Recruitment and GDPR: Safeguarding Your Decisions Against CNIL Inspections
Recruitment is among the CNIL's top inspection priorities. From automated screening and social media sourcing to CV retention, every step involves your responsibility. Retention limited to two years in an active database then five years in an archive, mandatory human oversight for AI decisions, informing candidates: these are the practical rules to secure your recruitment processes without hindering your sourcing efforts.

With the CNIL's announced priority audits, the hiring process is under scrutiny. In an economic climate where recruiters are swamped with CVs for a single position while their teams have less time, using screening software and AI has become a natural reflex to save time. For professionals in the sector, the challenge is not to hinder innovation or sourcing, but to ensure that candidate data management remains under control. How can you integrate these regulatory obligations without slowing down your processes or undermining the final decision? Here are the keys to aligning performance with best practices.
Why Recruitment is Under the CNIL's Scrutiny
GDPR compliance in human resources is no longer a secondary issue. If the CNIL is taking a close interest in recruitment — whether managed in-house or outsourced to external firms — it's largely due to the systematic automation of processes and the use of interconnected recruitment platforms.
Workforce streamlining may push recruiters to rely ever more on algorithms to screen and evaluate profiles. It is precisely this quiet technological shift, and the discrimination risks that come with it, that explains the supervisory authority's attention. To anticipate these checks with confidence you need a map of every candidate data flow, from sourcing tool to ATS to archive; GDPR compliance software tailored to recruitment is one way to build and maintain that map.
Candidate Sourcing and Evaluation: The Right Approach
The profile search and selection phase requires agility, but it also demands respect for the boundary between professional and private life.
Social Media Screening: Where Private Life Ends
Consulting a public LinkedIn profile is legitimate if it gives professional insight relevant to the role. Delving into a candidate's personal Facebook or Instagram account, however, crosses into their private life. Be equally careful about data capture: viewing a profile online is permitted, but extracting or "scraping" it into your ATS via a sourcing tool is an indirect collection, which triggers the duty to inform the candidate (Article 14 GDPR) within a reasonable period. The operational solution: configure your tool to send an automatic notification to the candidate, stating the source of the data, their rights and your retention periods, as soon as their profile is imported.
The Interview: Preserving the Human Element Without Infringing on Private Life
A job interview is first and foremost a meeting between two individuals. Discussing, sharing, and seeking to establish a climate of trust is essential for understanding a personality. Regulatory vigilance should not dictate the exchange; it simply encourages ensuring that questions touching on purely private matters (family situation, personal projects) do not become part of the evaluation criteria, even under the guise of "breaking the ice." Finding the right balance allows for a warm exchange while ensuring fairness in the final decision.
The IKEA Case: When Background Checks Become a Crime
This case resonated widely. The French subsidiary was convicted and heavily fined for operating a system of "spying" on its candidates and employees, going as far as having private investigators consult police files or bank records. This extreme case highlights a golden rule: informal or disproportionate background checks are a criminal offence, and any search for information must be strictly limited to the professional skills declared for the role.
CV Retention Period: From Active Database to Archiving
Once contact is established or the process is complete, document management follows a precise schedule based on the legal framework. This is an opportunity to clean up your databases to focus on the most relevant profiles.
The 2-Year Rule for CV Retention
For an unsuccessful candidate, the retention of their file in your daily tool cannot exceed two years after the last contact (an email exchange, an interview, or a profile update by the candidate themselves). After this period, the data must be erased, unless the person has explicitly requested to remain in your talent pool.
The 5-Year Archive to Secure Proof
The company or firm has a legitimate interest in transferring these files to an intermediate archive for five years. Access to this archive must be tightly restricted and compartmentalized from the active tool: it serves exclusively as evidence should a candidate challenge the process for discrimination, a period aligned with the statute of limitations for civil action.
AI and Automated Candidate Screening: Humans Must Remain in Control
The integration of artificial intelligence is no longer limited to simple keyword filtering. It now intervenes upstream (voice agents for pre-qualification), during (semantic analysis tools for interviews), and downstream (predictive skills scoring).
However, automated candidate screening runs into a major legal and ethical limit: a candidate cannot be rejected by a machine alone; a recruiter or consultant must review and validate the decision (this is the prohibition on solely automated decisions with significant effects on the person). That oversight cannot be a rubber stamp on an AI-generated report: the reviewer must have the authority, the information and the time to overrule it.
The Amazon Case: The Algorithm That Penalized Women
In the late 2010s, the company abandoned an experimental recruitment model that, having been trained on roughly ten years of past applications, mostly from men, had learned on its own to penalise CVs containing the word "women's" (as in "women's chess club captain"). This example illustrates why the human eye remains irreplaceable for detecting and correcting biases that a tool reproduces from its training data.
Scraped CV Databases: AI Does Not Legitimize Unauthorised Data Collection
More recently, European authorities reprimanded platforms that used algorithms to 'rate' professionals by automatically scraping their public data from the web without their consent. AI does not legitimize indiscriminate data collection: candidates must always retain control over how their profile is indexed and evaluated.
Transparency and Explainability of AI Tools
Transparency is essential: candidates must be informed of the use of an AI tool, and the employer (or their consulting firm) must be able to explain the logical criteria that guided the software. Recruiters and DPOs must work together to audit their third-party tools and manage their end-to-end compliance daily.
From candidate to employee: ensuring GDPR continuity
For recruitment agencies, the direct mission often ends at hiring, but for internal HR, it simply shifts focus. The company then applies specific GDPR rules to employees for payroll management, social benefits, or access to premises.
This is where a crucial concept comes into play: the contractual qualification of data flows. When an agency transmits a file to its client company, both entities must define their respective roles in writing (a data sharing agreement, a joint-controller arrangement or processing clauses): are they joint controllers, independent controllers, or controller and processor? Settling this framework determines who is accountable for the candidate's information, who answers requests to exercise their rights, and who notifies the other in the event of a breach.
Once the employee is onboarded, the golden rule becomes compartmentalization: information collected for internal management must never be reused for other purposes. Compliance is not a static project; it's a management habit. This is the whole point of a governance platform like Adequacy, which automates two-year purge alerts and centralizes your records without burdening your teams' daily work.
FAQ - Recruitment and GDPR: Practical Field Questions
How to calculate the start of the 2-year CV retention period?
The last contact corresponds to the last positive interaction with the candidate: receiving their application, an email from them to follow up, a phone interview, or their last login to their candidate area (or the agency's CV database) to update their profile.
Can a candidate demand the immediate erasure of their CV?
Yes, by virtue of their right to erasure. If they object to you keeping their profile, you must remove it from the active pool without delay and confirm to them that you have done so. You may retain a copy only under restricted processing in the intermediate archive, and only if it is genuinely necessary because of a proven litigation risk related to that recruitment session; in that case, tell the candidate that a restricted copy is kept and why.
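A purge job implementing the schedule described in the retention section and the two FAQ answers above, as an added example; it is not code from the page or from any vendor tool. The record fields, the action names and the rule that the five-year archive clock starts on the date the file was moved to the archive are assumptions; the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention rule from the article: two years in the active database after the
# last contact, then five years in a restricted intermediate archive.
ACTIVE_YEARS = 2
ARCHIVE_YEARS = 5

# Run date used by the sample plan below (constructed for the example).
RUN_DATE = date(2025, 6, 1)


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class CandidateRecord:
    candidate_id: str
    # Last positive interaction: application received, follow-up email,
    # interview, or profile update by the candidate (see FAQ).
    last_contact: date
    hired: bool = False
    talent_pool_opt_in: bool = False    # candidate explicitly asked to stay in the pool
    erasure_requested: bool = False
    litigation_risk: bool = False       # proven risk of a challenge for that session
    archived_on: Optional[date] = None  # set when the file left the active database


def retention_action(rec: CandidateRecord, today: date) -> str:
    """Classify one record into the action the purge job should take.

    Returns one of: 'hired', 'keep_active', 'keep_archived', 'archive', 'purge'.
    Assumption (not stated on the page): the five-year archive clock starts on
    the date the file was moved to the archive, not on the last contact.
    """
    if rec.hired:
        return "hired"  # governed by employee data rules, not this schedule

    if rec.erasure_requested:
        # Right to erasure: leave the active pool without delay. A restricted
        # archive copy is kept only if a proven litigation risk exists.
        if rec.archived_on is not None:
            return "keep_archived" if rec.litigation_risk else "purge"
        return "archive" if rec.litigation_risk else "purge"

    if rec.archived_on is not None:
        if today >= add_years(rec.archived_on, ARCHIVE_YEARS):
            return "purge"
        return "keep_archived"

    if today < add_years(rec.last_contact, ACTIVE_YEARS):
        return "keep_active"

    # Two years have elapsed: only an explicit request to stay in the pool
    # keeps the file active; otherwise it moves to the restricted archive.
    return "keep_active" if rec.talent_pool_opt_in else "archive"


def plan_purge(records, today: date) -> dict:
    """Map every candidate id to its retention action for a given run date."""
    return {r.candidate_id: retention_action(r, today) for r in records}


# Constructed sample records (not real candidates).
SAMPLE = [
    CandidateRecord("c1", date(2024, 1, 10)),                                  # still within 2 years
    CandidateRecord("c2", date(2023, 3, 1)),                                   # 2 years elapsed, no opt-in
    CandidateRecord("c3", date(2022, 9, 1), talent_pool_opt_in=True),          # asked to stay in the pool
    CandidateRecord("c4", date(2019, 6, 1), archived_on=date(2019, 12, 1)),    # archive older than 5 years
    CandidateRecord("c5", date(2022, 10, 1), archived_on=date(2023, 1, 15)),   # archive still within 5 years
    CandidateRecord("c6", date(2024, 11, 5), erasure_requested=True),          # erasure, no litigation risk
    CandidateRecord("c7", date(2024, 11, 5), erasure_requested=True, litigation_risk=True),
    CandidateRecord("c8", date(2024, 2, 1), hired=True),                       # out of scope of this schedule
]


def sample_plan() -> dict:
    """Purge plan for the constructed sample on the fixed run date."""
    return plan_purge(SAMPLE, RUN_DATE)


if __name__ == "__main__":
    for cid, action in sample_plan().items():
        print(cid, action)
```

Run it on a schedule and act on the output: "archive" means moving the file to a store whose access is restricted and separate from the recruiters' daily tool, "purge" means deleting it from both, and every decision should be logged so you can show the authority when and why a file was kept or removed.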
How to manage the introduction of an algorithmic sorting or scoring tool?
Raise it promptly with your DPO. As soon as software analyzes or classifies profiles, it processes personal data: it must be entered in the record of processing activities, and because scoring or ranking candidates is a systematic evaluation with significant effects on them, a data protection impact assessment will usually be required before go-live. Use this to formalize the rules of the game: who has access to the results, what criteria the tool applies, and that human oversight always has the final say on the selection.

