Legal Compliance 11 min read

Data Protection for Job Application Documents

An application is a dense package of sensitive data with a clear beginning and a legally required end. From collection to deletion, every step decides whether you stay compliant.

Share this article
Data Protection for Job Application Documents

A job application is an unusually dense package of personal data: a CV, references, a cover letter, often a photo, sometimes information about health or origin that no one asked for and that nonetheless emerges from the documents. It has a clear beginning – the receipt of the application – and, unlike many data holdings, a legally required end. Anyone who receives applications processes these data as a controller and bears the obligations of the GDPR across the entire lifecycle: from collection through storage to deletion. This article follows that path chronologically and sets out what applies legally at each stage – with an emphasis on the point most often overlooked in practice: the orderly end of storage.

An Application as a Data Package With an Expiry Date

The principle that governs the entire handling of applicant data is storage limitation under Article 5 GDPR: personal data may be kept only for as long as is necessary for the purpose. With an application, this purpose is narrowly defined – the decision on filling a position. Once that decision has been made, the original purpose falls away for rejected applications, and the data may not be left lying around indefinitely.

Alongside this stands data minimisation: at the point of collection, only what is genuinely necessary for the selection should be recorded. Together, the two principles give the application record its lifecycle – a beginning limited to what is necessary, and an end not left to chance. Those who consider this lifecycle from the outset avoid the most common complaint in this area: documents that still sit in mailboxes, drives and applicant-tracking systems years after a rejection.

What May Be Collected – and What May Not

At the outset stands the question of which data may be collected at all. The benchmark is necessity for the specific position. Name, contact details, qualifications, professional experience and references are regularly necessary. Not necessary – and therefore not permissible to ask for – are details that have nothing to do with suitability: marital status, pregnancy, religious or political belief, trade union membership, or health data without a concrete connection to the role. Many of these characteristics are also protected under anti-discrimination law, so collecting them is sensitive not only in data protection terms but also in discrimination terms.

Closely linked to collection is the matter of which questions an employer may permissibly put. Permissible are only questions in which there is a legitimate, defensible interest with regard to the specific position. Where a question is impermissible – about a pregnancy, say – the applicant need not answer truthfully, and no disadvantage may arise for them from this. This labour-law limit largely coincides with the data protection principle of necessity: what may not be asked may also not be collected and stored.

Particular caution applies to special categories of personal data under Article 9 GDPR. Their processing is in principle prohibited. The problem in the application context is that such data are often supplied unintentionally – for instance an indication of a disability in the documents, or inferences about origin and religion from a photo. Controllers should not actively collect such information and, where it arrives unrequested, should not make it the basis of the decision.

On What Basis Applicant Data Are Processed

Every processing needs a legal basis. For applications, the closest one lies in the initiation of an employment relationship: under Article 6(1)(b) GDPR, processing is lawful where it is necessary to take steps at the request of the data subject prior to entering into a contract – and an application is precisely that. For processing beyond this, legitimate interest under point (f) may serve, provided a balancing exercise supports it.

National employment-data rules may add detail in some jurisdictions, but their relationship to the GDPR is not always settled. The Court of Justice of the European Union has held that general national clauses do not constitute a "more specific rule" within the meaning of Article 88 GDPR and therefore conflict with the directly applicable Regulation, which has cast doubt on broadly worded national provisions in this field. The practical consequence is the same across jurisdictions: those who want to document the legal basis cleanly should rest the processing of applicant data primarily on the pre-contractual step and check the current state of national law rather than rely on a broad special provision alone.

Whatever basis is chosen, the processing must remain confined to the application purpose. Data collected in the course of an application may not, without more, be reused for other purposes – such as marketing or building a permanent candidate profile. Such a change of purpose would itself require its own basis. The legal basis is therefore not only a question of whether but also of what for.

The Duty to Inform Applicants

With collection arises a duty that often gets lost in the daily routine of recruiting: informing the data subject under Article 13 GDPR. As soon as a company receives an application, it processes personal data and must inform the applicant about it – who is responsible, for what purpose and on what basis the processing takes place, how long the data are stored and what rights exist. This information must be available at the time of collection, not only on request, and it must be intelligible and easily accessible.

In practice, a separate privacy notice for applicants is advisable, distinct from the general privacy notice of the website. The most common mistake is to refer applicants in a blanket way to the general notice, which does not reflect their particular case – retention periods, talent pool, any automated pre-selection. A tailored applicant privacy notice states the storage duration depending on the outcome, points out that a photo is voluntary, and explains whether and how AI is used in screening and that a human makes the final decision.

The duty to inform is not an end in itself. It makes the processing comprehensible to the data subject and is at the same time the precondition for applicants to exercise their further rights – access, rectification, erasure and objection – at all. Those who are transparent from the start avoid queries and complaints and incidentally document their own compliance. Transparency at the beginning thus eases the orderly end.

How Long Documents May Stay

How long may I keep application documents?

This is the most frequently asked question – and one to which there is no rigid statutory figure. The GDPR names no concrete period but requires deletion once the purpose falls away. In practice a benchmark has nonetheless formed that derives not from data protection law but from discrimination law: after a rejection, a rejected person may assert claims under anti-discrimination law, for which a limitation period applies; a retention period oriented on that limitation period, plus a reasonable buffer for any proceedings, gives the common practice. How long that is depends on the jurisdiction, since the relevant limitation periods differ from one country to another.

The classification matters: such a retention period is not a statutory figure but a defensible practice tied to the limitation regime. The purpose remains decisive. As long as a procedure is running, the documents of all applicants may be kept for it; once it is concluded, the period begins for the rejected applications, after which deletion is due. Those who wish to keep data longer need a separate ground for it – and that regularly lies only in consent.

Behind the short measure stands a tangible reason. Every additional month in which application documents are kept enlarges the volume of sensitive data that could be exposed in a security incident. A holding of old, long-unneeded applications is an unnecessary risk – it brings no further benefit but can cause considerable harm in the event of a data breach. Prompt deletion is therefore not only a duty flowing from storage limitation but also an effective measure of risk reduction.

Talent Pool: Keeping Data Only With Consent

Employers often wish to retain the documents of promising but currently unsuitable applicants for future positions. This is permissible, but not without preconditions. Since the original purpose falls away with the rejection, further storage needs a new basis, and that is as a rule the explicit consent of the data subject under Article 7 GDPR. This consent must be freely given, informed and demonstrable, and it can be withdrawn at any time.

In practice this means: the data subject is asked whether their documents may remain in the talent pool for a limited period; they are told for what purpose and for how long; and withdrawal is as simple as granting. A tacit or unlimited inclusion in a talent pool is not permissible. Here too storage limitation applies: after the agreed period, one must ask again or delete.

Receiving and Storing Securely

How are application documents transmitted and stored securely? Applications contain a concentration of data worthy of protection, which is why Article 32 GDPR requires a level of protection appropriate to the risk – on receipt as well as in storage. The common route – the application as an unencrypted email attachment to a general address – is problematic in several respects: the transmission is protected only segment by segment, the documents remain permanently in the mailbox, and the circle of recipients is often wider than necessary. Why email is unsuitable for this is explored in Sending Personal Data Securely: What the GDPR Requires; the handling of the documents as documents is covered in Sending Confidential Documents Securely – Step by Step.

Preferable is a protected intake channel through which applicants submit their documents in encrypted form, without sending them unsecured by email – for instance a secure inbox that receives the content in protected form. The same principles apply to subsequent storage: encrypted filing, a narrow and authorised circle of access and – where a provider's applicant-tracking system is used – a data processing agreement under Article 28 GDPR. The fewer copies exist in the fewer places, the easier complete deletion becomes at the end.

Special Cases: Photo and Automated Pre-Selection

Is a photo permissible or required?

A photo is not legally required, and an employer may not demand one. It is voluntary: applicants may attach one but need not. The reason lies less in data protection alone than in its interaction with discrimination law – a photo allows inferences about characteristics that are irrelevant to suitability and protected under anti-discrimination law. Those who take the privacy-friendly route do not make the photo a requirement and treat a voluntarily attached one with restraint.

AI is increasingly used in pre-selection – for instance to screen and sort incoming applications. With this, the application process touches on Article 22 GDPR, which restricts decisions based solely on automated processing that produce a significant effect. A fully automated rejection without human involvement falls into this area and is permissible only under narrow conditions. What matters is genuine, substantive human control, not the mere rubber-stamping of a system recommendation. The further data protection requirements for the use of AI are covered in AI and Data Protection: The Legal Challenges.

Retention at a Glance

The following overview orders the typical constellations and makes clear that the duration is to be determined not in a blanket way but by occasion:

Constellation Legal basis Orientation for the duration Trigger for deletion
Ongoing procedure pre-contractual step (Art. 6(1)(b)) for the duration of the procedure conclusion of the procedure
Rejected application pre-contractual step / legitimate interest a limited period after rejection, tied to the local limitation regime expiry of the period after rejection
Inclusion in the talent pool consent (Art. 7) as long as consented, no longer than appropriate withdrawal or expiry
Hiring transition into the personnel file under the rules applying to personnel data separate assessment

Checklist: Ready to Delete

The following short list checks whether the handling of applicant data holds across the lifecycle – with particular regard to the orderly end:

  • Is it documented on what legal basis applicant data are processed?
  • Are only necessary data collected, and are special categories avoided?
  • Are retention periods defined and justified per constellation?
  • Does a deletion routine exist that reliably takes effect after the period expires – across all storage locations?
  • Is there freely given, withdrawable consent for the talent pool?
  • Are applications received through a protected channel and stored in encrypted form?
  • Where an applicant-tracking system is used, is there a data processing agreement?

If a point remains open, it belongs resolved before the next application arrives.

Conclusion

Data protection for application documents is less a question of individual prohibitions than a question of the orderly lifecycle. At the beginning stands the limitation to what is necessary; in the middle, a clean legal basis and an appropriate level of protection on receipt and in storage; at the end, timely and complete deletion – or, where wished and consented to, the deliberate transition into a talent pool.

The decisive and most frequently neglected point is the end. A defined deletion concept that reliably takes effect after the periods expire protects not only the rejected applicants but also the employer – against the charge of having kept data without purpose and without basis. Those who think the lifecycle through to its end turn a legal obligation into a reliable routine.

Share this article
Newsletter

Always up to date.

New articles on data protection, compliance and secure file sharing – delivered straight to your inbox. No spam, unsubscribe any time.

Discover all features

Get blog updates

Sign up and never miss a new post.

By subscribing, you agree to our Privacy Policy.