GDPR Compliance Checklist for HR Teams Using Cloud Recruitment Software

Why "GDPR-Compliant" on a Vendor's Website Means Almost Nothing

Every HR software vendor in Europe claims GDPR compliance. It's on their homepage, their security page, and their sales deck.

It also means almost nothing.

GDPR compliance isn't a certification. There's no official badge you earn, no approved-vendor list from the European Data Protection Board. When a vendor says "we're compliant," it typically means: we signed a Data Processing Agreement, we store data in the EU, and we have a privacy policy.

That's table stakes. The real question is: does this tool's feature set actively expose your company to GDPR liability?

Here's what to actually check before signing a contract.

The GDPR Compliance Checklist for HR Software

1. Data Processing Agreement (DPA)

• Vendor provides a standard DPA without requiring you to ask
• DPA references EU Standard Contractual Clauses (SCCs) for any international transfers
• Sub-processors are listed and updated when they change

Red flag: Vendor says "we're compliant" but delays sending a DPA, or offers only a generic privacy policy.

2. Data Residency and Sub-Processors

• Candidate data stored in EU/EEA data centers
• No transatlantic data transfers without SCCs
• All sub-processors (email delivery, analytics, CRM) also covered by SCCs or EU-hosted

Why it matters: Cloud recruiting tools typically use a dozen US-based sub-processors --- Intercom, Segment, Mixpanel, Salesforce. Every sub-processor is a potential transfer risk under Schrems II. Ask vendors for their full sub-processor list, not just their primary hosting location.

3. Candidate Data Retention

• Configurable retention periods by country
• Automated deletion after the retention window closes
• Candidates can request their own data deletion (right to erasure --- Article 17 GDPR)
• Rejected candidates' data deleted within a documented window

Country benchmarks:

• Germany: 6 months post-rejection (standard court precedent)
• France: 2 years with explicit candidate consent; 2 years for approved shortlists
• Netherlands: 4 weeks post-rejection without consent, 1 year with consent

Red flag: No automated deletion. Manual deletion processes will fail during busy hiring periods and create audit exposure.

4. Consent and Legal Basis Management

• Candidate consent logged with timestamp and IP address
• Withdrawal of consent triggers a data deletion workflow
• Sourced candidates (not direct applicants) have a consent flow before being added to the system

Why it matters: Many ATSs let recruiters add LinkedIn-sourced candidates without any consent mechanism. Under GDPR, you need a documented legal basis for every data subject. Legitimate interest works for active job seekers --- but you must document why you collected the data, what you stored, and how long you'll keep it.

5. Access Controls and Audit Logging

• Role-based permissions (recruiter vs. hiring manager vs. HR admin)
• Audit log: who viewed or modified which candidate record, and when
• Two-factor authentication available
• Data portability export in machine-readable format

6. Algorithmic Processing and AI Transparency

• If the tool uses AI scoring, candidates can request an explanation of how they were scored
• Automated rejection decisions include a human review step (GDPR Article 22)
• Scoring criteria documented internally and defensible

Red flag: AI-powered screening tools that rank or reject candidates without disclosing criteria. Article 22 GDPR restricts solely automated decisions that "significantly affect" a candidate --- and rejection from a hiring process qualifies.

7. Country-Specific Compliance Modules

• Germany: Works council (Betriebsrat) documentation support
• France: Works council notification workflow
• Netherlands: Explainable AI scoring
• Spain/Austria/Belgium: Co-determination documentation

For deeper coverage of works council requirements in Germany, France, and the Netherlands, see [What Are Works Councils and Why Your HR Software Needs to Support Them](/blog/works-councils-hr-software-support).

How Leading Tools Score on GDPR

From Rekko's audit of 137 HR tools:

Tool	DPA Available	EU Data Residency	Auto-Deletion	AI Transparency
Recruitee	Yes	Yes EU	Yes	Yes
Teamtailor	Yes	Yes EU	Yes	Yes
Workable	Yes	Yes EU	Yes	Limited
Factorial	Yes	Yes EU	Manual	Limited
Deel	Yes	Yes EU optional	Manual	N/A
Remote	Yes	Yes EU	Manual	N/A

Manual = Available but requires manual configuration or is incomplete

For a side-by-side GDPR feature comparison between these two leading tools, see [Personio vs Teamtailor](/compare/personio-vs-teamtailor). If your shortlist includes BambooHR and HiBob, see [BambooHR vs HiBob](/compare/bamboohr-vs-hibob).

The 3 Most Common GDPR Mistakes HR Teams Make

1. Not verifying sub-processors

The ATS is EU-hosted, but sends candidate notifications via a US email provider and tracks page views with a US analytics tool. Every link in the sub-processor chain carries risk.

2. Keeping rejected CVs indefinitely

GDPR doesn't set a universal retention limit for candidates. But German courts treat 6 months as the standard. Retaining CVs for 2--3 years without active consent is a DPA investigation risk that compounds every year you don't clean the database.

3. Adding sourced candidates without documenting legal basis

If a recruiter adds someone sourced from LinkedIn or a referral, they need a legal basis --- documented before the data is stored, not after an auditor asks for it.

Before Your Next ATS Evaluation

1. Require a signed DPA before starting any trial
2. Ask specifically: "List all sub-processors and their hosting locations"
3. Test the right-to-erasure flow with a test candidate record
4. If you have a works council, confirm they have been notified before implementation begins

The right tool doesn't just claim compliance. It makes compliance easier for your team to maintain month after month, without manual cleanup cycles.

For a structured framework to evaluate ATS tools against GDPR and other EU requirements, see the [ATS Buyer's Guide](/blog/how-to-choose-ats-buyers-guide-eu).

Use Rekko to filter ATS and HRIS tools by GDPR compliance features at [https://rekko.polsia.app](https://rekko.polsia.app).

---

Looking for the right tool? [Compare 137+ HR tools](https://rekko.polsia.app) --- free, with EU compliance data.