Applicant data retention and destruction: periods and approach under the GDPR
Applicant data falls under the GDPR from the moment a candidate applies. The main rule is short. After the procedure ends you keep a rejected candidate's data for about four weeks and then you destroy it. If you want to keep it longer, you ask for consent, usually up to a year. Below you can read what counts as applicant data, which periods apply and how to clear it out in confidence.
Recruitment produces a lot of personal data: a CV, a cover letter, an assessment, references and your own notes from the interviews. That data should not sit endlessly in a mailbox or a filing cabinet. The GDPR requires storage limitation, so you do not keep it longer than needed. At the same time you sometimes want to keep a strong candidate in view for a later vacancy. This article shows how to arrange both neatly without breaking the law. We cover the periods, the role of consent and the practical steps to clear out applicant data on paper and digitally in confidence.
What is applicant data?
Applicant data is all the personal data you receive or create yourself during a recruitment process. It covers the CV, the cover letter, contact details, education and work history, the outcome of an assessment or online test, references obtained and the notes your recruiter or manager makes during the interviews. Correspondence by email or LinkedIn counts too. Sometimes that data touches a special category, for example when a candidate mentions something about health or when you ask for a certificate of good conduct. You should not ask for a copy of an identity document in the application stage; that comes only at hiring. The more sensitive the content, the more carefully you handle retention and destruction. An overview of the wider context of confidential clearing-out is in our article on data destruction.
The standard period: four weeks
The Dutch data protection authority uses as a guideline that you may keep a rejected candidate's data for up to four weeks after the end of the recruitment procedure. That short period gives you room to explain a rejection or answer a question from the candidate. After that there is no longer a legal basis and you must destroy the data. Four weeks is not a hard statutory figure, but a widely accepted norm that shows you take storage limitation seriously. Keeping it too long without reason is a breach, even if you never look at the data again. So plan the clear-out straight away once a vacancy is filled, so that rejected applications do not linger for months. A fixed moment each quarter when you review completed procedures prevents old CVs from piling up in your system.
Keeping it a year with consent
If you want to keep a candidate in view longer, that is allowed up to a year after the end of the procedure, provided the candidate gives explicit consent for it. You usually ask for that consent in the rejection, in the same email. The candidate must be free to say no and to withdraw the consent at any time. A rejection may not depend on giving consent, because then it is not freely given. Record when and for what the consent was given, because without that proof you stand weak in an inspection. The year is a maximum, not a default. If you no longer need the data earlier, clear it out earlier. If the year passes without a new vacancy following, you destroy the data anyway.
The talent pool
Many employers keep interesting candidates in a talent pool. That too is allowed only with consent, and with the same care as the one-year option. Tell the candidate clearly what you keep, why and for how long. The consent must be specific to the talent pool, not hidden in general terms. Reconfirm the consent periodically, for example yearly, so the pool does not stay full of people who lost interest long ago. Give the candidate an easy way to opt out and handle such a request right away. A talent pool without maintenance automatically becomes a collection of expired data that you may no longer keep and that works against you in an inspection.
When does the period start?
The period starts at the end of the recruitment procedure. That moment is reached once you have filled the vacancy or sent the candidate a rejection. With an open application without a concrete vacancy the period starts at the moment you have assessed the application. Keep track of that start moment per candidate, so you later know exactly when the four weeks or the year expire. A fixed field in your recruitment system with the end date of the procedure makes clearing out later a good deal easier. Some systems can automatically schedule a reminder or a deletion on that date, which greatly reduces the chance of forgotten data. If you do not have that, set a recurring task in your calendar yourself.
A short retention table
| Data | Retention period | Note |
|---|---|---|
| CV and cover letter (rejected) | 4 weeks after end of procedure | GDPR storage limitation |
| CV with candidate's consent | Up to 1 year after end of procedure | Consent, freely withdrawable |
| Assessment and test results | 4 weeks, or 1 year with consent | Follows the application |
| References and notes | 4 weeks after end of procedure | GDPR storage limitation |
| Talent pool | As long as consent applies | Reconfirm periodically |
| Application of hired candidate | Moves into personnel file | Own periods per document |
Applicant data is not yet a personnel file
A common misconception is that applicant data automatically falls under the periods of the personnel file. That is not so. As long as someone is not hired, the short applicant periods apply. If you do hire the candidate, only the relevant documents move into the personnel file and take on the retention periods that belong with it. The rejected applications from the same round keep the four-week period or the year. That distinction matters, because the personnel file has much longer periods that sometimes run up to seven years after employment ends. How to clear out a personnel file is in our guide on destroying the personnel file. Which periods apply there is in the GDPR retention periods cheatsheet.
Who may access applicant data?
Applicant data is confidential and should be accessible only to the people who really need it. In practice those are the recruiter and the manager involved. A CV that circulates in a shared mailbox or on a general drive that half the organisation can reach is a risk. Limit access in your recruitment system to the right roles and do not share CVs more widely than needed. Send a CV through a secure link in the system rather than as an attachment that gets forwarded unnoticed. The fewer people have access, the smaller the chance of a data breach and the easier you can later show that you handled the data carefully.
Where does applicant data sit?
Before you can clear out, you need to know where the data is. Applicant data rarely sits in one place. Think of your recruitment system or ATS, the mailbox with CVs as attachments, a shared drive with printed interviews, printed CVs on a desk or in a folder and single messages via LinkedIn or WhatsApp. Do not forget the copies colleagues printed for themselves during an interview round. Make a short inventory of all those places, because data you forget is exactly the data that lingers too long. Only once you have the full picture can you clear out fully, both digitally and on paper.
Destroying applicant data on paper
Printed CVs, printed assessments and handwritten notes do not belong with the waste paper. Throwing them out unshredded is a data breach you must report to the data protection authority. So shred paper applicant data to at least DIN 66399 P-4. Use P-5 if there is special data or a copy of an identity document among it. Collect the paper in the meantime in a sealed bin rather than an open waste basket, so a CV does not end up lying around. A simple office shredder does not always reach the right level and produces no proof. With larger volumes or a yearly clear-out round, outsourcing to a destruction party is often more practical and more demonstrable.
Destroying digital applicant data
Clearing out digitally is more than dragging a file to the recycle bin. In your ATS you delete the profile and empty the recycle bin. Also check that the provider removes the data from back-ups within a reasonable period. In the mailbox you delete the messages with CVs as attachments, including the sent items folder. Your ATS provider is a processor, so a data processing agreement belongs there stating how and when data is removed. Dragging a file to the recycle bin is not the same as destruction, because the data often still sits on the disk. If applicant data is on an old laptop, phone or USB stick that you dispose of, you physically destroy that data carrier or have it done.
Withdrawing consent and the right to erasure
A candidate may withdraw their consent at any time and can ask for erasure of their data. If such a request comes in, you delete the applicant data without undue delay, unless there is a legal reason to keep it after all. For applicant data that exception is rare, because there is usually no tax or other retention obligation on it. Confirm to the candidate that the data has been deleted. A swift, tidy handling of such a request strengthens trust and prevents a complaint to the supervisor.
Demonstrable destruction with a certificate
The GDPR asks not only that you clear out, but also that you can show it. If you have applicant data on paper or on data carriers destroyed, ask for a certificate of destruction with the date, quantity and level. Note the destruction in your record of processing and describe in a short policy how and when you clear out applicant data. That way you turn a one-off action into a fixed working method you can show in a few minutes during an inspection. Keep the certificate for at least five years in your GDPR file, in a fixed place where it can be found. Proof you cannot present does not count in practice. More on this is in demonstrable destruction for the GDPR.
Sealed collection strengthens the chain
With outsourcing, the certainty already begins at collection. We collect your material within 20 km of Amsterdam, sealed, so the chain from your office to the destruction stays closed. There is no walk-in at a location and no separate call-out trip, because the work runs through pooled collection rounds. Because trips are pooled nationwide, you pay a fixed price with no surprises afterwards. Paper and data carriers can come in the same collection, each destroyed to the appropriate level. A closed chain means a CV never goes missing on the way, which makes the proof of careful destruction extra strong. So the care of your office carries through to the moment the data is illegible.
Common mistakes
- Keeping CVs too long. Without consent, four weeks after the procedure is the limit.
- Not recording consent. Keeping data a year without proof of consent is a breach.
- Clearing out only digitally. The printed CVs on the desk are often forgotten.
- Throwing it out unshredded. A CV with the waste paper is a notifiable data breach.
- No proof. Without a certificate you cannot show that you destroyed it.
Clearing out applicant data step by step
- Note per candidate the end date of the recruitment procedure.
- Ask for consent if you want to keep it longer than four weeks.
- Inventory all the places where the data sits, digitally and on paper.
- Destroy after the period to the right DIN level and delete the digital copies.
- Keep the certificate and note the destruction in your record of processing.
Have applicant data destroyed in confidence?
Tell us what you have and you get a fixed price. We collect it sealed within 20 km of Amsterdam, destroy it to the right DIN level and you receive a certificate as proof for your GDPR file.
Frequently asked questions
How long may I keep applicant data?
As a guideline four weeks after the end of the recruitment procedure. With the candidate's consent you may keep the data for up to a year.
May I keep a CV longer for future vacancies?
Only with the candidate's consent for a talent pool. You record that consent and reconfirm it periodically.
Is applicant data the same as a personnel file?
No. Only when you hire a candidate do the relevant documents move into the personnel file with their own retention periods. Rejected candidates keep the short applicant period.
How do I destroy applicant data on paper?
Shred it confidentially to at least DIN P-4, P-5 for sensitive data, with a certificate of destruction as proof for your GDPR file.
Conclusion
Applicant data asks for a short, tight approach. As a guideline, keep a rejected candidate's data for four weeks, or up to a year if the candidate gives consent for it. Keep a talent pool only with explicit consent and periodic maintenance. Clear out afterwards, both digitally and on paper. Destroy in confidence to the right DIN level. Record the destruction with a certificate and a note in your record of processing. That way you meet the GDPR and are never empty-handed in an inspection or when a candidate asks a question.
See also: the pillar destroying the personnel file, how long to keep a personnel file, payroll records retention and destruction and the offboarding checklist.
Have applicant data destroyed? Request a quote via desnipperaar.nl or read how demonstrable destruction for the GDPR works. You receive a certificate as proof.