
GDPR and hiring — what HR teams need to know

May 2026 · 8 min read · NullifyCV Team

The General Data Protection Regulation affects every stage of the hiring process — from job advertisements to reference checks. Yet many HR teams still treat GDPR as an IT or legal concern rather than an operational one. The reality is that the biggest GDPR risks in recruitment happen at the point where resumes are shared internally — a process that most organisations haven't systematically addressed.

This guide explains the GDPR provisions most relevant to hiring, where the common compliance gaps are, and how resume redaction supports a more defensible recruitment process.

Note: This article is for informational purposes only. Always consult your DPO or legal counsel for formal compliance advice specific to your organisation.

Key GDPR principles in the hiring context

GDPR Article 5 sets out six core principles for processing personal data. Three of these are directly relevant to how resumes are handled in recruitment:

Purpose limitation (GDPR Art. 5(1)(b))

Data collected for one purpose cannot be used for another. A resume submitted for a specific vacancy should not be retained indefinitely or shared for unrelated purposes without explicit consent from the candidate.

Data minimisation (GDPR Art. 5(1)(c))

Only data that is "adequate, relevant and limited to what is necessary" for the processing purpose should be collected and shared. When a panel needs to assess skills and experience, the candidate's home address and phone number are not necessary for that assessment.

Storage limitation (GDPR Art. 5(1)(e))

Personal data should not be kept longer than necessary. Unsuccessful candidate resumes should be deleted after a defined retention period — typically 6-12 months — or immediately after a decision is made if no future vacancies are anticipated.

Where the gaps typically are

Internal resume distribution

The most common GDPR gap in hiring: a recruiter receives a resume, then forwards the full document — including name, address, phone number, email, LinkedIn, and often a photo — to a hiring panel of five or more people. Each of those people now holds a copy of that personal data, potentially across multiple devices and email accounts.

This is a data minimisation problem. The panel doesn't need most of that information to assess the candidate. By distributing a de-identified version, you limit the personal data footprint to what's actually necessary for the hiring decision.

Right to erasure requests

Under GDPR Article 17, candidates have the right to request deletion of their personal data. If a recruiter has forwarded a full resume to ten people internally over email, honouring an erasure request becomes operationally complex — you need to locate and delete every copy.

De-identified resumes distributed to the panel contain no personal data — there's nothing to erase. The original resume, held only by the recruiter, is the single point of deletion.

Special category data

GDPR Article 9 creates heightened protections for "special category" data — including racial or ethnic origin, religious beliefs, health data, and biometric data. Resumes sometimes include signals that fall into these categories.

Processing special category data requires explicit consent or one of the other specific legal bases under Article 9(2). For most hiring processes, the safest approach is to remove these signals before internal distribution.

How resume redaction supports GDPR compliance

Redacting resumes before internal distribution directly addresses several of the gaps above.

NullifyCV processes resumes entirely in the browser — no data is sent to any server. This means NullifyCV itself does not process personal data as a controller or processor, which simplifies your data flow documentation.

Practical steps for your HR team

1. Create a resume handling policy

Document how resumes are received, stored, redacted, shared, and deleted. Include retention periods and the legal basis for processing. Your DPO should review and sign off on this policy.

2. Implement systematic redaction

Make redaction a standard step in your recruitment workflow — not an optional extra. The person who receives applications (recruiter or HR coordinator) redacts before passing to the panel. This creates a clean separation of roles.

3. Keep audit logs

NullifyCV generates a downloadable audit log for each processed resume — documenting what was removed, with what confidence, and when. These logs are your evidence of systematic data minimisation practice.

4. Set retention periods and stick to them

Define how long you retain unsuccessful candidate resumes and automate deletion where possible. 6 months is a common standard for EU employers — long enough to revisit a candidate for a new role, short enough to limit data exposure.


Frequently asked questions

Does using NullifyCV make our hiring process GDPR compliant?

No tool can make a process fully GDPR compliant on its own — compliance depends on your entire data handling practice, legal basis for processing, privacy notices, retention policies, and more. NullifyCV supports data minimisation consistent with Article 5(1)(c). Consult your DPO for a formal assessment.

Do we need to tell candidates their resume will be redacted?

Your privacy notice should describe how you process candidate data, including internal distribution practices. Redacting before distribution generally reduces rather than increases compliance risk — but your DPO should confirm the appropriate disclosure for your jurisdiction.

What's the legal basis for processing resumes under GDPR?

Most employers rely on legitimate interests (Article 6(1)(f)) or the performance of a contract (Article 6(1)(b)) as the legal basis for processing candidate resumes. Your DPO should document the legal basis in your Records of Processing Activities (RoPA).

Legal disclaimer: This article is for informational purposes only and does not constitute legal advice. GDPR requirements vary by jurisdiction and circumstance. Consult your Data Protection Officer or legal counsel for guidance specific to your organisation.