record, you have a complex deletion cascade to manage, and the clock starts the moment they withdraw.

The correct approach: document legitimate interests as your primary basis, supplement with consent only for optional retention or profile sharing, and execute a formal LIA before your first EU job posting goes live.
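The retention and deletion logic described in the Retention Limits, Data Subject Rights and Lawful Basis sections is easy to get subtly wrong in an ATS, so here is a small added example of how the pieces fit together. It is not code from the original post or from any ATS vendor. It assumes a constructed per-category retention schedule (RETENTION_DAYS), a constructed list of systems that hold replicas of a candidate record (REPLICA_SYSTEMS, including backups), and two lawful bases: under consent, a withdrawal opens an erasure task immediately; under legitimate interests, only the expiry of the retention window does. An Article 17 erasure task is not considered complete until every replica, backups included, has confirmed the purge.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention window per data category, in days. Constructed placeholder values;
# the real windows come from your documented, candidate-facing retention schedule.
RETENTION_DAYS = {
    "application": 180,      # CV, cover letter, application form answers
    "interview_notes": 180,  # scorecards and interviewer feedback
    "talent_pool": 365,      # optional retention for future roles, consent-based
}

# Every system that holds a copy of a candidate record and must confirm erasure
# before an Article 17 request is closed. Constructed list; take yours from the
# data flow map, and do not forget the backups.
REPLICA_SYSTEMS = ("ats", "hris", "ats_backup", "hris_backup")


@dataclass
class CandidateRecord:
    candidate_id: str
    category: str            # key into RETENTION_DAYS
    lawful_basis: str        # "legitimate_interests" or "consent"
    collected_on: date
    consent_withdrawn: bool = False


@dataclass
class ErasureTask:
    """One open erasure request; complete only when every replica has confirmed."""
    candidate_id: str
    pending: set = field(default_factory=lambda: set(REPLICA_SYSTEMS))

    def confirm(self, system: str) -> None:
        """Record that a system (including a backup) has purged the record."""
        self.pending.discard(system)

    @property
    def complete(self) -> bool:
        return not self.pending


def retention_deadline(record: CandidateRecord) -> date:
    """Last day the record may be kept under its category's retention window."""
    return record.collected_on + timedelta(days=RETENTION_DAYS[record.category])


def erasure_required(record: CandidateRecord, today: date) -> bool:
    """Erase when the retention window has expired, or, for consent-based
    processing only, as soon as the candidate withdraws consent. Under
    legitimate interests a withdrawal alone does not force immediate erasure."""
    if today > retention_deadline(record):
        return True
    return record.lawful_basis == "consent" and record.consent_withdrawn


def retention_sweep(records, today: date) -> list:
    """Daily job: open one ErasureTask per record that must be erased."""
    return [ErasureTask(r.candidate_id) for r in records if erasure_required(r, today)]


def open_tasks(tasks) -> list:
    """IDs still waiting on at least one replica (typically a backup) to confirm."""
    return [t.candidate_id for t in tasks if not t.complete]


if __name__ == "__main__":
    # Constructed sample records: one active legitimate-interests record, one
    # consent-based talent-pool record whose consent was withdrawn, one expired.
    today = date(2025, 6, 1)
    records = [
        CandidateRecord("c-001", "application", "legitimate_interests", date(2025, 1, 1)),
        CandidateRecord("c-002", "talent_pool", "consent", date(2025, 3, 1), consent_withdrawn=True),
        CandidateRecord("c-003", "interview_notes", "legitimate_interests", date(2024, 10, 1)),
    ]
    tasks = retention_sweep(records, today)
    for t in tasks:            # primary systems purge first; backups lag behind
        t.confirm("ats")
        t.confirm("hris")
    print("erasure opened for:", [t.candidate_id for t in tasks])
    print("still waiting on backups:", open_tasks(tasks))
```

The point of the `ErasureTask` ledger is the backup caveat from the Data Subject Rights section: the ATS profile disappearing is not the end of the obligation, and the task stays open until each backup system has confirmed. Keeping the lawful basis on the record is what lets the sweep treat a consent withdrawal differently from an objection under legitimate interests.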

Your ATS as a Data Processor: The DPA You Must Execute

Under GDPR Article 28, any third party that processes personal data on your behalf is a data processor. Your ATS vendor, whether Greenhouse, Lever, Workable, or any other platform, will collect EU candidate data on your instructions. That makes them a processor, and you are required to have a signed, GDPR-compliant Data Processing Agreement (DPA) in place before any EU candidate data is processed in their system.

The vendor’s standard Terms of Service is not a DPA. A GDPR-compliant DPA must include:

  1. The processing subject matter, duration, nature, and purpose
  2. The categories of data subjects and of personal data
  3. Your obligations and rights as a controller
  4. Specific commitments from the processor regarding security, sub-processor management, and deletion at contract end

Most major ATS vendors offer DPAs upon request or through their trust/legal documentation portals. The failure point isn’t that the DPA doesn’t exist; it’s that US HR teams never request it or implement it. Failure to have a signed DPA exposes you to a lower-tier GDPR fine of up to €10 million or 2% of global annual turnover, whichever is higher.

ACTION REQUIRED
Before your next EU job posting: download your ATS vendor’s DPA, have it reviewed by GDPR-competent counsel, execute it, and retain the signed copy. If your vendor doesn’t offer a DPA, that is a significant red flag about their fitness for EU data processing.

EU-US Data Transfers: The €290M Mistake Most US HR Teams Are Making

REAL ENFORCEMENT · REAL CONSEQUENCES

In 2023, on Europe Day, Uber was fined €290 million by the Dutch Data Protection Authority for transferring driver data from the EU to US servers without adequate safeguards. The mechanism for candidate data in a US-hosted ATS is identical. Most US companies are making exactly this mistake right now.

When a candidate in Germany submits an application and that data routes to your ATS vendor’s servers in Virginia, you have executed a cross-border data transfer from the EU to a third country. GDPR Chapter V requires that this transfer be protected by one of three mechanisms:

  1. EU-US Data Privacy Framework (DPF): verify the vendor’s certification at dataprivacyframework.gov
  2. Standard Contractual Clauses (SCCs): the 2021 version, executed as a standalone agreement or incorporated into the DPA
  3. Binding Corporate Rules (BCRs): apply only to large multinationals with extensive internal data flows

DPF Certification: The Simpler Path

Verify that your ATS vendor is certified under the EU-US Data Privacy Framework at dataprivacyframework.gov. If certified, their processing of EU candidate data is covered for the transfer mechanism obligation. Greenhouse, Lever, and Workable are all DPF-certified as of 2024–2025, but verify current status, as certification must be renewed annually.

Standard Contractual Clauses (SCCs)

SCCs are the alternative if your vendor is not DPF-certified, or as an additional layer. SCCs (2021 version) must be executed as a standalone agreement or incorporated into your DPA, and they also require a Transfer Impact Assessment (TIA), a documented analysis of whether the destination country’s legal framework undermines the protections offered by the SCCs.

For the US, this means assessing the impact of FISA 702 on candidate data, a legal analysis that requires competent EU data protection counsel.

The EU Representative Obligation (Article 27)

Article 27 of GDPR requires that any controller or processor established outside the EU but subject to GDPR designate a representative in an EU member state in writing. This representative serves as a point of contact for data subjects and supervisory authorities. It is not optional; it is a mandatory compliance appointment, and the fine for failure reaches up to €10 million or 2% of global annual turnover. This obligation is absent from virtually every ATS-focused GDPR guide, yet it is one of the easiest items to demonstrate compliance with. EU Representative services offer designation under Article 27 for approximately $1,000–$3,000 per year, depending on tier.

Recommended EU Representative Services

You designate them formally in writing, update your privacy notice to include their contact details, and they handle supervisory authority correspondence on your behalf.

Configuring Your Compliant Applicant Tracking System for GDPR

Most organizations treat GDPR configuration as a feature list. The problem is sequencing: if you configure candidate-facing consent before you have documented a lawful basis, you have built on a flawed foundation. If you execute a DPA before identifying sub-processors, you may need to renegotiate. Sequence matters; the wrong order costs time and legal fees.

  • Document lawful basis: complete a Legitimate Interest Assessment before any EU data enters your ATS. This is your legal anchor for everything that follows.
  • Execute the DPA with your ATS vendor: do not process EU data without a signed, GDPR-compliant DPA.
  • Verify transfer mechanism: confirm DPF certification or execute SCCs plus a TIA. This must be in place before data flows to US servers.
  • Appoint EU Representative: designate formally in writing and update all privacy notices with their contact details.
  • Configure ATS data settings: activate EU data residency if available, set retention periods per data category, and enable automated deletion workflows.
  • Build candidate privacy notice: a GDPR-compliant notice linked at every application entry point, referencing lawful basis, retention periods, data subject rights, and EU Rep contact details.
  • Activate the DSAR workflow: configure your ATS to generate access reports on demand and establish a 30-day response procedure with a named owner.
  • Disable or document AI screening features: if using AI scoring, implement Article 22 disclosures before those features run on EU candidates.

CASE STUDY
According to Cezanne, UPMC (a US-based healthcare system) achieved €660,000 in annual savings and a 67% reduction in time-to-hire by implementing a GDPR-compliant centralized ATS across 13 facilities. Compliance costs were offset by recruitment efficiency gains in the first year.

AI Resume Screening Hiring Process and Article 22: What US Companies Must Disclose

If your ATS uses AI-powered scoring, ranking, or filtering (Greenhouse AI, Lever Intelligence, HireVue video assessments, or any integrated tool that assigns a score or recommendation to a candidate), you are engaging in automated decision-making with legal or similarly significant effects on individuals. GDPR Article 22 imposes specific obligations on this processing.

The obligations are threefold:

  1. Disclose to candidates that automated decision-making is taking place, what logic is involved, and what significance and consequences it may have for them.
  2. Give candidates the right to request human review of any automated decision.
  3. Give candidates the right to express their views and contest decisions.

The practical implication: if a candidate is screened out by an AI matching score in your ATS, you cannot demonstrate that a human was meaningfully involved in that decision, and you did not disclose automated decision-making in your privacy notice, you have an Article 22 violation. The candidate can use this to challenge the hiring decision and compel a full human re-review.

GDPR vs. CCPA: What US Compliance Teams Get Wrong About Overlap

The most dangerous assumption in US compliance departments is that CCPA compliance provides meaningful GDPR coverage. It does not. The two frameworks operate on fundamentally different architectures, and the gap is largest precisely where ATS design decisions are made.

  • Default Posture: CCPA follows an opt-out model, while GDPR requires a clear lawful basis (opt-in approach) before any data processing begins.
  • Employment Data Scope: CCPA has historically had limited coverage for applicant data, whereas GDPR fully applies to all candidates as data subjects.
  • Consent Mechanism: CCPA relies on opt-out and “Do Not Sell” links; GDPR mandates freely given, specific, informed, and unambiguous consent.
  • Data Retention: CCPA does not enforce strict retention timelines, but GDPR requires purpose-based retention with a defined and documented schedule.
  • AI & Automated Decisions: CCPA offers limited protections, while GDPR (Article 22) gives candidates the right to human review of automated decisions.
  • Penalties & Fines: CCPA penalties can reach $7,500 per intentional violation; GDPR imposes much stricter fines up to €20M or 4% of global annual turnover.

The applicant tracking system configuration implication is direct: a US ATS built for CCPA compliance will have opt-out-style consent banners, unlimited-duration data archiving, and no automated decision-making disclosure. That configuration is affirmatively non-compliant with GDPR. Do not assume any overlap. Build the two compliance stacks separately, with separate configuration documentation for each.

GDPR-Applicant Tracking System Readiness Checklist

Use this as your pre-launch audit before any EU job posting goes live, and as ongoing documentation for legal sign-off or M&A diligence.

Legal Foundation

  • Legitimate Interest Assessment (LIA) completed and documented for recruitment processing.
  • Data Processing Agreement (DPA) executed with ATS vendor, not just the vendor’s Terms of Service accepted
  • Sub-processors under your ATS identified and covered by a DPA or sub-processor agreement
  • EU Representative appointed under Article 27; designation letter on file
  • UK GDPR Representative appointed separately if hiring in the UK.

Data Transfer Compliance

  • ATS vendor DPF certification verified at dataprivacyframework.gov
  • SCCs are executed if DPF certification is absent or as an additional safeguard layer.
  • Transfer Impact Assessment (TIA) documented for all SCC-based transfers.
  • Data flow map completed, showing where EU candidate data travels and to whom

ATS Configuration

  • EU data residency activated (if available on your tier)
  • Retention periods configured by data category; automated deletion enabled
  • DSAR workflow active; 30-day response procedure documented with named owner
  • Right to Erasure workflow tested, including backup purge confirmation process
  • Consent module activated only for optional processing (talent pool retention, not core hiring)
  • Application forms audited; unnecessary fields (DOB, gender, salary history) removed for EU postings

Transparency & AI

  • GDPR-compliant candidate privacy notice drafted, reviewed by EU counsel, and published
  • Privacy notice linked at every application entry point (careers page, LinkedIn Easy Apply redirect, email intake)
  • EU Representative contact details included in privacy notice
  • AI scoring/screening features audited; Article 22 disclosures added to privacy notice if any are active.
  • Human review pathway documented and operationally active for AI-screened candidates
  • Records of Processing Activities (ROPA) under Article 30 created for all recruitment data flows

Conclusion

Applicant tracking and GDPR compliance is not a check-the-box activity that ends when you click the GDPR option in your ATS setup. It is an ongoing legal requirement that takes effect the moment you receive your first resume from any EU-based applicant, via any channel under your control.

Each gap is fixable, and none requires much investment compared to the potential penalty for leaving it open.

If your firm is poised to make its first job offer in the EU market, the configuration roadmap above serves as your guide. If your ATS already holds EU applicants and you lack those elements, you are already non-compliant.

Frequently Asked Questions

Is GDPR applicable to a US-based company without physical presence in the EU?

Yes. According to Article 3 of the GDPR, the regulation applies extraterritorially to organizations that provide goods or services to individuals who are residents of the EU or that monitor their behavior. The collection of a job application from an individual residing in the EU also counts. GDPR is independent of the company’s physical presence within the EU or its revenue generated from the EU.

We employ just one or two EU candidates per annum. Is it necessary for us to fully comply?

Yes. The applicability of GDPR is not contingent on volume; it applies to the processing of a single record containing the personal data of a person in the EU. That said, some obligations under the GDPR depend on the scale or type of the processing operation. For instance, at that volume there will be no need for a Data Protection Officer.

If your ATS vendor claims to be GDPR-compliant, will that suffice?

Not quite. The vendor’s GDPR compliance is just one part of what you must do. You also need a DPA with the vendor; proof of the vendor’s valid DPF certification, or signed SCCs; proper configuration of the GDPR-specific settings in your ATS; and your own lawful basis for processing, privacy notices, and data subject rights procedures. GDPR compliance by your vendor cannot be equated with controller compliance.

What is the difference between a DPA and The Terms of Service?

The Terms of Service govern the business agreement between you and your vendor. A Data Processing Agreement, required by the GDPR, governs the vendor’s data-processing activities as a processor under Article 28 of the GDPR.

Is GDPR candidate consent suitable for being the default lawful basis for recruitment in our ATS?

No. Relying on consent as the main basis for processing recruiting data is too risky. If a candidate revokes consent, the data must be erased, save for very few exceptions. Instead, rely on legitimate interests (Article 6(1)(f)), supported by a documented Legitimate Interest Assessment, or on contractual necessity (Article 6(1)(b)) once a candidate has accepted an offer.

Is a Data Protection Officer required in our case?

For most US-based companies carrying out ordinary recruitment of people in the EU, no. Appointment of a Data Protection Officer is compulsory only in the situations listed in Article 37: public authorities; organizations whose core activities involve large-scale, systematic monitoring of data subjects; and organizations whose core activities involve large-scale processing of special categories of data.

Gauri Asopa, Senior Marketing Executive at Zimyo