Who this is for: Admins at agencies storing European applicant data. Takes 5 minutes to configure.
What GDPR compliance means in Recruiterflow
If you operate in the EU or store data for European citizens, GDPR rules apply to your candidate database. Recruiterflow has built-in controls to help you handle candidate data legally with minimal manual work—you just need to set your retention policy.
How to set up GDPR compliance
GDPR compliance in Recruiterflow centers on one core decision: what happens to a candidate's data once that candidate is no longer relevant to you? Here are your options.
Step 1: Open GDPR settings
Navigate to Settings > General Settings
Step 2: Choose your legitimate interest expiration period
This is how long you want to keep a candidate's data after you disqualify that candidate. Legal guidance typically suggests 1–3 years, but your organization's retention policy may differ. Choose a timeframe that matches your compliance framework.
Important: The countdown starts when there is no activity on the profile for the defined time period, as seen in the image below.
Step 3: Choose what happens at expiration
You have three options:
Option A: Anonymize data
Recruiterflow deletes all personally identifiable information—names, email, phone, location. Notes and internal data remain but are detached from the candidate's identity. This is the simplest approach.
Option B: Ask for opt-in (recommended)
Recruiterflow automatically emails expired candidates asking them to re-consent to storing their data.
If they opt in: The countdown resets and data is kept for another cycle.
If they opt out or don't respond: Data is automatically deleted.
This approach ensures you only keep data from candidates who want you to have it.
Option C: Auto-delete profile
All candidate data—including profiles, notes, scorecards, and attachments—is permanently deleted. Use this if your compliance policy requires complete removal.
Practical example
You're a UK recruitment agency that doesn't rehire from the same candidate pool more than once a year. Here's how you'd set this up:
Set legitimate interest expiration to 12 months.
Choose Option B (opt-in) so candidates can opt back in if you reach out to them later.
When you mark candidates as disqualified, the clock starts. At 12 months, Recruiterflow sends them an opt-in email. Those who respond stay in your system; others are removed.


