The General Data Protection Regulation (GDPR) is the EU-wide legal framework governing the processing of personal data – including in HR and recruiting. It requires organisations to collect applicant data only on a clearly defined legal basis, to inform individuals transparently, and to delete data once the applicable retention period has expired. Violations can be fined up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
What is the GDPR? Definition and Purpose
The General Data Protection Regulation (GDPR; German: Datenschutz-Grundverordnung / DSGVO) is an EU regulation that has applied directly in all EU member states since 25 May 2018. It replaced the EU Data Protection Directive of 1995 and establishes a uniform legal framework for handling personal data across Europe.
The GDPR's aim is to protect the fundamental rights of natural persons – in particular the right to informational self-determination. Companies, public authorities and other organisations are bound by the GDPR if they are established in the EU, or if they process the data of individuals who are in the EU, regardless of where the organisation itself is based (Art. 3 GDPR). Its scope is tied to the location of the data subject and the controller, not to citizenship.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person. This includes not only names, addresses or dates of birth, but also email addresses, IP addresses, photographs and – particularly relevant in HR – application documents, performance appraisals and assessment results.
Legal Bases in the HR Context
Article 6 GDPR: Legal bases for data processing
Every processing of personal data requires a legal basis. Article 6 GDPR sets out the permissible grounds. In day-to-day HR work, two are especially relevant:
- Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures): Data may be processed where this is necessary for the performance of a contract or in order to take steps prior to entering into one. In recruiting, this means: applicant data may be processed to carry out the selection procedure – without a separate consent.
- Art. 6(1)(a) GDPR (consent): If data is to be used beyond the original purpose of the application – e.g. for a talent pool – a freely given, informed consent from applicants is required.
§26 BDSG: Employee data protection in Germany
The Federal Data Protection Act (Bundesdatenschutzgesetz / BDSG) supplements the GDPR for the German employment context. §26 BDSG explicitly governs data processing for purposes of the employment relationship – including the application process. Processing is permissible where it is necessary for the decision to establish an employment relationship.
Note for international readers: §26 BDSG is specific to German law. Other EU member states have equivalent national provisions that complement the GDPR in the employment context.
The 7 Principles of the GDPR (Art. 5)
Article 5 GDPR sets out the fundamental principles that must be observed in all data processing:
- Lawfulness, fairness and transparency – Data is processed only on a legal basis and in an open manner.
- Purpose limitation – Data may only be used for the specified purpose.
- Data minimisation – Only the data that is genuinely necessary for the purpose may be collected.
- Accuracy – Data must be kept up to date and correct.
- Storage limitation – Data may not be stored longer than necessary.
- Integrity and confidentiality – Appropriate security measures protect data from unauthorised access.
- Accountability – Organisations must be able to demonstrate compliance with all principles.
GDPR in Recruiting: What HR Teams Need to Know
What data may be collected?
The principle of data minimisation applies in the application process too. Only data that is genuinely required for the hiring decision may be collected: name, contact details, qualifications, work experience. Questions about pregnancy, religious affiliation or other characteristics that may not be used as selection criteria under applicable equal treatment law are not permissible.
The privacy notice in the application form must clearly communicate which data is processed for which purpose, who the responsible controller is, and what rights applicants have.
Consent: When is it required – and when is it not?
A common source of uncertainty in recruiting: do I need consent from applicants?
For the actual application process, this is generally not required – Art. 6(1)(b) GDPR in conjunction with §26 BDSG (or the equivalent national provision) is sufficient as the legal basis. Explicit consent becomes necessary when data is to be used beyond the original purpose – for example for a candidate database (talent pool). Such consent must be freely given, informed and demonstrable. Applicants must be able to withdraw it at any time.
Retention periods for applicant data
After a rejection, applicant data should generally be retained for no more than six months; this reflects the deadlines for asserting and litigating compensation claims under anti-discrimination law (§15 AGG in Germany). Data held in a talent pool may be kept for up to two years, but only on the basis of demonstrable consent. Once these periods have expired – or as soon as an applicant withdraws consent – there is an obligation to delete the data. HR teams should therefore set up automated deletion routines, or at least deletion reminders, in their Applicant Tracking System (ATS), and record each deletion so that compliance can be demonstrated (accountability, Art. 5(2) GDPR).
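The following routine is an added illustration of such a deletion check; it is not code from the original article or from any particular ATS. It applies the retention periods this page states (six months after rejection, two years in a talent pool with consent), treats consent withdrawal and a talent-pool entry without consent as immediate deletion triggers, leaves open and hired applicants alone (a hire moves the data into the personnel file, which follows a different retention regime), and flags records with a missing close date instead of silently keeping them. The field names, statuses and the exact day counts are assumptions; the sample records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple

# Assumed retention policy (illustrative, not taken from any specific ATS):
# roughly six months after a rejection, 24 months for talent-pool entries.
REJECTED_RETENTION = timedelta(days=183)
TALENT_POOL_RETENTION = timedelta(days=730)


@dataclass
class Applicant:
    applicant_id: str
    status: str                      # "open", "rejected", "hired" or "talent_pool" (assumed values)
    closed_on: Optional[date]        # date of rejection or of talent-pool entry
    talent_pool_consent: bool = False
    consent_withdrawn: bool = False


def deletion_reason(a: Applicant, today: date) -> Optional[str]:
    """Return why the record must be deleted, or None if it may still be kept."""
    if a.status in ("open", "hired"):
        # Ongoing procedure or personnel file: not governed by applicant retention.
        return None
    if a.status not in ("rejected", "talent_pool"):
        raise ValueError(f"unknown status {a.status!r} for {a.applicant_id}")
    if a.closed_on is None:
        # A closed record without a close date cannot be scheduled; surface it rather than keep it forever.
        raise ValueError(f"{a.applicant_id}: status {a.status!r} requires a close date")
    if a.consent_withdrawn:
        return "consent withdrawn"
    age = today - a.closed_on
    if a.status == "talent_pool":
        if not a.talent_pool_consent:
            return "talent pool entry without consent"
        if age > TALENT_POOL_RETENTION:
            return "talent pool retention expired"
        return None
    # status == "rejected"
    if age > REJECTED_RETENTION:
        return "rejection retention expired"
    return None


def select_for_deletion(applicants: Iterable[Applicant], today: date) -> List[Tuple[str, str]]:
    """Return (applicant_id, reason) pairs for every record due for deletion today.

    The returned list doubles as the deletion log entry needed for accountability.
    """
    due = []
    for a in applicants:
        reason = deletion_reason(a, today)
        if reason is not None:
            due.append((a.applicant_id, reason))
    return due


# Constructed sample data for the example.
SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_APPLICANTS = [
    Applicant("A1", "rejected", date(2023, 11, 15)),                       # 228 days old: delete
    Applicant("A2", "rejected", date(2024, 3, 1)),                         # 121 days old: keep
    Applicant("A3", "talent_pool", date(2022, 5, 1), talent_pool_consent=True),   # 791 days: delete
    Applicant("A4", "talent_pool", date(2024, 1, 10), talent_pool_consent=False), # no consent: delete
    Applicant("A5", "talent_pool", date(2024, 1, 10), talent_pool_consent=True,
              consent_withdrawn=True),                                     # withdrawn: delete
    Applicant("A6", "hired", date(2024, 2, 1)),                            # personnel file: keep
    Applicant("A7", "open", None),                                         # still in process: keep
]

if __name__ == "__main__":
    for applicant_id, reason in select_for_deletion(SAMPLE_APPLICANTS, SAMPLE_TODAY):
        print(f"{applicant_id}: delete ({reason})")
```

Run it as a scheduled job against the ATS export and feed the returned pairs into the deletion step; the pairs, with the date, form the deletion record. Rejected applicants who later give talent-pool consent should be moved to the talent-pool status with the consent date as the new close date, so that the longer period starts from the consent, not from the rejection.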
GDPR and Digital HR Tools
A Data Processing Agreement (DPA) is mandatory
Anyone using external service providers that process personal data on their behalf – for example an e-recruiting system, an online assessment tool or cloud-based HR software – is required by Art. 28 GDPR to conclude a Data Processing Agreement (DPA) with those providers. This agreement sets out the technical and organisational measures (TOMs) for data protection and the obligations of the processor in binding terms.
Without a DPA, any transfer of data to the service provider is unlawful – regardless of how technically secure the software may be.
GDPR-compliant talent assessment
GDPR principles also apply to digital assessments in recruiting: applicants must be informed in advance about what data is collected and for what purpose. Talent assessment carries a particular responsibility here, as it processes psychological and cognitive data that may be considered especially sensitive.
The digital platform Aivy processes applicant data on the basis of a Data Processing Agreement, maintains technical and organisational measures in line with current standards, and provides GDPR-compliant assessments. Further information on the platform's IT security and data protection is available on its IT security and data protection page.
Frequently Asked Questions about GDPR in HR
What is the GDPR?
The GDPR (General Data Protection Regulation) is an EU regulation that has been in force since 25 May 2018. It regulates the processing of personal data uniformly and directly across all EU member states – without the need for national implementing legislation. Its aim is to protect the fundamental rights of natural persons.
Does the GDPR apply to applicant data?
Yes. Application documents, assessment results and all other data collected as part of a selection process are personal data and are fully subject to the GDPR. The primary legal basis is Art. 6(1)(b) GDPR in conjunction with §26 BDSG (or equivalent national law) – a separate consent is generally not required for the application process itself.
How long may applicant data be retained?
After a rejection, data protection officers and supervisory authorities typically recommend a maximum retention period of 6 months. This reflects the deadlines for asserting and litigating compensation claims under anti-discrimination law (§15 AGG in Germany), which together can run to several months after the rejection. For talent pools, a retention period of up to 2 years is common, provided demonstrable consent has been obtained and not withdrawn.
What happens in the event of a GDPR violation?
Supervisory authorities may impose fines of up to €20 million or 4% of total worldwide annual turnover – whichever is higher (Art. 83 GDPR). In addition, affected individuals may claim damages (Art. 82 GDPR), and competitors or associations may issue cease-and-desist letters.
Do I need a Data Processing Agreement for HR software?
Yes. Where an external software provider processes personal data on behalf of your organisation – which is the case with virtually every cloud-based HR tool – Art. 28 GDPR requires a Data Processing Agreement (DPA). Without this agreement, the transfer of data to the provider is unlawful.
When is consent required in recruiting?
No consent is needed for the standard application process – pre-contractual measures under Art. 6(1)(b) GDPR are sufficient. Consent becomes necessary when you wish to retain applicant data beyond the current process, for example for future vacancies (talent pool), or when you intend to use the data for purposes not directly related to filling the position.
What are technical and organisational measures (TOMs)?
TOMs are security measures that organisations must implement under Art. 32 GDPR to protect personal data. These include technical measures such as encryption, access control concepts and regular backups, as well as organisational measures such as staff training, confidentiality agreements and physical access controls. TOMs must be documented in the DPA with external service providers.
Conclusion
The GDPR is not a bureaucratic burden – it is a legal framework that strengthens the trust of applicants and employees in your HR processes. For HR professionals, three things are essential: first, knowing the correct legal basis for each data processing activity; second, implementing clear retention and deletion periods; and third, ensuring a valid Data Processing Agreement is in place for all external tools and platforms.
Organisations using digital assessments or e-recruiting tools should treat GDPR compliance as a selection criterion for providers – not merely as a legal obligation, but as a mark of professionalism towards candidates and a safeguard against liability risks.
Would you like to see what GDPR-compliant talent assessment looks like in practice? Learn more about IT security and data protection at Aivy.
Sources
- General Data Protection Regulation (EU) 2016/679. European Parliament and Council of the EU, 2016. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
- Federal Data Protection Act (BDSG), in particular §26 on data processing for employment purposes. German Bundestag, 2018. https://www.gesetze-im-internet.de/bdsg_2018/__26.html
- GDPR information. Federal Commissioner for Data Protection and Freedom of Information (BfDI). https://www.bfdi.bund.de/DE/Datenschutz/Ueberblick/ueberblick_node.html
- Guidelines on the processing of personal data in the context of employment. European Data Protection Board (EDPB), 2022. https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-processing-personal-data-context-employment_en
- Guide to Data Protection in Human Resources. Bitkom e.V., 2022. https://www.bitkom.org
- Wybitul, Marc: Employee Data Protection under GDPR and BDSG. 2018.