Applicant Tracking and GDPR Compliance: Ensuring Compliant Hiring for EU Candidates

Gauri Asopa, Content Writer

What every US employer using an ATS must know before posting a single job to EU candidates: configuration, legal basis, vendor contracts, and enforcement risk.


Most ATS and GDPR guides oversimplify compliance by relying on candidate consent as the primary legal basis. However, this approach creates a serious vulnerability: the moment a candidate withdraws consent, you may be legally required to erase their entire record, disrupting pipelines, audits, and future hiring needs. This blog breaks down why consent alone is a flawed strategy and what a more resilient, compliant approach to recruitment data actually looks like.

Does GDPR Apply to Your US Company? (The Answer Is Probably Yes)

THE RULE THAT SURPRISES US EMPLOYERS
Receiving a single CV from a person located in the EU through your careers page, LinkedIn, or a referral triggers full GDPR obligations. There is no US incorporation exemption. Fines are calculated on global annual revenue, not EU revenue.

GDPR Article 3 defines scope on the basis of the data subject's location, not where your company is registered or where your servers sit. The moment a German software engineer submits an application through your Greenhouse portal, you are processing personal data of an EU-located individual in the context of offering employment services to people in the EU. That is GDPR jurisdiction.

This catches US companies completely off guard for one simple reason: most US compliance thinking is entity-based. You're a Delaware LLC. You have no EU office. Surely European rules don't reach you? They do, explicitly and by design. The drafters of GDPR wrote the extraterritorial provision specifically to prevent companies from avoiding obligations.

What GDPR Actually Requires From Your Recruitment Data Process

The General Data Protection Regulation is not a single rule; it is a framework of obligations that apply simultaneously. For US companies using an ATS to manage EU candidate data, the relevant obligations cluster into five areas.

Lawful Basis

You must have a documented legal ground for every candidate-data processing activity before it begins, not after a complaint arrives. More on this in Section 3, because the default US assumption (consent) is wrong for recruitment.

Transparency

Candidates must be told at the point of data collection: what data you collect, why, how long you keep it, who you share it with, what rights they have, and how to exercise those rights. This means a GDPR-compliant candidate privacy notice linked at every application touchpoint.

Data Subject Rights

EU candidates have the right to access their data (DSAR), correct it, delete it (Right to Erasure, Article 17), restrict processing, and object to processing. Your ATS must support each of these operationally, not just theoretically.

Note on backup deletion: Deleting a candidate profile in your ATS does not automatically purge backups. You have a legal obligation under Article 17 to confirm complete erasure across all systems, including database backups.

Data Minimization

You may only collect data that is adequate, relevant, and limited to what is necessary for the specific purpose. US job applications routinely ask for date of birth, gender, and salary history, fields that are either unnecessary or legally restricted in EU contexts.

Retention Limits

Data may not be kept indefinitely. You must define retention periods by category, communicate them to candidates, and automate deletion or anonymization at the end of each retention window. ATS archive features that US teams treat as benign are GDPR landmines.

Recommended listening: Ensuring GDPR is at the Heart of your Recruitment Processes — The Talent Exchange

The Lawful Basis Problem: Why Consent Is the Wrong Default

CRITICAL COMPLIANCE ERROR
Every competing guide on ATS and GDPR tells you to get candidate consent. That is dangerous advice. Consent as the sole legal basis for processing recruitment data creates a deletion trap: any candidate who withdraws consent is entitled to immediate erasure of their entire record, with no fallback.

There are six lawful bases under GDPR Article 6. For recruitment, the two appropriate anchors are:

  1. Legitimate Interests (Article 6(1)(f)), for assessing candidates during an active hiring process
  2. Contractual Necessity (Article 6(1)(b)), for processing the data of an accepted candidate in order to enter an employment contract

Consent may be used as a supplement, for example by asking a candidate whether you can retain their résumé in the ATS for future roles, but it should never be the primary basis for an active hiring process.

Why does this matter practically? Under legitimate interests, you do not need to delete a candidate's record the moment they ask, as long as your processing remains proportionate and you have conducted a Legitimate Interest Assessment (LIA). Under consent-only, a candidate's withdrawal triggers an erasure obligation with very limited exceptions. If your HRIS, payroll system, or backup infrastructure has replicated that record, you have a complex deletion cascade to manage, and the clock starts the moment they withdraw.

The correct approach: document legitimate interests as your primary basis, supplement with consent only for optional retention or profile sharing, and execute a formal LIA before your first EU job posting goes live.
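As an added illustration (not code from the original post or from any ATS vendor), the following Python sketch models the lawful-basis logic described in this section together with the backup-deletion note earlier: consent-based purposes become due for erasure the moment consent is withdrawn, legitimate-interest purposes are untouched by a withdrawal and simply expire at the end of their retention window, and erasure only counts as complete once every replica, backups included, confirms a purge. The retention schedule, the 30-day response window, the candidate id and the system names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed retention schedule in days, keyed by processing purpose.
# Real windows come from your own documented retention schedule and LIA.
RETENTION_DAYS = {
    "active_hiring": 180,   # legitimate interests: assessing candidates
    "talent_pool": 365,     # consent: optional retention for future roles
}
RESPONSE_DAYS = 30          # assumed response window for a data subject request

@dataclass
class Processing:
    purpose: str
    lawful_basis: str                      # "legitimate_interests", "contract" or "consent"
    started: date
    consent_withdrawn: Optional[date] = None

@dataclass
class CandidateRecord:
    candidate_id: str
    processing: list
    replicas: set                          # every system holding a copy, backups included
    purged: set = field(default_factory=set)

def purposes_to_erase(rec: CandidateRecord, today: date) -> dict:
    """Map each purpose whose data must go to (reason, deadline).

    A consent-based purpose is due as soon as consent is withdrawn (the
    deletion trap); legitimate-interest and contract purposes ignore the
    withdrawal and only expire when their retention window ends.
    """
    due = {}
    for p in rec.processing:
        if p.lawful_basis == "consent" and p.consent_withdrawn is not None:
            deadline = p.consent_withdrawn + timedelta(days=RESPONSE_DAYS)
            due[p.purpose] = ("consent withdrawn", deadline)
            continue
        window = RETENTION_DAYS.get(p.purpose)
        if window is not None and today > p.started + timedelta(days=window):
            due[p.purpose] = ("retention window expired",
                              p.started + timedelta(days=window))
    return due

def outstanding_replicas(rec: CandidateRecord) -> list:
    """Systems still holding a copy; erasure is complete only when this is empty."""
    return sorted(rec.replicas - rec.purged)

def demo(today: str = "2025-06-01") -> dict:
    """Constructed sample: two purposes, talent-pool consent withdrawn on 2025-05-20."""
    rec = CandidateRecord(
        candidate_id="cand-0001",          # placeholder id, not a real record
        processing=[
            Processing("active_hiring", "legitimate_interests", date(2025, 3, 1)),
            Processing("talent_pool", "consent", date(2025, 3, 1),
                       consent_withdrawn=date(2025, 5, 20)),
        ],
        replicas={"ats", "hris", "backup"},
    )
    rec.purged.update({"ats", "hris"})     # backup purge not yet confirmed
    return {"due": purposes_to_erase(rec, date.fromisoformat(today)),
            "outstanding": outstanding_replicas(rec)}
```

Running `demo()` shows only the consent-based talent-pool purpose falling due on withdrawal while the legitimate-interest hiring data is kept until its window expires, and the unpurged backup keeps the erasure marked incomplete.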

Your ATS as a Data Processor: The DPA You Must Execute

Under GDPR Article 28, any third party that processes personal data on your behalf is a data processor. Your ATS vendor, whether Greenhouse, Lever, Workable, or any other, processes EU candidate data on your instructions. That makes them a processor, and you are required to have a signed, GDPR-compliant Data Processing Agreement (DPA) in place before any EU candidate data enters their system.

The vendor's standard Terms of Service is not a DPA. A GDPR-compliant DPA must include:

  1. The processing subject matter, duration, nature, and purpose
  2. The categories of data subjects and of personal data
  3. Your obligations and rights as controller
  4. Specific commitments from the processor regarding security, sub-processor management, and deletion at contract end

Most major ATS vendors have DPAs available on request or in their trust/legal documentation portals. The failure point is not that the DPA doesn't exist; it's that US HR teams never ask for it and never execute it. Failure to have a signed DPA exposes you to a lower-tier GDPR fine of up to €10 million or 2% of global annual turnover, whichever is higher.

ACTION REQUIRED
Before your next EU job posting: download your ATS vendor's DPA, have it reviewed by GDPR-competent counsel, execute it, and retain the signed copy. If your vendor doesn't offer a DPA, that is a significant red flag about their fitness for EU data processing.

EU-US Data Transfers: The $290M Mistake Most US HR Teams Are Making

REAL ENFORCEMENT · REAL CONSEQUENCES

In 2023, according to Europe Day, Uber was fined €290 million by the Dutch Data Protection Authority for transferring driver data from the EU to US servers without adequate transfer safeguards. The mechanism for candidate data in a US-hosted ATS is identical. Most US companies are making exactly this mistake right now.

When a candidate in Germany submits an application and that data routes to your ATS vendor's servers in Virginia, you have executed a cross-border data transfer from the EU to a third country. GDPR Chapter V requires that this transfer be protected by one of three mechanisms:

  1. EU-US Data Privacy Framework (DPF): verify vendor certification at dataprivacyframework.gov
  2. Standard Contractual Clauses (SCCs): 2021 version, executed as a standalone agreement or incorporated into the DPA
  3. Binding Corporate Rules (BCRs): relevant only for large multinationals with extensive internal data flows

DPF Certification: The Simpler Path

Verify that your ATS vendor is certified under the EU-US Data Privacy Framework at dataprivacyframework.gov. If certified, their processing of EU candidate data is covered for the transfer mechanism obligation. Greenhouse, Lever, and Workable are all DPF-certified as of 2024–2025, but verify current status, as certification must be renewed annually.

Standard Contractual Clauses (SCCs)

SCCs are the alternative if your vendor is not DPF-certified, or an additional layer on top of certification. SCCs (2021 version) must be executed as a standalone agreement or incorporated into your DPA, and they also require a Transfer Impact Assessment (TIA), a documented analysis of whether the destination country's legal framework undermines the protections offered by the SCCs.

For the US, this means assessing the impact of FISA 702 on candidate data, a legal analysis that requires competent EU data protection counsel.

The EU Representative Obligation (Article 27)

Article 27 of GDPR requires that any controller or processor established outside the EU but subject to GDPR designate a representative in an EU member state in writing. This representative acts as a contact point for data subjects and supervisory authorities. It is not optional; it is a mandatory compliance appointment, and the fine for failure reaches up to €10 million or 2% of global turnover.

This obligation is absent from virtually every ATS-focused GDPR guide, yet it is one of the easiest compliance items to execute and demonstrate. Reputable EU Representative services offer designation under Article 27 for approximately $1,000–$3,000 per year depending on tier.

Recommended EU Representative Services

You designate them formally in writing, update your privacy notice to include their contact details, and they handle supervisory authority correspondence on your behalf.

Configuring Your Applicant Tracking System for GDPR Compliance

Most organizations treat GDPR configuration as a feature list. The problem is sequencing: if you configure candidate-facing consent before you have documented a lawful basis, you have built on a flawed foundation. If you execute a DPA before identifying sub-processors, you may need to renegotiate. Sequence matters: the wrong order costs time and legal fees.

  1. Document lawful basis - Complete a Legitimate Interest Assessment before any EU data enters your ATS. This is your legal anchor for everything that follows.
  2. Execute the DPA with your ATS vendor - Do not process EU data without a signed, GDPR-compliant DPA.
  3. Verify transfer mechanism - Confirm DPF certification or execute SCCs + TIA. This must be in place before data flows to US servers.
  4. Appoint EU Representative - Designate formally in writing; update all privacy notices immediately.
  5. Configure ATS data settings - Activate EU data residency if available, set retention periods per data category, enable automated deletion workflows.
  6. Build candidate privacy notice - GDPR-compliant notice linked at every application entry point, referencing lawful basis, retention periods, data subject rights, and EU Rep contact details.
  7. Activate DSAR workflow - Configure your ATS to generate access reports on demand; establish a 30-day response procedure with a named owner.
  8. Disable or document AI screening features - If using AI scoring, implement Article 22 disclosures before those features run on EU candidates.

CASE STUDY - UPMC IRELAND
According to Cezzane, UPMC (a US-based healthcare system) achieved €660,000 in annual savings and a 67% reduction in time-to-hire while implementing a GDPR-compliant centralised ATS across 13 facilities. Compliance cost was offset by recruitment efficiency gains within the first year.

AI Resume Screening and Article 22: What US Companies Must Disclose

If your ATS uses AI-powered scoring, ranking, or filtering (Greenhouse AI, Lever Intelligence, HireVue video assessments, or any integrated tool that assigns a score or recommendation to a candidate), you are engaging in automated decision-making with legal or significant effects on individuals. GDPR Article 22 imposes specific obligations on this processing.

The obligations are three-fold:

  1. Disclose to candidates that automated decision-making is taking place, what logic is involved, and what significance and consequences it may have for them
  2. Give candidates the right to request human review of any automated decision
  3. Give candidates the right to express their point of view and contest a decision

The practical implication: If a candidate is screened out by Greenhouse's AI matching score and you cannot demonstrate that a human was meaningfully involved in that decision, and if you did not disclose automated decision-making in your privacy notice, you have an Article 22 violation. The candidate can use this to challenge the hiring decision and compel a full human re-review.

GDPR vs. CCPA: What US Compliance Teams Get Wrong About Overlap

The most dangerous assumption in US compliance departments is that CCPA compliance provides meaningful GDPR coverage. It does not. The two frameworks operate on fundamentally different architectures, and the gap is largest precisely where ATS design decisions are made.

  • Default Posture: CCPA follows an opt-out model, while GDPR requires a clear lawful basis (opt-in approach) before any data processing begins.
  • Employment Data Scope: CCPA has historically had limited coverage for applicant data, whereas GDPR fully applies to all candidates as data subjects.
  • Consent Mechanism: CCPA relies on opt-out and “Do Not Sell” links; GDPR mandates freely given, specific, informed, and unambiguous consent.
  • Data Retention: CCPA does not enforce strict retention timelines, but GDPR requires purpose-based retention with a defined and documented schedule.
  • AI & Automated Decisions: CCPA offers limited protections, while GDPR (Article 22) gives candidates the right to human review of automated decisions.
  • Penalties & Fines: CCPA penalties go up to $7,500 per intentional violation; GDPR imposes much stricter fines up to €20M or 4% of global annual turnover.

The applicant tracking system configuration implication is direct: a US ATS built for CCPA compliance will have opt-out-style consent banners, unlimited-duration data archiving, and no automated decision-making disclosure. That configuration is affirmatively non-compliant with GDPR. Do not assume any overlap. Build the two compliance stacks separately, with separate configuration documentation for each.

GDPR-Applicant Tracking System Readiness Checklist

Use this as your pre-launch audit before any EU job posting goes live, and as ongoing documentation for legal sign-off or M&A diligence.

Legal Foundation

  • Legitimate Interest Assessment (LIA) completed and documented for recruitment processing
  • Data Processing Agreement (DPA) executed with ATS vendor, not just vendor Terms of Service
  • Sub-processors under your ATS identified and covered by DPA or sub-processor agreements
  • EU Representative appointed under Article 27; designation letter on file
  • UK GDPR Representative appointed separately if hiring in the UK

Data Transfer Compliance

  • ATS vendor DPF certification verified at dataprivacyframework.gov
  • SCCs executed if DPF certification is absent or as additional safeguard layer
  • Transfer Impact Assessment (TIA) documented for all SCC-based transfers
  • Data flow map completed showing where EU candidate data travels and to whom

ATS Configuration

  • EU data residency activated (if available on your tier)
  • Retention periods configured by data category; automated deletion enabled
  • DSAR workflow active; 30-day response procedure documented with named owner
  • Right to Erasure workflow tested, including backup purge confirmation process
  • Consent module activated only for optional processing (talent pool retention, not core hiring)
  • Application forms audited; unnecessary fields (DOB, gender, salary history) removed for EU postings

Transparency & AI

  • GDPR-compliant candidate privacy notice drafted, reviewed by EU counsel, and published
  • Privacy notice linked at every application entry point (careers page, LinkedIn Easy Apply redirect, email intake)
  • EU Representative contact details included in privacy notice
  • AI scoring/screening features audited; Article 22 disclosures added to privacy notice if any are active
  • Human review pathway documented and operationally active for AI-screened candidates
  • Records of Processing Activities (ROPA) under Article 30 created for all recruitment data flows

Conclusion

Applicant tracking and GDPR compliance is not a checkbox exercise that ends when you tick 'GDPR feature' in your ATS settings. It is a continuous legal obligation, one that attaches the moment a single EU-located person submits a CV through any channel you control.

Each of the gaps above is fixable. None is expensive relative to the fines it prevents.

If your company is about to post its first EU-facing job opening, the compliance build sequence in Section 8 is your starting point. If you already have EU candidates in your ATS and have not completed these steps, you are already non-compliant, and the enforcement clock is running.

Frequently Asked Questions

Does GDPR apply to a US company with no offices in the EU?

Yes. GDPR Article 3 applies extraterritorially to any organization that offers goods or services to individuals in the EU, or that monitors EU individuals' behaviour. Collecting a job application from an EU-located person qualifies. There is no exemption based on incorporation address, office location, or EU revenue threshold.

We only hire one or two EU candidates a year. Do we still need full GDPR compliance?

Yes. GDPR obligations are not proportional to volume; they apply from the first instance of processing EU personal data. However, certain obligations (like appointing a Data Protection Officer) are triggered by scale or type of processing. An organization processing small volumes of non-sensitive EU candidate data may not need a DPO but still needs a DPA, lawful basis documentation, a privacy notice, and a transfer mechanism.

Our ATS vendor says they are GDPR compliant. Is that enough?

No. Vendor GDPR compliance is a necessary but not sufficient condition. You also need: a signed DPA with that vendor, verification of their DPF certification or execution of SCCs, correct configuration of GDPR-specific features in your account, and your own lawful basis documentation, privacy notices, and data subject rights processes. Vendor compliance does not substitute for controller compliance.

What is the difference between a DPA and Terms of Service?

A Terms of Service governs the commercial relationship between you and your ATS vendor. A Data Processing Agreement (DPA) is a separate GDPR-mandated contract that governs how your vendor processes personal data on your behalf as a processor under Article 28.

Can we use GDPR candidate consent as the default lawful basis in our ATS?

No. Consent as the sole basis for recruitment data processing is dangerous. Candidates can withdraw consent at any time, and withdrawal triggers an erasure obligation with limited exceptions. The correct primary basis for active recruitment is legitimate interests (Article 6(1)(f)) supported by a Legitimate Interest Assessment, or contractual necessity (Article 6(1)(b)) for candidates who have accepted an offer. Consent may be used as a supplement for optional processing only.

What is a Data Subject Access Request (DSAR) and how must we handle it?

A DSAR is a request from a candidate (or any individual) for a copy of all personal data you hold about them. Under GDPR Article 15, you must respond within 30 days (extendable to 90 days for complex requests).

Do we need to appoint a Data Protection Officer (DPO)?

For most US companies doing standard recruitment of EU candidates: probably not. DPO appointment is mandatory under Article 37 for public authorities; for organizations whose core activities require large-scale, systematic monitoring of data subjects; and for organizations whose core activities involve large-scale processing of special categories of data.

Gauri Asopa, Senior Marketing Executive at Zimyo

I believe great content isn't just written — it's felt. As a Senior Marketing Executive at Zimyo, I craft stories around HR tech, payroll, compliance, and modern workplace trends. Whether it's a blog, brand campaign, or email sequence, I love turning complex ideas into clear, engaging narratives. My journey has always been rooted in curiosity — about people, patterns, and what makes a message truly stick. When I'm not writing, I'm curating mood boards, collecting new books, or getting lost in lofi playlists and timeless aesthetics.
