GDPR Compliance Guide for AI Recruitment Tools
Using AI in recruitment doesn't exempt you from data protection law. In the EU and UK, GDPR (and equivalent rules) apply to candidate data. Here's a concise guide to staying compliant when using AI recruitment tools.
Lawful basis: You need a lawful basis to process candidate data. For recruitment, legitimate interest or contract performance are commonly used. Be clear in your privacy notice what you collect, why, and how long you keep it.
Transparency: Candidates should know that AI is used in the process. Explain in job ads or application flows that interviews may be assessed with AI, and link to your privacy policy and any vendor (e.g. intrya) sub-processor information.
Data minimization: Only collect and retain what's necessary. AI tools should be configured to use only job-relevant data. Avoid storing unnecessary PII or keeping it longer than your retention policy allows.
Rights: Candidates have rights to access, rectification, erasure, and portability. Your AI recruitment vendor should support these, for example by allowing you to export or delete candidate data on request.
Vendor due diligence: Choose providers that are transparent about data handling, offer DPAs, and can demonstrate compliance (e.g. SOC 2, GDPR-aligned processing). At intrya, we're built for enterprise and take data protection seriously.
Staying compliant protects candidates and your organization. If you'd like to discuss how intrya handles candidate data and supports GDPR compliance, get in touch for a conversation.