Who This Is For

Founders, COOs, Heads of People, and Operations Managers at SMEs with 10–200 employees hiring remote staff in or from the US, UK, Australia, Canada, India, or Europe.

For COOs, HR leaders, and operations teams scaling international remote teams, this is not a legal technicality. It is a practical risk with real consequences: regulatory fines, candidate trust erosion, and contractual liability with staffing partners.

This guide gives you a clear, decision-ready framework for GDPR compliance in remote hiring — covering what applies to your situation, what you must put in place, and where most employers get it wrong.

What Is GDPR Compliance for Remote Hiring?

GDPR compliance for remote hiring is the legal obligation to process job candidate personal data in accordance with the General Data Protection Regulation (EU) 2016/679 — at every stage of the recruitment lifecycle, regardless of where your company is headquartered.

In practice, this means any data you collect from a candidate — CV, interview notes, assessment results, identity documents, background check reports, or email exchanges — must be handled lawfully, transparently, and with clearly defined retention limits.

The complexity for remote hiring lies in GDPR's extraterritorial reach (Article 3). The regulation extends to any organisation that targets or employs individuals in the EU/EEA, irrespective of the employer's location. That is the clause that catches most non-EU employers off guard.

Why It Matters

For companies in the US, UK, Australia, Canada, and the Middle East, non-compliance is not a theoretical risk. GDPR enforcement against non-EU employers is active and growing. Data-conscious senior candidates — especially in Europe — notice when employers handle their information carelessly. It affects your ability to attract top talent.

Does GDPR Apply to Your Company? A Practical Breakdown

The answer depends on your candidate pool, your systems, and your hiring model. Here is how to assess your exposure by scenario:

  • US company hiring an EU-based remote employee: GDPR applies to that candidate's data throughout and after the hiring process. See regional breakdown for US-specific obligations.
  • Australian company using a European-hosted ATS: If the platform stores data on EU servers, data processing obligations apply — regardless of candidate location.
  • UK company post-Brexit: UK GDPR applies. If you also process EU-resident candidate data, EU GDPR applies simultaneously. Transfer mechanisms differ between UK and EU frameworks.
  • Global company hiring a contractor in India: GDPR does not automatically apply to Indian nationals located in India — but EU-hosted systems or EU-resident decision-makers can re-trigger it. See the cross-border transfers section for staffing agency obligations.
  • No EU nexus at all: GDPR technically does not apply. However, most scaling SMEs cannot guarantee this indefinitely — and GDPR-aligned practices are now a global hiring standard.
Pro Tip

Default to treating GDPR as your baseline compliance standard for all international hiring. Use the compliance checklist as your starting audit regardless of geography.

GDPR Lawful Basis for Recruitment: Legitimate Interest vs Consent

Every act of processing candidate data must be justified by a lawful basis under GDPR Article 6. In recruitment, the two most relevant bases are legitimate interest and consent. Most employers get this wrong — and that mistake creates operational risk throughout the process.

Legitimate Interest: The Right Default for Active Recruitment

Legitimate interest (Article 6(1)(f)) allows you to process candidate data without explicit consent when you have a genuine, documented business reason, the processing is necessary, and it does not override the candidate's fundamental rights.

This applies to:

  • Reviewing CVs and applications from candidates who actively applied
  • Conducting structured interviews and reference checks
  • Assessing candidates against defined role criteria
  • Communicating application status updates

To rely on legitimate interest, document a Legitimate Interests Assessment (LIA) — a short internal record confirming the business purpose, necessity, and balanced consideration of candidate rights. This is item 2 in your compliance checklist.

Consent under GDPR must be freely given, specific, informed, and unambiguous. No pre-ticked boxes. No bundled agreements. No implied acceptance.

Consent is appropriate only for:

  • Retaining a candidate's CV beyond the active hiring process for future roles — governed by talent pool retention rules
  • Adding candidates to a talent pool or job alerts list
  • Processing sensitive personal data (health, disability, criminal convictions) where no other basis applies
Common Mistake

Many employers use consent as their default lawful basis for all recruitment data. This is incorrect and operationally risky. If a candidate withdraws consent mid-process, you may be obligated to stop evaluation entirely. Legitimate interest is almost always the stronger basis for core recruitment activities. This is mistake #1 in the 8 most common errors.

What Personal Data Can You Legally Collect?

GDPR's data minimisation principle is clear: collect only what is adequate, relevant, and limited to what is necessary for the recruitment purpose. Anything beyond that must be disclosed in your candidate privacy notice.

Permissible Candidate Data

  • Full name, email address, phone number, city/country
  • Work history, education credentials, professional qualifications
  • Skills, languages spoken, portfolio or work samples
  • Interview notes and structured assessment scores
  • References (with appropriate prior notice to referees)
  • Right-to-work status (where legally required — see regional obligations)

Special Category Data — Strict Controls Required

GDPR Article 9 imposes stricter obligations on health/disability status, racial or ethnic origin, religious beliefs, sexual orientation, and criminal conviction records. Only collect this data when there is a clear, documented legal basis. If in doubt, rely on the lawful basis guidance above.

Data You Should Not Collect

  • Date of birth (unless legally required for the specific role)
  • Marital status or nationality (unless legally necessary)
  • Photographs (unless operationally justified)
  • Social media profiles unrelated to the role

What Must Your Candidate Privacy Notice Include?

A recruitment-specific candidate privacy notice is a legal requirement under GDPR Articles 13 and 14. It must be provided at the point of data collection β€” on your application form or careers page. A general website privacy policy does not satisfy this obligation.

Your notice must include:

  1. Identity of the data controller — your company's legal name and registered address
  2. DPO contact details — if a Data Protection Officer is required or appointed
  3. Purposes of processing — recruitment assessment, background checks, talent pooling
  4. Lawful basis for each processing activity — see the lawful basis section
  5. Categories of personal data collected — aligned to your data collection policy
  6. Data retention periods — refer to the retention framework table
  7. Third-party sharing — recruiters, ATS providers, background check firms — all governed by a Data Processing Agreement
  8. International data transfers — see cross-border transfer mechanisms
  9. Candidate rights — access, rectification, erasure, restriction, portability, objection
  10. Right to complain — to the relevant supervisory authority (ICO, DPC, etc.)
  11. Consequences of not providing data — e.g., inability to progress the application
Pro Tip

Use a layered notice. Place a short, plain-language summary on the application page with a clearly labelled link to the full notice. Drafting and publishing this notice is item 3 in the compliance checklist.

How Long Can You Keep CVs and Interview Notes?

GDPR does not set a fixed retention period. The storage limitation principle (Article 5(1)(e)) requires data be kept no longer than necessary. Most Data Protection Authorities consider 6 to 12 months reasonable for unsuccessful candidates. Talent pool retention requires separate consent and a documented renewal process.

| Data Type | Recommended Retention | Notes |
|---|---|---|
| Unsolicited CVs (no active role) | Immediate deletion / max 30 days | No active purpose to justify retention |
| Unsuccessful applicants (applied for a role) | 6–12 months post-decision | Allows for appeals; aligns with ICO guidance |
| Interview notes & assessments | 6–12 months post-decision | Retain for equal opportunity defence if needed |
| Talent pool (consented) | 12–24 months (consent duration) | Must renew consent; document re-confirmation |
| Successful hire — pre-employment records | Employment + statutory period | Becomes part of the employment file |
| Background check results | Record check completed only | Sensitive — see special category data rules |
Pro Tip

Configure automated deletion schedules in your ATS — governed by a Data Processing Agreement with the provider. Greenhouse, Lever, and Workable all support retention settings. Relying on manual deletion is mistake #3 in the most common GDPR errors.
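As an added example (not code from the original article or from Zedtreeo), the Python script below applies the retention schedule from the table above to a constructed set of candidate records and reports which ones should be deleted, redacted to a completion flag, flagged for consent renewal, or sent for manual review. The record schema, the category and field names, and the 30-day consent renewal window are assumptions; the day limits are the upper bounds of the article's recommended ranges. It also handles the failure modes an automated schedule has to deal with: an unsuccessful applicant with no decision date, or a talent-pool entry with no documented consent, is flagged rather than silently kept forever.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Retention limits encoded from the retention table (upper bounds of the
# recommended ranges). Constructed policy values: set them to match your own
# documented retention schedule and your DPA with the ATS provider.
RETENTION_DAYS = {
    "unsolicited": 30,    # no active role: immediate deletion / max 30 days
    "unsuccessful": 365,  # 6-12 months post-decision; upper bound used here
}
# Constructed: how far ahead of consent expiry to flag a talent-pool record for renewal.
TALENT_POOL_RENEWAL_WINDOW_DAYS = 30
# Constructed sweep date used by the sample run below.
SWEEP_DATE = date(2026, 3, 1)


@dataclass
class CandidateRecord:
    """Hypothetical minimal ATS record; field names are assumptions, not a real ATS schema."""
    candidate_id: str
    category: str                           # unsolicited | unsuccessful | talent_pool | hired | background_check
    received: date                          # date the data was first collected
    decision_date: Optional[date] = None    # hiring decision date (unsuccessful applicants)
    consent_expires: Optional[date] = None  # talent-pool consent end date, if consent was documented
    check_completed: bool = False           # background check finished?


def retention_action(rec: CandidateRecord, today: date) -> Tuple[str, str]:
    """Return (action, reason) for one record. Actions: delete, retain, renew_consent, redact, review."""
    if rec.category == "unsolicited":
        age = (today - rec.received).days
        if age > RETENTION_DAYS["unsolicited"]:
            return "delete", f"unsolicited CV held {age} days; no active purpose"
        return "retain", "within 30-day window"

    if rec.category == "unsuccessful":
        if rec.decision_date is None:
            # Missing data is a failure mode: flag it rather than silently keeping the record.
            return "review", "no decision date recorded; retention period cannot be computed"
        age = (today - rec.decision_date).days
        if age > RETENTION_DAYS["unsuccessful"]:
            return "delete", f"{age} days since decision exceeds the 12-month limit"
        return "retain", "within post-decision retention period"

    if rec.category == "talent_pool":
        if rec.consent_expires is None:
            return "delete", "talent-pool entry without documented consent"
        if today > rec.consent_expires:
            return "delete", "talent-pool consent expired and was not renewed"
        if today + timedelta(days=TALENT_POOL_RENEWAL_WINDOW_DAYS) >= rec.consent_expires:
            return "renew_consent", "consent lapses within the renewal window"
        return "retain", "consent current"

    if rec.category == "background_check":
        if rec.check_completed:
            # Keep only the fact that the check completed; drop the report contents.
            return "redact", "retain completion flag only; report contents are special category data"
        return "retain", "check still in progress"

    if rec.category == "hired":
        return "retain", "pre-employment records move to the employment file"

    return "review", f"unknown category {rec.category!r}"


def run_retention_sweep(records, today: date):
    """Evaluate every record and return {candidate_id: (action, reason)} for the audit log."""
    return {r.candidate_id: retention_action(r, today) for r in records}


# Constructed sample records (fictional candidates and dates).
SAMPLE_RECORDS = [
    CandidateRecord("c1", "unsolicited", received=date(2026, 1, 10)),
    CandidateRecord("c2", "unsuccessful", received=date(2024, 12, 1), decision_date=date(2025, 1, 15)),
    CandidateRecord("c3", "unsuccessful", received=date(2025, 10, 1), decision_date=date(2025, 11, 1)),
    CandidateRecord("c4", "talent_pool", received=date(2024, 3, 20), consent_expires=date(2026, 3, 20)),
    CandidateRecord("c5", "talent_pool", received=date(2024, 6, 1)),
    CandidateRecord("c6", "background_check", received=date(2026, 2, 1), check_completed=True),
    CandidateRecord("c7", "hired", received=date(2025, 9, 1), decision_date=date(2025, 10, 1)),
    CandidateRecord("c8", "unsuccessful", received=date(2025, 5, 1)),
]

if __name__ == "__main__":
    for cid, (action, reason) in run_retention_sweep(SAMPLE_RECORDS, SWEEP_DATE).items():
        print(f"{cid}: {action:14s} {reason}")
```

Run it as a scheduled job against an export from your ATS; the returned dictionary doubles as the audit trail showing why each record was actioned, which is the evidence a supervisory authority or candidate would ask for.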

Can You Record Remote Video Interviews?

Yes — with prior informed consent from the candidate. The consent must be given before the recording begins, not collected mid-session. This is distinct from the legitimate interest basis used for the interview itself.

  • Include a recording notice in the interview invitation email
  • Verbally confirm and record consent at the session start
  • State the specific purpose — using recordings to train AI models requires separate explicit consent
  • Set a retention limit: delete recordings within 30–90 days of the hiring decision
  • Ensure your video platform (Zoom, Teams, Google Meet) has a signed DPA with your organisation
Why It Matters

AI interview analysis tools that score candidates on tone, facial expression, or speech patterns trigger GDPR Article 22 on automated decision-making. You must inform candidates, ensure human oversight, and obtain explicit consent. Failing to disclose this is mistake #5 in the 8 most common errors.

Cross-Border Data Transfers: What's Required

When EU/EEA candidate data moves outside the EEA — to the US, Australia, India, or Canada — GDPR Chapter V safeguards are required. For most SMEs, the primary mechanism is Standard Contractual Clauses (SCCs). Any staffing agency handling this data also requires a signed Data Processing Agreement.

Post-Schrems II (2020), signing SCCs alone is not enough. You must also complete a Transfer Impact Assessment (TIA) to evaluate whether the receiving country's surveillance laws undermine SCCs. This is step 8 in the compliance checklist.

| Scenario | Mechanism Required | Notes |
|---|---|---|
| EU employer using US-hosted ATS | SCCs or DPF certification | Verify ATS provider's Data Privacy Framework status; DPA required |
| US employer, EU candidate data in US | SCCs recommended | US employer is data controller; SCCs govern the transfer |
| UK employer → Indian staffing agency | UK IDTA + DPA with agency | Both UK GDPR and EU GDPR may apply simultaneously |
| Australian employer with EU candidates | SCCs | Australia has no EU adequacy decision; see Australia regional notes |
| Staffing agency in India/Philippines | DPA + SCCs if EU data involved | Agency is a data processor; written DPA is mandatory under Article 28 |

Data Processing Agreements: A Mandatory Requirement

GDPR Article 28 mandates a written DPA with every third party that processes personal data on your behalf. In remote hiring, this includes recruitment agencies, ATS platforms, background check services, video interview tools, and any HR system touching candidate data.

A valid DPA must specify:

  • Subject matter, duration, and nature of the processing
  • Types of personal data and categories of data subjects
  • Processor obligations: act only on instructions; implement appropriate security; support your compliance obligations
  • Sub-processing restrictions: processor must obtain your authorisation before engaging sub-processors — see mistake #8
  • Data deletion or return requirements — tied to your retention schedule
  • Audit rights for you as the data controller
Common Mistake

Most SMEs sign agency or recruiter contracts that contain nothing about data protection. Before sharing any candidate CV with a third-party recruiter or staffing provider, verify that a DPA is in place. If the provider cannot produce one, do not share candidate data with them. This is the most prevalent structural gap in the hiring model risk comparison.

GDPR Risk Profile: Remote Hiring Models Compared

Different hiring models carry different compliance complexities. Understanding your model's risk profile helps you build the right infrastructure from the start — and informs how thoroughly to apply the compliance checklist.

| Hiring Model | GDPR Risk | Key Requirements | Common Failure Points |
|---|---|---|---|
| Direct hire (in-house) | Moderate | Privacy notice, lawful basis, retention schedule, ATS DPA | No formal privacy notice; no deletion schedule |
| Recruitment agency (contingency) | Moderate–High | DPA with agency, defined data handling instructions | No DPA; agency distributes CVs without authorisation |
| Remote staffing provider / EOR | High | DPA, SCCs, sub-processor review, onboarding data protocols | Multi-jurisdiction gaps; no sub-processor audit |
| Freelancer platforms (Upwork, Toptal) | Lower | Platform DPA; limited additional obligations | Downloading candidate data to non-compliant systems |
| Internal talent pool / community | High | Explicit consent, renewal schedules, easy withdrawal | Consent expires without renewal; data never deleted |
Why It Matters for Managed Remote Staffing

When you engage a dedicated remote staffing provider, data flows through multiple parties. A provider that proactively maintains DPAs with its sub-processors, operates documented data handling procedures, and can demonstrate compliance on request significantly reduces your exposure as the data controller.

The 8 Most Common GDPR Mistakes in Remote Hiring

  • Defaulting to consent as the lawful basis for all recruitment data. Use legitimate interest for active hiring; reserve consent for talent pooling only.
  • No recruitment-specific candidate privacy notice. Your general privacy policy does not satisfy Article 13. See what the notice must include.
  • CVs stored indefinitely in shared folders with no deletion schedule. Implement automated retention rules in your ATS.
  • No DPAs with recruitment agencies, ATS providers, or HR platforms. Audit your vendor contracts immediately. Review the DPA requirements.
  • Recording interviews without advance disclosure. Consent must precede the recording. See the full recording guidance.
  • Not responding to erasure requests within one month. Assign a named owner. This is step 9 in the compliance checklist.
  • Relying solely on SCCs without a Transfer Impact Assessment. Post-Schrems II, the TIA is mandatory. See the cross-border transfer guide.
  • No sub-processor audit of ATS or HR platforms. Your platforms may embed third-party AI tools that constitute sub-processors — covered under your DPA obligations.

GDPR Compliance Checklist for Remote Hiring

Pre-Launch Compliance Audit
  1. Document your lawful basis for each data processing activity — legitimate interest for active recruitment, consent for talent pooling
  2. Complete and store a Legitimate Interests Assessment (LIA) — required to rely on legitimate interest
  3. Draft and publish a recruitment-specific candidate privacy notice, separate from your general privacy policy
  4. Audit your application form: strip unnecessary fields per the data minimisation rules; add privacy notice link; add a separate, unticked talent pool opt-in
  5. Configure automated data retention and deletion settings in your ATS
  6. Execute Data Processing Agreements with all agencies, ATS providers, background check firms, and video interview platforms
  7. Confirm cross-border transfer mechanisms for all non-EEA systems — SCCs or DPF certification
  8. Complete Transfer Impact Assessments for key international data flows and document them
  9. Assign a named owner for data subject rights requests; establish a response process and internal SLA
  10. Train hiring managers and HR staff on data minimisation, retention rules, and escalation procedures
  11. Review sub-processor lists of your ATS and HR platforms annually — governed by your DPA audit rights
  12. Maintain a Records of Processing Activities (ROPA) document if processing at scale — especially relevant for the EOR/remote staffing model

Regional Considerations: US, UK, Australia & Canada

GDPR sets the global benchmark. Each major hiring region layers its own framework on top of it.


United States

No federal GDPR equivalent, but California's CPRA/CCPA creates meaningful obligations. US companies hiring EU-resident candidates are directly subject to GDPR and should designate an EU representative under Article 27 if they lack an EU establishment.


United Kingdom

UK GDPR mirrors EU GDPR with post-Brexit amendments. The ICO is the supervisory authority. UK companies hiring EU-resident candidates must comply with both simultaneously. International transfers from the UK use the IDTA rather than EU SCCs.


Australia

The Privacy Act 1988 applies to businesses above AU$3M turnover. Australia has no EU adequacy decision — SCCs are required for EU-to-Australia transfers. The Privacy Act is undergoing significant reform; monitor for updates through 2026.


Canada

PIPEDA governs private sector data federally. Quebec's Law 25 (2023) introduced GDPR-level requirements. Canada holds an EU adequacy decision, simplifying EU-to-Canada transfer requirements. Canadian employers still need GDPR compliance for EU candidate data.

Frequently Asked Questions

Does GDPR apply to my US-based company if we hire remote employees in the EU?

Yes. GDPR applies to any organisation processing personal data of EU-resident individuals — regardless of where the organisation is headquartered. See the full applicability breakdown for your specific scenario.

What is the correct lawful basis for processing candidate data in recruitment?

For active recruitment — reviewing applications, interviewing, making hiring decisions — the correct basis is legitimate interest under Article 6(1)(f). Consent is appropriate only for talent pools or special category data.

How long can I keep a candidate's CV under GDPR?

Most Data Protection Authorities consider 6 to 12 months reasonable for unsuccessful applicants. Unsolicited CVs should be deleted within 30 days unless the candidate has consented to retention. See the full retention framework table.

Do I need a Data Processing Agreement with my staffing agency?

Yes — mandatory under GDPR Article 28. Any third party processing candidate personal data on your behalf must have a signed DPA before any data is shared. Review the full DPA requirements and check your hiring model's risk profile.

Can I use Standard Contractual Clauses for all international data transfers?

SCCs are the most widely used mechanism for transfers from the EU to non-adequate countries. However, post-Schrems II, SCCs must be accompanied by a Transfer Impact Assessment (TIA). See the cross-border transfer scenarios table.

What candidate rights exist under GDPR, and how quickly must I respond?

Candidates hold rights to access, rectification, erasure, restriction, and objection. You must respond within one calendar month, extendable by two further months for complex cases. Managing these requests is step 9 in the compliance checklist.

Is it legal to use AI screening tools on candidate applications?

Subject to GDPR Article 22 on solely automated decision-making. If your AI tool makes or materially influences a hiring outcome without human review, you must inform candidates and ensure explainability. Biometric or behavioural scoring constitutes special category data and requires explicit consent.

Does GDPR apply if I only hire freelancers or contractors?

Yes. GDPR does not distinguish between employment types. Collecting a contractor's name, contact details, portfolio, and right-to-work documentation is personal data processing carrying the same obligations: lawful basis, privacy notice, data minimisation, retention limits, and transfer safeguards.

Recommendations by Company Stage

10–30 people

Agency or Consultancy — First Remote Hires

Immediate priorities: a recruitment-specific candidate privacy notice and a DPA template for agencies. Use an ATS with GDPR controls built in (Workable or Recruitee). Set a 6-month retention policy for unsuccessful candidates. This delivers 80% of compliance coverage with 20% of the effort.

30–100 people

eCommerce or Tech Company Scaling Internationally

Audit your ATS sub-processors per your DPA obligations, implement SCCs for non-EEA data flows, and complete TIAs for primary transfer relationships. Assign a dedicated data subject rights owner (step 9 in the checklist). Review all recruitment agency contracts and insert DPAs where missing.

100–200 people

SaaS or Financial Services — Global Remote Workforce

You need a structured GDPR programme, not individual controls. Appoint a DPO or engage an external DPO-as-a-service provider. Maintain a ROPA document covering all hiring models in use. Conduct annual DPIAs for high-risk processing. At this scale, GDPR compliance is a trust asset and competitive differentiator.

Build a Compliant Remote Team with Confidence

Zedtreeo handles the infrastructure of remote staffing — including documented data handling, signed DPAs, and compliant sourcing processes — so you can focus on running your business.


Last updated February 2026. General informational purposes only. Not legal advice — consult a qualified data protection professional for your specific circumstances.