Recruitment agencies: destroying candidate profiles
A recruitment agency or executive-search firm gathers the most complete profiles of people there are: CVs, cover letters, assessment results, references, salary expectations and sometimes a copy of an identity document or diploma. You may not keep that data forever, because a candidate has a right to be forgotten once the purpose has been served. This guide shows how long you keep candidate profiles, what the four-week rule and the talent pool mean and how to destroy the rest confidentially.
The quick answer: in principle you keep a rejected candidate's data for four weeks, or up to a year with consent for a talent pool. A placed candidate moves to the employer's administration or your own tax administration. You treat assessments and references separately. Whatever may go is destroyed confidentially, with a certificate.
Why candidate profiles need care
A candidate profile is not a loose CV, but a file full of personal information. Alongside work experience and education it often holds an assessment, a personality test, references, salary expectations and sometimes sensitive background. Assessment results and references touch on someone's performance and sometimes their health or personal situation. That makes a profile more sensitive than it seems, and the GDPR requires storage limitation and an appropriate level of security.
Keeping data because a candidate might come in handy one day is not a valid ground without consent. Whoever keeps a profile without a purpose keeps personal data that should have gone. That is exactly what the four-week rule and the talent pool try to prevent.
Retention periods by part
The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the completion of the procedure.
| Part | Starting point | Period |
|---|---|---|
| Administration and invoicing | Tax retention obligation | 7 years |
| Rejected candidate | Four-week rule | 4 weeks |
| Talent pool | With consent | up to ~1 year |
| Assessments and references | Sensitive data | destroy at a fine level |
| Placed candidate | To employer or administration | transfer |
| Working notes and drafts | No retention obligation | clear out at once |
Use this as a guideline, not a final legal ruling. The general line for applicant data is covered in the guide on applicant data retention and destruction. When in doubt about a specific file, consult your privacy adviser.
The four-week rule and the talent pool
For a rejected candidate the common line is that you delete the data four weeks after the procedure ends. If you want to keep the profile longer for a possible future role, that is only allowed with the candidate's consent, usually up to a year. Record that consent and remove the profile as soon as the period expires or the consent is withdrawn. That way you keep only profiles that may be there on a valid ground.
In executive search and headhunting you sometimes work with longer-running profiles of people who did not apply themselves. There too you need a legal basis, inform the candidate and review the data periodically. A profile no one looks at any more and for which there is no ground left should be cleared out.
Assessments, references and the client
Assessment results, personality tests and references are the most sensitive part of a profile. Keep them recognisably separate, limit access to whoever needs them and destroy them at a fine level once their purpose has been served. If you work on behalf of an employer, you are often a processor and record the arrangements about keeping and destroying in a processor agreement. Match your periods to those arrangements.
How to handle it in 6 steps
- Split the file into administration, candidate profile, assessments and talent pool.
- Delete rejected candidates after four weeks, unless there is consent.
- Manage the talent pool on the basis of consent and a fixed end date.
- Treat assessments and references separately and at a fine destruction level.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Candidate profiles are destroyed confidentially, because they contain CVs, assessments and sometimes identity and diploma data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old applicant-tracking server or backup with candidate profiles belongs with it too.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR and your client that you acted carefully. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Common mistakes
- Keeping rejected candidates just in case. After four weeks the purpose lapses without consent.
- Filling the talent pool without consent. Keeping longer requires a valid ground.
- Treating assessments and references as ordinary paper. That is sensitive data.
- Throwing away unshredded. A CV with personal data on the street is a reportable data breach.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long may a recruitment agency keep a CV?
For a rejected candidate the common line is four weeks after the procedure ends, or up to a year with the candidate's consent for a talent pool. After that you clear the data out, unless there is another valid ground.
May I keep candidates in a talent pool?
Only with the candidate's consent and for an agreed period, often a year. Record the consent, remind the candidate and remove the profile as soon as the consent expires or is withdrawn.
Are assessments and references sensitive data?
Assessment results, personality tests and references are sensitive data and sometimes special-category personal data. Treat them separately, limit access and destroy them at a fine level as soon as they are no longer needed.
How do I destroy candidate data in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
A recruitment agency manages complete candidate profiles, with assessments and references mixed in. Delete rejected candidates after four weeks, manage the talent pool on the basis of consent and transfer placed candidates. Treat assessments and references separately and match your periods to the client. Have whatever may go destroyed confidentially at a fine level, with a certificate as proof. That way you keep nothing too long and respect your candidates' right to be forgotten.