All Collections
Recruiting Compliance: GDPR, EEO & CCPA
GDPR Compliance
When do I need to delete the candidates according to the GDPR regulations?
When do I need to delete the candidates according to the GDPR regulations?

If you are gathering candidate data in the EU, there are a few conditions which determine whether a candidate needs to be deleted or not.

Updated over a week ago

What is GDPR and is it applicable to me?

Since May 25, 2018, the General Data Protection Regulation (GDPR) is in effect, reviewing how the personal data of EU citizens is being collected and shared. With TalentLyft, you can set up your GDPR settings to be 100% GDPR compliant. Here is the link to the official regulation document, published in the Official Journal of the European Union.

How does TalentLyft help me and my company?

Candidate "Needs to be deleted" flag is part of GDPR functionalities in TalentLyft which can be found in the Engage module as a filter. It helps you keep your candidate database GDPR compliant. Once a day, TalentLyft will check the entire candidate database and determine which candidates need to be deleted.

To make it easier to understand, we have created a graph with conditions and the results below:

Regardless of the way, candidates enter the system (sourced or applied), they all go through the same "IF loop" displayed on the diagram above.

Condition monitoring which is mentioned below is performed on a candidate, not on an application. This means that TalentLyft won't flag the candidate for deletion if he/she has at least one application that allows you to keep his/her personal data. Whenever a position is archived in your system, TalentLyft will perform these checks on all candidates who were part of the hiring process for that position, and flag them according to the three conditions.

First condition

The strongest condition is a valid retention period of consent. If the candidate has given his consent for personal data retention and it has not expired, he/she will not be flagged as a "Candidate who needs to be deleted", regardless of all other conditions. If there is no valid retention period consent found on the candidate (the candidate has either not given the consent or it has expired), the second condition will come into consideration.

Second condition

The system checks if the candidate has any applications for active jobs. If the candidate hasn't given consent for you to keep their personal data for X months and is not currently part of any active selection process, he needs to be deleted. In this case, no other conditions need to be checked. However, if this candidate is part of an active selection process, the third condition must be checked.

Third condition

For these examples, we already know the candidate does not have valid consent, and he/she is not a part of an active selection process, otherwise, this third condition would not even be taken into consideration. The inactivity period (counted from the last activity with the candidate which includes: comment, email, call, meeting, move to the stage, disqualified, or reverted) is what determines when these candidates need to be deleted. As long as the inactivity period doesn't expire, these candidates are not placed on the "Needs to be deleted" list.

How to be GDPR compliant?

Make sure you are regularly tracking and deleting candidates that should be deleted from your system according to GDPR. The list of people that must be deleted will be generated in the Engage module, and accessed by using the "Needs to be deleted" filter and adding that the conditions are true, as seen in the example below:

Mark all of these candidates and delete their data in bulk within a matter of seconds.

Did this answer your question?