GDPR-Compliant CV Processing: What HR Teams Need to Know in 2026
GDPR has applied since 2018, the EU AI Act is now in force, and most HR teams are still running CV pipelines that would not survive a serious audit. This is a practical guide, not legal advice, to what compliant CV processing actually looks like in 2026, including the AI-screening question that is now the biggest exposure point for recruiters.
What GDPR actually requires for CV processing
A CV is personal data the moment it lands in your inbox. That triggers six core obligations under GDPR (Articles 5 and 6):
- Lawful basis. You need a legal reason to process the CV: most commonly the candidate's consent, "legitimate interest" in evaluating them for a role they applied to, or the fact that screening is a step taken at the candidate's request before entering into a contract (Article 6(1)(b)).
- Purpose limitation. A CV submitted for role A cannot be silently used for role B six months later without a new consent or a clearly disclosed talent-pool basis.
- Data minimization. Collect what you need for the hiring decision. Photos, dates of birth, marital status, and national ID numbers usually fail this test.
- Accuracy. Candidates have the right to correct information you hold about them.
- Storage limitation. A CV cannot live in your inbox forever. Define a retention period and stick to it.
- Integrity and confidentiality. Encryption in transit and at rest, access controls, audit logs.
For HR specifically, the parts that get teams in trouble are purpose limitation, retention, and increasingly AI involvement — covered separately below.
Lawful basis: consent vs. legitimate interest
There are three practical options for processing inbound CVs:
- Consent. The candidate ticks a box that explicitly says "I agree that my CV will be processed for the purpose of evaluating my application for [role]." Consent must be freely given, specific, informed and unambiguous (Articles 4(11) and 7), and it can be withdrawn at any time, so the pipeline has to be able to act on a withdrawal.
- Legitimate interest. Arguably available when a candidate proactively submits a CV for a specific role, since they have a clear expectation it will be read. This is more fragile and requires a documented Legitimate Interest Assessment (LIA).
- Pre-contractual steps (Article 6(1)(b)). Evaluating an application is a step taken at the candidate's request with a view to entering an employment contract. This basis covers the screening itself but not extras such as keeping the CV for future roles.
Most HR teams use consent, because it is clear to candidates and simple to evidence. Bear in mind that supervisory authorities have cautioned that consent is hard to treat as freely given where there is an imbalance of power, as there is between applicant and employer, so document why it is valid in your case. The consent text needs to:
- Name the purpose (evaluating this specific role).
- Name the controller (your company).
- Link to the privacy notice, which carries the full detail required by Articles 13 and 14 (retention period, recipients, candidate rights, any AI involvement).
- Be separable from other consents (no bundling with marketing).
- Be revocable as easily as it was given.
Retention: the most common compliance failure
Most HR teams have a CV retention policy on paper and a practice that ignores it. The realistic baseline:
- Active hiring process: as long as the role is open + 30 to 90 days for ongoing evaluation.
- Rejected candidates, no future-roles consent: delete within 30 days of the decision, unless the limitation period for discrimination claims in your jurisdiction justifies a longer, documented window (in Germany, for example, around six months is common practice).
- Rejected candidates with explicit talent-pool consent: typically up to 12 months, with renewal.
- Hired candidates: the CV becomes part of the employment record under different rules.
If you cannot say with confidence what your retention policy is and that it is automatically enforced, that is the first thing to fix. Manual deletion never happens reliably.
Data minimization in practice
A compliant European CV process collects: name, contact info, work history, education, skills, links the candidate chose to share. It does not require: photo, date of birth, marital status, national ID number, religion, political affiliation. Religion and political opinions are special-category data under Article 9, which needs its own justification that a hiring process will not have. If the CVs you receive include this data, that is largely outside your control, but the test is whether you use or retain it.
A clean rule of thumb: redact or ignore protected characteristics during screening. Redaction has to happen before the text reaches a screening tool; instructing a model to ignore a date of birth it has already been sent is not minimization, it is a prompt. A good screener evaluates skills and experience, not photos and personal data.
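As an added illustration (this is not the article's code, nor HR AI Assistant's), the following Python pass strips the labelled fields listed above from a CV before it is handed to any screener. The label list, the regular expression and the sample CV are constructed for the example. It catches labelled fields only, so an ID number buried in a sentence would need a separate pattern, and it deliberately reports counts rather than the removed values so the audit record does not become a second copy of the data.

```python
import re

# Labelled CV fields that usually fail the data-minimisation test. The list
# follows the article's own examples (plus age/ID synonyms) and is an
# assumption for this example; extend it per jurisdiction. Longer labels come
# first so "national id number" wins over "national id".
DROP_LABELS = (
    "date of birth", "dob", "born", "age",
    "marital status",
    "national id number", "national id", "id number", "passport number",
    "religion", "political affiliation",
    "photo",
)

# A line that starts with one of the labels followed by ':' or '-'.
_LABEL_RE = re.compile(
    r"^\s*(?P<label>" + "|".join(re.escape(lbl) for lbl in DROP_LABELS) + r")\s*[:\-]",
    re.IGNORECASE,
)


def minimise_cv(cv_text: str) -> tuple[str, dict]:
    """Return (text that may be sent to the screener, {label: lines dropped}).

    Only counts are reported, never the dropped values, so the minimisation
    log itself does not turn into a store of the data just removed. Work
    history and education dates are kept: they are required for the hiring
    decision even though graduation years are a weak age proxy; whether to
    strip those is a policy call, not a parsing one.
    """
    kept, dropped = [], {}
    for line in cv_text.splitlines():
        m = _LABEL_RE.match(line)
        if m:
            key = m.group("label").lower()
            dropped[key] = dropped.get(key, 0) + 1
            continue
        kept.append(line)
    return "\n".join(kept), dropped


# Constructed sample CV, not a real person.
SAMPLE_CV = """\
Jane Example
Email: jane@example.com | Phone: +31 6 1234 5678
Date of birth: 12 May 1990
Marital status: married
National ID number: 123456789
Photo: jane.jpg

Experience
2019-2024  Security Engineer, Example B.V.
2017-2019  SOC Analyst, Example Services

Education
2013-2017  BSc Computer Science, University of Example
"""


if __name__ == "__main__":
    clean, report = minimise_cv(SAMPLE_CV)
    print(clean)
    print("dropped:", report)
```

The report ({"date of birth": 1, "marital status": 1, ...}) is what goes next to the screening record; the removed strings are never written anywhere.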
The EU AI Act and AI-driven screening
This is the big change in 2026. The EU AI Act lists AI systems used to recruit or select people, including systems that analyse and filter job applications and evaluate candidates, as high-risk (Annex III, point 4). Most of the resulting obligations fall on the provider of the tool, but as the deployer you carry obligations of your own (Article 26). In practice:
- Transparency obligations. Candidates must be told that AI is part of the decision, and workers and their representatives must be informed before the system is used at the workplace.
- Human oversight. A human, not the model, must make the final accept/reject call, and that person needs the competence and the authority to override the tool.
- Documentation. You need records of the system, its purpose, and how it is monitored, and you must keep the logs the system generates.
- Bias monitoring. Demonstrable testing for adverse impact on protected groups. The provider owes you this evidence; ask for it before you buy, and check that the input data you feed the tool is representative of your applicant pool.
Practically, this means:
- Add a sentence to your privacy notice and consent flow: "AI may be used to assist in evaluating your application. Final decisions are made by a human recruiter."
- Keep the recruiter, not the model, as the formal decision-maker. Do not auto-reject based on a score: a rejection produced solely by automated processing is exactly what GDPR Article 22 gives candidates the right not to be subject to.
- Use tools that produce written rationales for their scores, so the human review is meaningful.
Practical setup checklist
A compliant inbound-CV pipeline for a European HR team:
- Application form with explicit consent checkbox, separated from any marketing consent.
- Privacy notice linked from the form, naming the AI screening tool if used.
- Storage in a system with access controls (not a shared inbox or Google Drive folder).
- Retention rules enforced by automation — calendar reminders are not enforcement.
- Right-to-access process. When a candidate asks "what do you have on me," you can answer without undue delay and at the latest within one month (Article 12(3)); the deadline can be extended by two further months for complex requests, but you must tell the candidate within the first month.
- Right-to-deletion process. Same deadline, automated where possible, and covering every system that holds a copy.
- Vendor due diligence. For every external tool that touches CVs (ATS, AI screener, video interview tool), a Data Processing Agreement (DPA) under Article 28, a clear understanding of where the data is processed, and a documented transfer mechanism (for example Standard Contractual Clauses) if that is outside the EU/EEA.
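The two automation items in the checklist (retention enforcement, and erasure requests that reach every copy) come down to the same routine, so here is one added worked example in Python. It is not the article's or HR AI Assistant's code: the in-memory CvStore stands in for an ATS, a mail archive and a screener cache, and the candidates, dates and retention windows are constructed for the example. It encodes the retention baseline given earlier, skips hired candidates and legal holds, deletes from every registered system regardless of where the request arrived, and writes one audit entry per purge.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention windows from the baseline above, in days after the trigger event.
# "hired" is deliberately absent: that CV moves into the employment record.
RETENTION_DAYS = {
    "active": 90,        # trigger: the role closed
    "rejected": 30,      # trigger: the rejection decision; no talent-pool consent
    "talent_pool": 365,  # trigger: the separate talent-pool consent; renew or purge
}


@dataclass
class Candidate:
    candidate_id: str
    status: str                        # "active" | "rejected" | "talent_pool" | "hired"
    trigger_date: date                 # see RETENTION_DAYS
    legal_hold: bool = False           # e.g. ongoing proceedings: deletion blocked
    purged_on: Optional[date] = None   # set once every copy is gone


@dataclass(frozen=True)
class AuditEntry:
    candidate_id: str
    reason: str                        # "retention_expired" | "erasure_request"
    purged_from: tuple                 # systems that actually held a copy
    on: date


class CvStore:
    """In-memory stand-in for one system that may hold a CV copy (ATS, mail archive, screener cache)."""

    def __init__(self, name: str, cvs: dict):
        self.name = name
        self.cvs = dict(cvs)

    def delete(self, candidate_id: str) -> bool:
        """Idempotent delete; True only if a copy was actually removed."""
        return self.cvs.pop(candidate_id, None) is not None


class RetentionEngine:
    def __init__(self, stores):
        self.stores = list(stores)
        self.audit: list[AuditEntry] = []

    def deletion_due(self, c: Candidate) -> Optional[date]:
        """Date by which the CV must be gone, or None when retention rules do not apply."""
        days = RETENTION_DAYS.get(c.status)
        return None if days is None else c.trigger_date + timedelta(days=days)

    def erase_everywhere(self, c: Candidate, reason: str, today: date) -> tuple:
        """Delete from every registered system, not only the one a request arrived in."""
        purged = tuple(s.name for s in self.stores if s.delete(c.candidate_id))
        c.purged_on = today
        self.audit.append(AuditEntry(c.candidate_id, reason, purged, today))
        return purged

    def sweep(self, candidates, today: date) -> list:
        """Scheduled enforcement: purge every CV whose window has passed and is not on hold."""
        purged_ids = []
        for c in candidates:
            if c.purged_on is not None or c.legal_hold:
                continue
            due = self.deletion_due(c)
            if due is not None and today >= due:
                self.erase_everywhere(c, "retention_expired", today)
                purged_ids.append(c.candidate_id)
        return purged_ids

    def handle_erasure_request(self, c: Candidate, today: date) -> dict:
        """Article 17 request: honour it unless a documented exception applies."""
        if c.status == "hired":
            return {"deleted": False, "reason": "employment record; different retention rules apply"}
        if c.legal_hold:
            return {"deleted": False, "reason": "legal hold; document the basis and a review date"}
        return {"deleted": True, "purged_from": self.erase_everywhere(c, "erasure_request", today)}


def build_demo():
    """Constructed sample data, not real candidates: four CVs spread over three systems."""
    ats = CvStore("ats", {"c1": "cv", "c2": "cv", "c3": "cv", "c4": "cv"})
    mail = CvStore("mail-archive", {"c2": "cv", "c4": "cv"})
    screener = CvStore("ai-screener-cache", {"c1": "cv", "c3": "cv"})
    candidates = [
        Candidate("c1", "active", date(2026, 1, 15)),       # role closed 15 Jan
        Candidate("c2", "rejected", date(2026, 3, 1)),      # rejected 1 Mar, no consent
        Candidate("c3", "talent_pool", date(2025, 9, 1)),   # consent given 1 Sep 2025
        Candidate("c4", "hired", date(2026, 2, 1)),         # employment record
    ]
    return RetentionEngine([ats, mail, screener]), candidates


if __name__ == "__main__":
    engine, candidates = build_demo()
    today = date(2026, 4, 15)
    print("purged by sweep:", engine.sweep(candidates, today))
    print("erasure request c3:", engine.handle_erasure_request(candidates[2], today))
    for entry in engine.audit:
        print(entry)
```

Run it directly to see the sweep and the audit entries. The design choices worth copying: the sweep is idempotent (a purged candidate is skipped next time), a deletion is recorded only for the systems that actually held a copy, and refusals to erase come back with a stated reason instead of being silently dropped.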
What to ask an AI resume-screening vendor
If you are buying an AI screening tool, the GDPR-relevant questions:
- Where is the data processed? EU, US, somewhere else?
- Is it stored, and for how long? The strongest answer is "in-session only, never written to long-term storage." Check that this also holds for the vendor's own sub-processors, such as the model API it calls, whose retention terms are set separately.
- Are CVs used for training? This must be a clear "no" for any vendor you trust with candidate data, and it must cover the upstream model provider as well as the vendor itself.
- What's in the DPA? Sub-processor list, data location, breach notification SLA.
- Does it document its scoring rationale? Required for meaningful human oversight under the EU AI Act.
HR AI Assistant is built around these answers: CVs are processed in the user's session, are not retained on our servers, are not used for training, and every score comes with a written rationale that makes human review substantive.
Common mistakes worth fixing this week
If you are responsible for an HR pipeline, here are the highest-impact fixes:
- Move CVs out of shared email inboxes. No access controls, no audit log, no retention. This is the most common single failure mode.
- Add the AI sentence to your privacy notice. It takes a paragraph. It is required as of 2026.
- Automate deletion of rejected CVs. A calendar reminder is a stopgap at best, not enforcement. The "we'll get to it" plan does not survive an audit.
- Document your lawful basis. One paragraph per processing activity. Auditors ask for this first.
The honest summary
Compliant CV processing is not particularly hard, but it does require explicit choices: a lawful basis you can name, a retention policy you actually enforce, and AI tooling that supports — not replaces — recruiter judgment. The teams that get this right also tend to have better candidate experience, because the disciplines that satisfy regulators (clarity, speed, professionalism) are the same ones candidates appreciate.
This article is a practical overview, not legal advice. For decisions with real exposure, talk to a lawyer or DPO who knows your jurisdiction.
Run AI screening without the compliance headaches
HR AI Assistant processes CVs in-session, never retains them on our servers, and produces written rationales — the kind of audit trail GDPR and the EU AI Act expect.
Frequently asked questions
Can I use AI to screen resumes under GDPR?
Yes, but with conditions: candidates must be informed that AI is involved, a human must make the final hiring decision, and the tool's data handling must be compliant (lawful basis, no unauthorized retention, documented sub-processors). The EU AI Act adds documentation and bias-monitoring obligations on top of GDPR for AI systems used in hiring.
How long can I keep a candidate's CV?
As long as needed for the specific role, plus a short post-decision window — typically 30 to 90 days. To keep CVs longer for future roles (a 'talent pool'), you need explicit, separate consent and a defined retention period, usually no more than 12 months without renewal.
Do I need consent to process a CV the candidate sent me?
Most teams use explicit consent (a tick-box on the application form), because it is the cleanest legal basis. 'Legitimate interest' is defensible for unsolicited applications to a specific role, but requires a documented assessment. Whichever you choose, document it in your privacy notice.
What happens if a candidate asks me to delete their CV?
Under GDPR Article 17, you generally have to delete it without undue delay and within one month of the request (Article 12(3)), unless you have a strong legal basis to keep it (active employment, ongoing legal proceedings). Document the request and the deletion. If the CV is in multiple systems (ATS, email, Drive, an AI tool), you need to delete from all of them.
Are AI resume screeners GDPR-compliant by default?
No vendor is compliant by default — compliance is a property of how you use the tool plus the tool's own data handling. The minimum bar: in-session processing without long-term storage, no training on candidate data, an EU data processing location or proper transfer mechanism, and a Data Processing Agreement. HR AI Assistant is built around these constraints.