What a GDPR-compliant applicant tracking system should let you control

An applicant tracking system cannot make you GDPR compliant on its own. What GDPR-compliant recruitment software should do is give you the controls to track consent, set retention periods, run deletion workflows, show a privacy notice, and export candidate data.

100Hires is a GDPR-compliant data processor under Article 28, and you remain the data controller. That split matters: you decide the lawful basis, the privacy notice, and the outreach rules for candidates.

Consent is not always the right basis in recruitment, since applying for a job is not the same as consent. 100Hires records the consent you collect and applies the retention, deletion, and export workflows you configure, so the controls match the decisions you have already made.

Stop scrambling when a candidate asks you to delete their data

The most common source of GDPR exposure in recruiting is not a misconfigured system. It is the email inbox. A candidate sends their CV directly, and it sits in Outlook. Their details get forwarded to a hiring manager.

Notes from the call go into a spreadsheet. Months later they send a deletion request, and you do not know where everything is.

Right-to-be-forgotten and access requests are also arriving more deliberately. Candidates who feel ignored or treated unfairly now send data subject access requests as a form of accountability.

Erasure requests that used to be rare now arrive monthly for many EU and UK hiring teams.

Recruiters are unsure how long they can hold a CV, what a privacy notice has to say, and what to do when a candidate emails asking for everything on file.

Then procurement gets involved, asking where data is hosted, whether you sign a DPA, and what happens to the candidates you reject and the resume database you build over time.

When the answers live in scattered spreadsheets and inboxes, every one of those questions becomes a fire drill. GDPR-compliant recruitment software keeps the candidate-data controls and records in one hiring system.

Keep GDPR work inside the hiring workflow

What your security and procurement team will ask for

Security reviews ask the same questions every time. Here is how 100Hires answers them in one place, with the hosting, encryption, and DPA details your procurement team will want on file. For the full program, see the 100Hires security overview.

How to choose the best ATS for GDPR compliance

Skip the vendor badges and look at the controls. The best ATS for GDPR compliance is the one that covers the specific obligations recruiting teams actually face, without an enterprise implementation project to switch them on.

  • Consent tracking - request consent in one click, see the status on every candidate profile, and keep an audit trail of changes
  • Retention with auto-delete - set how long you keep candidate data and let expired records clear themselves
  • Erasure and export - handle right-to-be-forgotten and access requests in a few clicks, not a week of inbox archaeology
  • Data residency and a DPA - know where candidate data lives (EU customer data in 100Hires is hosted in Germany) and get the DPA with SCCs procurement will ask for, available on request
  • AI without training on your data - candidate data is not used to train AI, and AI features can be disabled at the account level, with AI built to support human decisions

Run any hiring system on your shortlist through this checklist, including 100Hires: the controls and procurement answers above are documented on this page.

If you also hire in US healthcare, the same evaluation logic applies to HIPAA, and the HIPAA-ready ATS page walks through it.

100Hires vs a typical ATS on GDPR

Here is how 100Hires lines up against a typical ATS on the GDPR features hiring teams actually use, with pricing you can check up front.

23,000+ recruiters & business owners read this newsletter

The hiring playbook, in your inbox

One email a week - benchmarks, AI screening tactics, and short interview templates from the 100Hires team. No product pitches.

We use cookies to offer you our service. By continuing to use this site, you consent to our use of cookies as described in our policy