Candidate data is personal data — full stop
Every CV, cover letter, and job application form submitted to your company contains personal data protected by GDPR. Names, addresses, phone numbers, email addresses, work history, education, and sometimes even health information or criminal records — it's all personal data, and much of it may qualify as special category data.
HR departments are often the highest-volume collectors of personal data in an organization, yet HR data processing frequently receives less compliance attention than customer-facing data collection. This guide will help you build job application forms that meet every GDPR requirement.
What GDPR requires for job application data
Lawful basis for processing
For job applications, the typical lawful bases are:
- Article 6(1)(b) — processing necessary for steps prior to entering into a contract (the employment contract). This covers processing the application for the specific role the candidate applied for.
- Article 6(1)(f) — legitimate interest. This can apply to some aspects of recruitment processing, but requires a Legitimate Interest Assessment.
- Article 6(1)(a) — consent. This is required if you want to keep the application data beyond the original purpose (e.g., for future job openings).
Important distinction: you don't need consent to process an application for the role the candidate applied for (contractual necessity covers this). But you do need consent to keep their data on file for future opportunities.
Special category data in recruitment
Job applications may involve special category data (Article 9):
- Disability information — if you ask about reasonable accommodations
- Health data — if the role requires medical clearance
- Criminal records — for roles requiring background checks
- Ethnicity or religion — if you collect diversity monitoring data
For special category data, you need explicit consent and must clearly explain why the data is needed. Diversity monitoring data should always be optional and ideally anonymized.
Common GDPR mistakes in recruitment forms
Mistake 1: No privacy notice at the point of collection
Your job application form must include or link to a recruitment-specific privacy notice that explains:
- Who is collecting the data (your company name and contact details)
- What data you're collecting and why
- How long you'll keep application data
- Who will have access to the applications (HR team, hiring managers, external recruiters)
- The candidate's rights (access, deletion, rectification, portability)
A generic website privacy policy is not sufficient. Recruitment processing has specific purposes, recipients, and retention periods that should be spelled out.
Mistake 2: Keeping CVs forever
This is one of the most widespread GDPR violations in HR. Many companies collect hundreds or thousands of applications and never delete them. Under GDPR, you must define a retention period and stick to it.
Best practices for retention:
- Active application: keep data for the duration of the recruitment process
- After rejection: delete within 6 months (some jurisdictions allow less). This window accounts for potential discrimination claims
- Talent pool (with consent): if the candidate consents to being kept on file for future roles, retain for a maximum of 12 months, then request renewed consent or delete
- Successful candidates: application data becomes part of the employee file, governed by your employee data retention policy
Mistake 3: No consent for talent pools
If you want to keep a rejected candidate's application for future opportunities, you must obtain specific, informed consent. This means:
- A separate checkbox (not bundled with the application submission)
- Clear language: "I consent to [Company] retaining my application data for up to 12 months for consideration for future roles"
- The ability to withdraw consent at any time
- An actual process for deletion when consent is withdrawn or the retention period expires
Mistake 4: Sharing applications through unsecured channels
Forwarding CVs via email to hiring managers, storing applications in shared Google Drive folders, or printing applications and leaving them on desks — these are all potential GDPR violations. Application data should be accessible only through controlled, secure systems with proper access controls.
Mistake 5: Using US-hosted form builders
If your job application form sends candidate data to a US-based platform, you're transferring personal data outside the EU. This creates the same GDPR compliance challenges discussed throughout this blog: CLOUD Act exposure, inadequate transfer safeguards, and audit risk.
The right to be forgotten for rejected candidates
Under GDPR Article 17, rejected candidates have the right to request deletion of their application data. Your recruitment process must support this:
- Clear contact method — candidates should know how to request deletion (include this in your recruitment privacy notice)
- Timely response — you must respond within 30 days
- Complete deletion — delete from all systems, including email, ATS, shared drives, and backups
- Confirmation — inform the candidate that their data has been deleted
Even without a specific request, you should proactively delete application data once your defined retention period expires.
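The retention windows above (active, rejected within 6 months, talent pool for 12 months with consent, hired into the employee file), the deletion-on-withdrawal requirement from Mistake 3, and the 30-day erasure deadline can be encoded as one policy check that runs daily over the applicant store. The following is an added example, not code from this post or from FormGuard; the record layout, the `Application` fields and the sample candidates are constructed, and the choice to delete immediately when talent pool consent is withdrawn is an assumption you should confirm against your own retention policy.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple, Union

# Retention figures taken from the article's best practices. Keep the real
# values in your documented retention policy, not hard-coded.
REJECTED_RETENTION_MONTHS = 6       # rejected candidates: delete within 6 months
TALENT_POOL_RETENTION_MONTHS = 12   # talent pool: max 12 months, then renew or delete
ERASURE_RESPONSE_DAYS = 30          # Article 17 requests: respond within 30 days


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic, clamped to the last day of the month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Application:
    # Constructed record shape (assumption): what a minimal ATS row might hold.
    candidate_id: str
    status: str                                       # "active", "rejected" or "hired"
    decision_date: Optional[date] = None              # set when rejected or hired
    talent_pool_consent_date: Optional[date] = None   # None = no talent pool consent given
    consent_withdrawn: bool = False
    erasure_requested_on: Optional[date] = None


def _as_date(value: Union[date, str]) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


def retention_action(app: Application, today: Union[date, str]) -> Tuple[str, str]:
    """Return (action, reason) for one application as of `today`.

    action is one of "retain", "delete", "renew_consent_or_delete",
    "move_to_employee_file".
    """
    today = _as_date(today)

    # An erasure request overrides every retention window; the response
    # deadline is returned so it can be tracked.
    if app.erasure_requested_on is not None:
        deadline = app.erasure_requested_on + timedelta(days=ERASURE_RESPONSE_DAYS)
        return "delete", f"Article 17 request; respond by {deadline.isoformat()}"

    if app.status == "active":
        return "retain", "recruitment process still running"
    if app.status == "hired":
        return "move_to_employee_file", "governed by the employee data retention policy"
    if app.status != "rejected":
        raise ValueError(f"{app.candidate_id}: unknown status {app.status!r}")
    if app.decision_date is None:
        raise ValueError(f"{app.candidate_id}: rejected application needs a decision_date")

    # Rejected candidate who consented to stay on file for future roles.
    if app.talent_pool_consent_date is not None:
        if app.consent_withdrawn:
            # Assumption: withdrawal removes the basis for keeping the file at all.
            return "delete", "talent pool consent withdrawn"
        expiry = add_months(app.talent_pool_consent_date, TALENT_POOL_RETENTION_MONTHS)
        if today >= expiry:
            return "renew_consent_or_delete", f"talent pool consent expired {expiry.isoformat()}"
        return "retain", f"talent pool consent valid until {expiry.isoformat()}"

    # Rejected candidate without talent pool consent: claims-defence window only.
    expiry = add_months(app.decision_date, REJECTED_RETENTION_MONTHS)
    if today >= expiry:
        return "delete", f"rejected {app.decision_date.isoformat()}; window closed {expiry.isoformat()}"
    return "retain", f"rejected; delete by {expiry.isoformat()}"


def deletion_queue(apps: List[Application], today: Union[date, str]) -> List[str]:
    """IDs of every application the policy says must be deleted today."""
    return [a.candidate_id for a in apps if retention_action(a, today)[0] == "delete"]


def sample_applications() -> List[Application]:
    """Constructed candidates for the walkthrough, not real data."""
    return [
        Application("c1", "active"),
        Application("c2", "rejected", decision_date=date(2024, 1, 15)),
        Application("c3", "rejected", decision_date=date(2024, 6, 1)),
        Application("c4", "rejected", decision_date=date(2023, 6, 1),
                    talent_pool_consent_date=date(2023, 6, 1)),
        Application("c5", "rejected", decision_date=date(2024, 5, 1),
                    talent_pool_consent_date=date(2024, 5, 1), consent_withdrawn=True),
        Application("c6", "hired", decision_date=date(2024, 3, 1)),
        Application("c7", "active", erasure_requested_on=date(2024, 8, 20)),
    ]


if __name__ == "__main__":
    apps = sample_applications()
    for a in apps:
        print(a.candidate_id, *retention_action(a, "2024-09-01"))
    print("delete now:", deletion_queue(apps, "2024-09-01"))
```

Run as a scheduled job, the `deletion_queue` output is the list you actually purge (ATS, mailbox, shared drives, backups), and the `renew_consent_or_delete` results are the candidates who need a consent-renewal email before their 12 months run out.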
Building a compliant job application form
Here's what a GDPR-compliant job application form should include:
Essential fields only
- Full name
- Email address
- Phone number (optional)
- CV/resume upload or text field
- Cover letter (optional)
- How they heard about the role (optional, for recruitment marketing)
Required compliance elements
- Link to your recruitment privacy notice
- Consent checkbox (not pre-checked) for data processing: "I have read the recruitment privacy notice and understand how my data will be processed"
- Separate consent checkbox for talent pool (optional): "I consent to my application being retained for up to 12 months for future opportunities"
- Statement of retention period: "Application data for unsuccessful candidates will be deleted within 6 months"
What NOT to include
- Date of birth (unless legally required for the role)
- Nationality or immigration status (unless legally required)
- Marital status
- Photo (common in some countries but increasingly discouraged)
- Social media profiles (unless directly relevant to the role)
- Any field not directly relevant to assessing the candidate's suitability
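The field lists above describe what the form should and should not collect, and the compliance elements describe two separate checkboxes that must never default to "checked". A browser sends nothing at all for an unchecked checkbox, so the server side has to treat absence as "not given" and store evidence of what the candidate did tick. The handler below is an added example, not code from this post or from FormGuard: it enforces the allow-list, rejects the "what NOT to include" fields outright, and records the notice acknowledgement and the optional talent pool consent separately. The field names, the notice and consent text version identifiers, and the sample submissions are constructed.

```python
from datetime import datetime, timezone
from typing import Optional

# Allow-list mirroring the article's "essential fields only" section.
ALLOWED_FIELDS = {"full_name", "email", "phone", "cv", "cover_letter", "source"}
REQUIRED_FIELDS = {"full_name", "email", "cv"}
# Fields the article lists under "what NOT to include". Naming them gives a
# clearer rejection than the generic unknown-field check below.
PROHIBITED_FIELDS = {"date_of_birth", "nationality", "immigration_status",
                     "marital_status", "photo", "social_media"}
# Form controls that are consent evidence rather than candidate data.
NOTICE_ACK_FIELD = "privacy_notice_ack"
TALENT_POOL_FIELD = "talent_pool_consent"
# Assumed version identifiers for the exact notice/consent wording shown to the
# candidate; storing them lets you show later what was actually agreed to.
PRIVACY_NOTICE_VERSION = "recruitment-privacy-notice-2024-01"
TALENT_POOL_TEXT_VERSION = "talent-pool-consent-12-months-v1"

CHECKED_VALUES = {"on", "true", "1", "yes", True}


class RejectedSubmission(ValueError):
    """The submission must not be stored; the message says why."""


def is_checked(value) -> bool:
    # An unchecked HTML checkbox is absent from the POST body, so None and any
    # unexpected value count as "not given". Never default a consent to True.
    if isinstance(value, str):
        value = value.strip().lower()
    return value in CHECKED_VALUES


def validate_submission(form: dict, received_at: Optional[datetime] = None) -> dict:
    """Turn a raw POST body into a minimized record with consent evidence."""
    received_at = received_at or datetime.now(timezone.utc)
    names = set(form)

    # 1. Data minimization: refuse prohibited fields, then anything not on the
    #    allow-list, so a later "small" change to the form cannot widen collection.
    forbidden = names & PROHIBITED_FIELDS
    if forbidden:
        raise RejectedSubmission(f"form collects prohibited fields: {sorted(forbidden)}")
    unknown = names - ALLOWED_FIELDS - {NOTICE_ACK_FIELD, TALENT_POOL_FIELD}
    if unknown:
        raise RejectedSubmission(f"unexpected fields: {sorted(unknown)}")
    missing = {f for f in REQUIRED_FIELDS if not str(form.get(f, "")).strip()}
    if missing:
        raise RejectedSubmission(f"missing required fields: {sorted(missing)}")

    # 2. The privacy notice acknowledgement must be an explicit affirmative value.
    if not is_checked(form.get(NOTICE_ACK_FIELD)):
        raise RejectedSubmission("privacy notice not acknowledged")

    # 3. Talent pool consent is a separate, optional box; absence means "no".
    talent_pool = is_checked(form.get(TALENT_POOL_FIELD))

    record = {f: form[f] for f in ALLOWED_FIELDS if f in form}
    stamp = received_at.isoformat()
    record["notice_ack"] = {"version": PRIVACY_NOTICE_VERSION, "at": stamp}
    record["talent_pool_consent"] = (
        {"version": TALENT_POOL_TEXT_VERSION, "at": stamp} if talent_pool else None
    )
    return record


if __name__ == "__main__":
    # Constructed submission, as a browser would post it with only the
    # acknowledgement box ticked.
    posted = {"full_name": "A. Candidate", "email": "candidate@example.org",
              "cv": "(uploaded file)", "privacy_notice_ack": "on"}
    print(validate_submission(posted))
    try:
        validate_submission(dict(posted, date_of_birth="1990-01-01"))
    except RejectedSubmission as exc:
        print("rejected:", exc)
```

The stored `talent_pool_consent` value is what the retention job later reads: `None` means the application follows the 6-month window for unsuccessful candidates, and a timestamped entry is the start of the 12-month talent pool period.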
Where to host your application form
For EU companies, application form data should be processed and stored within the EU. Using a US-based form builder or ATS creates unnecessary compliance risk, especially given the sensitivity of recruitment data.
Key requirements for your form tool:
- EU data residency — data stored and processed in the EU
- EU-incorporated processor — not subject to US jurisdiction
- Data deletion capability — delete individual submissions to fulfill right-to-erasure requests
- Data export — provide candidates with a copy of their data upon request
- Access controls — restrict who can view applications
How FormGuard helps HR teams
FormGuard provides what HR departments need for compliant recruitment forms:
- EU-only storage in Frankfurt, Germany — candidate data never leaves EU jurisdiction
- No US subprocessors — no CLOUD Act exposure for sensitive candidate information
- Individual submission deletion — delete specific applications when retention periods expire or candidates request erasure
- CSV export — fulfill data access requests quickly
- Consent checkboxes — add required checkbox fields for processing consent and optional talent pool consent
- Clean, professional forms — present a positive candidate experience that reflects well on your employer brand
Recruitment is often a candidate's first interaction with your company. A professional, privacy-respecting application process sets the right tone.