In order to set up your TalentLyft account to be GDPR compliant, go to Company Settings and click on Recruiting preferences.

Find the Compliance settings section and there will be Use GDPR compliance settings checkbox. Upon ticking this checkbox, a new screen will appear.

  • Data protection officer contact email - Email where candidates can send inquiries regarding their data privacy concerns.
  • Retention period - When applying to your job openings, your candidates will be able to give consent for you to keep their data during this period. Maximum Retention period which can be set is 60 months.
  • Inactivity retention period - Define how long after last action (last communication or change of stage in hiring pipeline) do you want to keep data for candidates who haven't given consent. This also applies for sourced candidates until they give you consent.
  • Require privacy policy consent - If you tick this checkbox, your candidates will be asked explicitly to agree with your Privacy policy. If checkbox is left unticked, they will be informed that by applying for this job they agree to your Privacy policy.
  • Privacy policy - Text editor field where you can define your Privacy policy which will be displayed to candidates when applying. You can find a Privacy policy template here.

Requesting consent from existing candidates

At the bottom of the Compliance settings section you can request consent from all candidates. If you tick the Request consent from all candidates checkbox and save settings, email in which you are asking consent will be sent to all existing candidates in your database.

Existing candidates will get the email displayed on the image below.

By clicking on the Review policy button, candidates will be redirected to the page where they can give their consent.

Managing candidates without consent

Candidates who don't give their consent will not be deleted. They will be marked as candidates who need to be deleted when Inactivity retention period expires. To find all candidates who need to be deleted in Candidates database, use the Candidate needs to be deleted filter.

When you filter candidates who are marked as candidates who need to be deleted, you'll have three options:

  1. Send an email to candidates and prolong Inactivity retention period.
  2. Anonymize candidate - all data about candidates is removed, but they are included in Analytics.
  3. Delete candidate - candidates are completely removed from the system and Analytics.

Retention period can also be defined differently for specific jobs. When creating a job in TalentLyft, you will be able to override default Retention period setting. This should be very useful for Open applications.

Application form

On application form, a checkbox is added where candidates can give their consent for keeping their data during the defined Retention period.

On the image above, Require privacy policy consent was not checked in the Compliance settings, so the candidate is informed that by applying he has read, understood and agrees with the privacy and data processing policy. The candidates can click on link privacy and data processing policy to read the entire policy text. If Require privacy policy consent checkbox is ticked, candidates are obliged to tick the checkbox here in order to apply, thus explicitly agreeing to the policy.

Candidate portal

Once the candidates apply, they will get the application confirmation email with link to their Candidate portal.

By accessing their portal, the candidates can see all of their applications and request to view their personal data.

Upon requesting to see their personal data, candidates are informed that they will be sent a token which is valid for 1 hour upon issuing. Token arrives in a form of email message and allows candidates to access their personal data for one hour.

After clicking on the View your data button, candidates are redirected to the data review page. On this page, candidates will see their applications and files they sent in each of the applications. Candidates can also request export of their personal data, update their data or delete it.

  • Export data - can be requested once per hour. Zipped JSON file is sent to candidates email.
  • Request data update - update can be requested once every 24 hours. Candidates can send message about data which needs to be updated.
  • Delete all data - candidates delete all personal data, but remain part of group Analytics. In other words, candidate is Anonymized.

Below these options, the data protection officer contact email is displayed. This email is to be used by candidates for sending any complaint about potential misuse of their personal data.


In order to receive notifications about requested data updates and deleted candidate data, you must set up your notifications in the Personal settings to include GDPR edit information request and GDPR delete application request

Related articles

GDPR badges

When do candidates get a "Candidate needs to be deleted" flag?

GDPR Privacy Policy Notice - English Template

GDPR Privacy Policy Notice - Croatian Template

Did this answer your question?