ATS Compliance, GDPR & Data Security Guide
ATS compliance refers to the legal, regulatory, and security requirements that applicant tracking systems must meet when collecting, processing, and storing candidate personal data. In 2026, this includes GDPR data subject rights, configurable retention periods, EU AI Act transparency requirements for AI-powered screening, and SOC 2-aligned infrastructure security. Any ATS that handles candidate data is subject to these obligations.
GDPR Requirements for Hiring Software
Lawful Basis for Processing
You need a lawful basis under Article 6 GDPR to process candidate personal data. For active job applicants this is usually either necessity for steps taken at the candidate’s request before entering into a contract (Article 6(1)(b)) or “legitimate interest” (Article 6(1)(f)): you have a legitimate need to evaluate candidates for an open role, and if you rely on legitimate interest you must document the balancing test against the candidate’s own interests. For talent pools or speculative applications, where no specific role is being filled, you need explicit, freely given consent, and candidates must be able to withdraw it as easily as they gave it.
Your ATS should clearly distinguish between active candidates (legitimate interest) and talent pool candidates (consent-based). Consent records need to be stored and auditable. CurriculoATS handles this through pipeline-based processing — candidates in active job pipelines are processed under legitimate interest, while talent pool additions require documented consent.
Right to Erasure
Candidates have the right to request deletion of their personal data at any time. You must act on these requests “without undue delay” and at the latest within one month (Article 12(3)), extendable by up to two further months for complex or numerous requests, provided you tell the candidate within the first month. Erasure is not absolute: Article 17(3)(e) lets you keep what is strictly needed to establish, exercise or defend legal claims, which is why rejected-candidate records are kept for the claim-filing window in the retention table below rather than deleted on request.
Your ATS needs a mechanism to find all data associated with a candidate (applications, notes, scoring data, communication history) and delete it completely, including from backups within the backup rotation window and from any integration that received the data. This is harder than it sounds if candidate data is scattered across integrations, email threads, and exported spreadsheets.
Data Subject Access Requests (DSAR)
Candidates can request a copy of all personal data you hold about them, the purposes for processing, the recipients it has been shared with, and how long it will be retained. Response deadline: one month from receipt, extendable by two further months for complex or numerous requests if the candidate is told within the first month.
Your ATS should support data export for individual candidates — not just bulk CSV dumps, but candidate-specific data packages. This includes application data, scoring results, notes from reviewers, and any automated decision-making outputs.
Data Retention Periods
| Candidate Status | Recommended Retention | Rationale |
|---|---|---|
| Rejected candidates | 6 months | Covers common discrimination claim filing windows (3 months in the UK; 180 or 300 days for a US EEOC charge, so confirm the window for your own jurisdictions) |
| Talent pool (with consent) | 12 months | Consent should be refreshed annually; stale profiles lose relevance |
| Hired employees | Duration of employment + 7 years | Employment law, tax records, and legal liability requirements |
| Withdrawn applications | 30 days | Minimal retention for audit trail; candidate withdrew interest |
| Interview notes | Same as candidate record | Notes are personal data about the candidate; same rules apply |
These are guidelines, not legal requirements — retention periods vary by jurisdiction. The key principle is data minimization: do not keep candidate data longer than necessary for the purpose it was collected. Your ATS should make it easy to configure these periods and automate deletion when they expire.
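The erasure, DSAR and retention sections above describe three operations that share one requirement: every row about a candidate must be reachable from a single key, so that an export is complete and a deletion leaves nothing behind. The following is an added example written for this guide, not CurriculoATS code; the table names, field names, the `RETENTION_DAYS` policy and the sample rows are assumptions constructed to illustrate the logic. It computes which records have aged out under a configurable policy, treats a talent-pool record with no consent on file as due immediately rather than letting it age out, leaves hired records to a separate retention regime, and erases across all linked tables while writing an audit tombstone that holds no personal data.

```python
# Added illustration for this guide, not CurriculoATS code: the table and
# field names, the policy dict and the sample rows are assumptions.
import copy
from datetime import date, timedelta

# Retention in days by candidate status, mirroring the table above. 'hired'
# is deliberately absent: those records follow employment-law retention
# (employment + 7 years) and are never touched by this sweep.
RETENTION_DAYS = {"rejected": 180, "talent_pool": 365, "withdrawn": 30}

# Every linked table carries candidate_id, so all personal data about one
# person is reachable from one key. That is what makes a complete DSAR
# package and a complete erasure possible.
LINKED_TABLES = ("applications", "notes", "scores", "messages")

# Constructed sample store (assumption, not real data).
SAMPLE_STORE = {
    "candidates": [
        {"id": "c1", "name": "A. Example", "status": "rejected", "status_at": date(2025, 1, 10)},
        {"id": "c2", "name": "B. Example", "status": "talent_pool", "status_at": date(2025, 6, 1), "consent_at": date(2025, 6, 1)},
        {"id": "c3", "name": "C. Example", "status": "withdrawn", "status_at": date(2025, 12, 20)},
        {"id": "c4", "name": "D. Example", "status": "hired", "status_at": date(2024, 3, 1)},
        # Talent-pool row with no consent on file: no lawful basis, due at once.
        {"id": "c5", "name": "E. Example", "status": "talent_pool", "status_at": date(2026, 1, 2)},
    ],
    "applications": [{"candidate_id": "c1", "job": "SRE"}, {"candidate_id": "c2", "job": "SRE"}],
    "notes": [{"candidate_id": "c1", "author": "hm1", "text": "Weak on-call experience"}],
    "scores": [{"candidate_id": "c1", "impact_score": 41, "signals": ["tenure", "stack match"]}],
    "messages": [{"candidate_id": "c1", "subject": "Application update"}],
}
SAMPLE_TODAY = date(2026, 1, 15)


def gather_candidate_data(store, candidate_id):
    """Every row about one candidate: the DSAR export package, and the
    inventory an erasure must cover. None if the candidate is unknown."""
    candidate = next((c for c in store["candidates"] if c["id"] == candidate_id), None)
    if candidate is None:
        return None
    package = {"candidate": candidate}
    for table in LINKED_TABLES:
        package[table] = [r for r in store[table] if r["candidate_id"] == candidate_id]
    return package


def due_for_deletion(store, policy, today):
    """IDs whose retention period under `policy` has expired as of `today`."""
    due = []
    for c in store["candidates"]:
        status = c["status"]
        if status == "talent_pool" and "consent_at" not in c:
            due.append(c["id"])  # nothing to refresh: delete, do not age out
            continue
        if status not in policy:
            continue  # e.g. hired: a different retention regime applies
        # Talent-pool retention runs from the consent date, all others from
        # the date the status was set.
        anchor = c["consent_at"] if status == "talent_pool" else c["status_at"]
        if anchor + timedelta(days=policy[status]) <= today:
            due.append(c["id"])
    return due


def erase_candidate(store, audit_log, candidate_id, actor, reason):
    """Delete the candidate and every linked row, then log a tombstone that
    holds only the opaque ID, actor, reason and row counts: the deletion
    stays auditable without the log itself retaining personal data."""
    package = gather_candidate_data(store, candidate_id)
    if package is None:
        return False
    counts = {t: len(package[t]) for t in LINKED_TABLES}
    for table in LINKED_TABLES:
        store[table] = [r for r in store[table] if r["candidate_id"] != candidate_id]
    store["candidates"] = [c for c in store["candidates"] if c["id"] != candidate_id]
    audit_log.append({"event": "erasure", "candidate_id": candidate_id, "actor": actor,
                      "reason": reason, "rows_removed": counts})
    return True


def run_retention_sweep(store, audit_log, policy, today):
    """Erase everything past its retention period; returns the erased IDs."""
    ids = due_for_deletion(store, policy, today)
    for cid in ids:
        erase_candidate(store, audit_log, cid, "retention-job", "retention-expired")
    return ids


def sweep_sample():
    """Run the sweep on a copy of the sample store; returns (ids, store, log)."""
    store, log = copy.deepcopy(SAMPLE_STORE), []
    return run_retention_sweep(store, log, RETENTION_DAYS, SAMPLE_TODAY), store, log


if __name__ == "__main__":
    ids, store, log = sweep_sample()
    print("erased:", ids, "remaining:", [c["id"] for c in store["candidates"]])
    print("audit:", log)
```

On the sample data the sweep erases the rejected candidate (past 180 days) and the talent-pool candidate with no consent record, and leaves the withdrawn application (still inside its 30 days), the consented talent-pool profile and the hired record untouched. In a real deployment the same inventory has to extend to backups, which age out within the rotation window, and to integrations that received the data, which this in-memory store does not model.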
AI in Hiring Is High-Risk
What the EU AI Act Means for ATS Platforms
The EU AI Act entered into force on 1 August 2024 with phased compliance deadlines; the obligations for the high-risk systems listed in Annex III, which include AI “intended to be used for the recruitment or selection of natural persons” (Annex III, point 4(a)), apply from 2 August 2026. This covers any ATS that uses AI to screen, score, rank or filter applications, or to target job advertisements.
High-risk classification brings obligations for both the vendor (as provider) and the employer (as deployer). The provider must operate a risk management system, apply data governance to training and test data including examination for bias, produce technical documentation, build in automatic event logging, give deployers instructions and transparency about how the system produces its outputs, design for human oversight (reviewers must be able to understand outputs and override or disregard them), and meet accuracy and robustness requirements. The employer must use the system according to those instructions, assign oversight to people with the competence and authority to exercise it, keep the automatically generated logs under its control for at least six months, inform affected workers and their representatives before putting the system into use, and tell candidates that a high-risk AI system is being used in decisions about them.
CurriculoATS meets these requirements through its signal-based scoring approach. Each candidate’s Impact Score shows the factors that contributed to the score. Hiring managers always review AI recommendations before taking action — the system ranks and recommends, but humans decide.
SOC 2 and Infrastructure Security
- Encryption at rest — all candidate data encrypted with AES-256. Database backups are encrypted with separate key management.
- Encryption in transit — TLS 1.3 for all data transmission between browsers, APIs, and backend services. No unencrypted data ever leaves the platform.
- Role-based access controls — configure who can view, edit, and delete candidate data. Hiring managers see their roles only. Admins manage access policies.
- Audit logging — every action on candidate data is logged: who viewed it, when, what changed. Essential for GDPR accountability and security investigations.
- SOC 2-aligned infrastructure — CurriculoATS is hosted on infrastructure whose provider holds a SOC 2 Type II attestation report (SOC 2 is an auditor’s attestation over a review period, not a certification). That report covers the hosting provider’s controls; the application layer is covered by CurriculoATS’s own SOC 2-aligned practices, with security reviews and penetration testing conducted regularly.
- No data selling — CurriculoATS does not sell, share, or monetize candidate data with third parties. Candidate data is used exclusively to facilitate the hiring process for the employer who collected it.
What to Ask Your ATS Vendor
- Where is candidate data stored? — jurisdiction matters for GDPR. Data stored in the EU has different rules than data stored in the US. Ask about data residency options.
- What happens to my data if I cancel? — good vendors export your data and delete it within 30–90 days, confirm the deletion in writing, and state how long copies persist in backups. Bad ones hold it indefinitely or charge export fees.
- Do you sell or share candidate data? — some ATS platforms monetize candidate data through job boards or advertising networks. Read the privacy policy carefully.
- How do you handle data subject requests? — ask for a demo of their DSAR workflow. If it involves emailing support, that is a red flag.
- What is your breach notification process? — under GDPR the employer, as controller, must notify the supervisory authority within 72 hours of becoming aware of a breach, while the vendor, as processor, must notify the employer “without undue delay”. Ask what notification deadline the vendor commits to in its data processing agreement and how it detects breaches in the first place; a vendor that takes most of the 72 hours leaves the employer no time to meet its own deadline.
- How does your AI screening handle bias? — if they cannot explain how their AI avoids discriminatory outcomes, they probably have not thought about it.
Read the ATS Buyer’s Guide and our questions to ask your ATS vendor for a full vendor evaluation checklist.
Is CurriculoATS GDPR compliant?
CurriculoATS is built with GDPR alignment as a core design principle. This includes lawful basis for processing (legitimate interest for active candidates, consent for talent pools), configurable data retention periods, automated deletion workflows, and DSAR support. We process candidate data to facilitate hiring, not to sell it.
How long does CurriculoATS retain candidate data?
Default retention periods follow the table above: rejected candidates are retained for 6 months (covering discrimination claim filing windows and audit trails), talent pool candidates for 12 months from the date of consent, and hired candidate records for the duration of employment plus 7 years (employment law and tax record requirements). All retention periods are configurable by the employer.
Does the EU AI Act affect ATS systems?
Yes. The EU AI Act classifies AI systems used in employment and recruitment as high-risk. This means ATS platforms using AI for candidate screening must meet requirements around transparency, human oversight, data quality, and bias monitoring. CurriculoATS provides transparency into scoring criteria and supports human-in-the-loop review for all AI decisions.
What security certifications does CurriculoATS have?
CurriculoATS follows SOC 2-aligned security practices including encryption at rest (AES-256) and in transit (TLS 1.3), role-based access controls, audit logging, and regular security reviews. Data is hosted on infrastructure whose provider holds a SOC 2 Type II attestation report; that report covers the hosting layer, and the application layer is covered by CurriculoATS’s own practices and testing.
Can candidates request deletion of their data?
Yes. Under GDPR and similar regulations, candidates have the right to request erasure of their personal data. CurriculoATS supports data subject access requests (DSARs) and provides tools for employers to process deletion requests within the required timeframes.
What should I ask an ATS vendor about security?
Key questions include: Where is candidate data stored and in which jurisdiction? What encryption standards are used? How are data retention periods configured? What happens to data when I cancel? Do you sell or share candidate data? What is your breach notification process? Can candidates exercise their GDPR rights through the platform?