NOTE: While TalentLyft has consulted with legal professionals both in the creation of this article and for our own product features, we are not a law firm. All information that is used in this article is general information and is not intended as legal advice. Users should take independent legal advice regarding their own data protection policies.

To enable and set up your GDPR settings in TalentLyft, the first step is to go to ProfileApp settingsCompliance and enable your GDPR settings.

Now the options have appeared that allow you to regulate GDPR settings for your account.

1. Company name and DPO email address

Enter your company’s legal name and enter the contact email of your Data protection officer.

If you don't have a designated Data protection officer, ask around your company for the contact that should be used if candidates have any questions regarding GDPR. Data protection officer email will be displayed on the candidate portal and candidates can contact you via that email address if they have any inquiries regarding the handling of their personal data.

2. Retention period

The retention period determines how long you want to keep your candidates' data in your database after the position they initially applied for is archived. The length of this period is up to you, but it might be a good idea to advise with your legal department regarding this.

GDPR doesn't state how long this period can be, as long as candidates agree with it and give you their consent.

Candidates are not obliged to give their consent for your retention period in order to apply for a job opening. Any candidate can apply with or without consent. The only difference is how long you will be keeping them in your database.

For candidates who don't give you their retention period consent, you will need to delete their information from your database when the job opening they applied for is archived. TalentLyft will place these candidates on the Needs to be deleted list when you archive the job they applied for.

To avoid this, you can ask them to give the consent subsequently.

3. Inactivity period

It is important to note that this period is not applicable to candidates who have a valid retention period consent.

Not having a valid retention period consent means that:

  1. Their retention period consent has expired or

  2. They haven't given the retention period consent in the first place.

Normally, candidates without a valid retention period consent are placed on Needs to be deleted list when the job that they applied for is archived. However, some jobs, like open applications, might not be archived for a very long time. So if a candidate didn't give you consent to keep his/her personal data for an extended period, how long are you allowed to keep that data?

This is a complex question and not one with a simple answer. That is why we have the Inactivity period. This period defines how long you want to keep the personal data of candidates without a valid retention period consent. It is the time that needs to pass without any activity being recorded with a candidate in order to put him on the Needs to be deleted list.

Activities that are taken into consideration include everything that appears in a candidate's timeline (emails, evaluations, stage movement, etc.)


Let's say that your Inactivity period is set to six months. A candidate applies to your Open application and he/she doesn't give you the retention period consent. You screen their application and decide that this candidate is not a good fit for your company. You send him/her a rejection email. Since this job is still active in TalentLyft, the candidate won't be put on the Needs to be deleted list immediately, so you will keep their personal data for the time being. Six months later, if you haven't had any activities with this candidate in the meantime, this candidate will be put on the Needs to be deleted list. Next time you go to your Needs to be deleted list to delete candidates according to GDPR, this candidate will be on the list.

The privacy policy consent is another consent you must ask for according to GDPR. Unlike retention period consent, this one is mandatory for candidates in order to apply for a job. Your privacy policy describes what personal data you are going to use and for what purpose. The privacy policy text is to be added in the last step of your GDPR compliance setup.

If you tick this checkbox, your candidates will be asked explicitly to agree with your Privacy policy. If the checkbox is left unticked, they will be informed that by applying for this job they agree to your Privacy policy.

Example when the checkbox is ticked:

Example when the checkbox is left unticked:

5. Require share compliance

This checkbox is to be used by TalentLyft users with multiple company accounts only. If you have access to only one company account, then it makes no sense to tick this checkbox.

By ticking this, you will be asking your candidates to give their consent for you to share their information with your sister companies or subsidiaries. If a candidate doesn't give you this consent, you will not be able to move or copy that candidate's data from one company account to another.

Moving or copying candidates from one company account to another is a feature available to users with access to multiple company accounts only.

If your TalentLyft company account is a unique group account with multiple sister companies or subsidiaries organized in departments, you should mention in your Data processing policy that the data will be shared between the members of the group.

6. Manually delete candidates

According to the GDPR, candidates must be able to delete their personal data from your database. With TalentLyft, they can do that through the Candidate portal. Tick this checkbox to disable the option for the candidates to delete their personal data themselves.

When this checkbox is ticked, the automatic deletion upon candidates' request will be replaced with a deletion request being sent to your Data processing officer's email address. Upon receiving this request, you will need to delete the candidate's personal data yourself (anonymize the candidate).

NOTE: We suggest you leave this checkbox unticked. According to GDPR, you have to respect the candidate's decision and ensure data deletion without unnecessary delay. By ticking this checkbox, you will be generating additional work for yourself and/or your team.

7. Privacy policy text

The final thing to set up is your Privacy policy text that will appear when a candidate clicks on the privacy and data processing policy link. You can write your own or use our English and Croatian templates for the GDPR privacy policy.

Did this answer your question?