Since May 25, 2018, the General Data Protection Regulation (GDPR) is in effect, reviewing how personal data of EU citizens is being collected and shared. With TalentLyft, you can set up your GDPR settings to be 100% GDPR compliant. 

How does TalentLyft help? 

You can set up your GDPR account settings, track the GDPR consents of your candidates, and delete/anonymize candidates in your system. 

Candidates will also be given the freedom to request an update of their personal data, extend or withdraw their consents and to delete their data from your candidate database through the Candidate portal.  All of this is supported by TalentLyft. 

First thing to do is to familiarize yourself with your duties and responsibilities toward your candidates, as well as set up your GDPR settings in TalentLyft.  It will be easier if you already have a data protection officer or a legal advisor that could help you with setting up your TalentLyft GDPR settings.

Remember, you are not alone in this. We will help, as much as we can. Here is the link to the official regulation document, published in the Official Journal of the European Union

Setting up your GDPR account settings

To enable and set up your GDPR settings in TalentLyft, the first step is to go to ProfileApp settingsCompliance and enable your GDPR settings.

Now the options have appeared that allow you to regulate GDPR settings for your account. 

You can set up your account in these easy steps: 

1. Company name and DPO email address

Enter your company’s legal name and enter the contact email of your Data protection officer.

If you don't have a designated Data protection officer, ask around your company for the contact that should be used if candidates have any questions regarding GDPR. Data protection officer email will be displayed on the candidate portal and candidates can contact you via that email address if they have any inquiries regarding the handling of their personal data.

2. Retention period 

Retention period determines for how long you want to keep your candidates' data in your database after the position they initially applied for is archived. The length of this period is up to you, but it might be a good idea to advise with your legal department regarding this.

GDPR doesn't state how long this period can be, as long as candidates agree with it and give you their consent.

Candidates are not obliged to give their consent for your retention period in order to apply for a job opening. Any candidate can apply with or without the consent. The only difference is how long you will be keeping them in your database.

For candidates who don't give you their retention period consent, you will need to delete their information from your database when the job opening they applied for is archived. TalentLyft will place these candidates will on the Needs to be deleted list when you archive the job they applied for.

To avoid this, you can ask them to give the consent subsequently.

3. Inactivity period

It is important to note that this period is not applicable to candidates who have a valid retention period consent.

Not having a valid retention period consent means that:

  1. Their retention period consent has expired or
  2. They haven't given the retention period consent in the first place.

Normally, candidates without a valid retention period consent are placed on Needs to be deleted list when the job that they applied for is archived. However, some jobs, like open applications, might not be archived for a very long time. So if a candidate didn't give you consent to keep his/her personal data for an extended period, how long are you allowed keep that data?

This is a complex question and not one with a simple answer. That is why we have the Inactivity period. This period defines how long you want to keep personal data of candidates without a valid retention period consent. It is the time that needs to pass without any activity being recorded with a candidate in order to put him on the Needs to be deleted list.

Activities that are taken into consideration include everything that appears in a candidate's timeline (emails, evaluations, stage movement, etc.)


Let's say that your Inactivity period is set to six months. A candidate applies to your Open application and he/she doesn't give you the retention period consent. You screen their application and decide that this candidate is not a good fit for your company. You send him/her a rejection email. Since this job is still active in TalentLyft, the candidate won't be put on the Needs to be deleted list immediately, so you will keep their personal data for the time being. Six months later, if you haven't had any activities with this candidate in the meantime, this candidate will be put on the Needs to be deleted list. Next time you go to your Needs to be deleted list to delete candidates according to GDPR, this candidate will be on the list.

4. Require Privacy policy consent 

The privacy policy consent is another consent you must ask for according to GDPR. Unlike retention period consent, this one is mandatory for candidates in order to apply for a job. Your privacy policy describes what personal data you are going to use and for what purpose. The privacy policy text is to be added in the last step of your GDPR compliance setup.

If you tick this checkbox, your candidates will be asked explicitly to agree with your Privacy policy. If checkbox is left unticked, they will be informed that by applying for this job they agree to your Privacy policy.

Example when the checkbox is ticked:

Example when the checkbox is left unticked:

5. Require share compliance 

This checkbox is to be used by TalentLyft users with multiple company accounts only. If you have access to only one company account, then it makes no sense to tick this checkbox. 

By ticking this, you will be asking your candidates to give their consent for you to share their information with your sister companies or subsidiaries. If a candidate doesn't give you this consent, you will not be able to move or copy that candidate's data from one company account to another. 

Moving or copying candidates from one company account to another is a feature available to users with access to multiple company accounts only.

If your TalentLyft company account is a unique group account with multiple sister companies or subsidiaries organized in departments, you should mention in your Data processing policy that the data will be shared between the members of the group.

6. Manually delete candidates 

According to the GDPR, candidates must be able to delete their personal data from your database. With TalentLyft, they can do that through the Candidate portal. Tick this checkbox to disable the option for the candidates to delete their personal data themselves. 

When this checkbox is ticked, the automatic deletion upon candidates' request will be replaced with a deletion request being sent to your Data processing officer email address. Upon receiving this request, you will need to delete the candidate's personal data yourself (anonymize the candidate). 

NOTE: We suggest you to leave this checkbox unticked. According to GDPR you have to respect candidate's decision and ensure data deletion without unnecessary delay. By ticking this checkbox, you will be generating additional work for yourself and/or your team. 

7. Privacy policy text

The final thing to set up is your Privacy policy text that will appear when a candidate clicks on the privacy and data processing policy link. You can write your own or use our English and Croatian templates for GDPR privacy policy.

Related articles: 

GDPR - Deleting candidates (Anonymize)

How to send a consent request via email?

GDPR compliance - Sourced and Imported candidates

When do candidates get a "Candidate needs to be deleted" flag?

Extending retention period consents

Did this answer your question?