GDPR/LOPDGDD in recruiting: a practical guide without jargon

Legal bases, transparency, transfers, and contracts, explained for HR teams.

In recruitment, we process personal data every day. The framework is simple if we keep it practical. At Mainder, we see three pillars: choosing the right legal basis, informing candidates and respecting their rights, and keeping transfers and supplier contracts under control.

On legal bases: if the person has applied for a specific vacancy, we may process their data as a "pre-contractual measure," but only for that process and for the time it requires; this basis does not cover keeping the CV "just in case" for future vacancies. Consent is valid when it is freely given, informed, and as easy to withdraw as it was to give; it must not be a condition for applying, and it is best used for talent pools and for retaining CVs after the process closes. Legitimate interest covers proactive searches and networking provided we carry out and document an internal test (LIA, Legitimate Interest Assessment), inform the person at first contact, and offer a clear way to object; be careful not to widen the use later without telling them. Legal obligation covers verifications that the law requires (for example, professional accreditations or equality and non-discrimination requirements) and is limited to what is strictly necessary.

Transparency and candidate rights: The privacy notice should explain who we are and how to contact us, what we use the data for and on what basis, who we share it with, whether transfers will occur outside the EEA and with what safeguards, how long we retain the information, what rights the individual has (access, rectification, erasure, restriction, objection, and portability) and how to exercise them, as well as the contact details of the DPO, where one has been appointed. If we use automated decision-making, we should clearly explain what the system does, why it may affect the application, and how to request human review. As an operational rule, we should answer rights requests within one month (extendable by up to two further months for complex or numerous requests, provided the candidate is told of the extension within the first month) and keep a record of each request and its handling.

International transfers and the US framework: We first check whether the destination country has an adequacy decision from the European Commission. If not, we use Standard Contractual Clauses (SCCs) together with a transfer impact assessment (TIA) and supplementary measures where the risk warrants them. With suppliers in the US, we can rely on the EU-US Data Privacy Framework if the entity appears on the DPF list and its certification covers HR data; if not, we fall back to SCCs and a TIA. We keep a simple record of transfers and review it periodically.

Data Processing Agreements (DPAs) with suppliers: Every supplier that processes data on our behalf must sign a contract detailing the purpose, duration, data categories, security measures, subprocessor rules, assistance with rights requests and DPIAs, breach notification, reasonable audits, and what happens to the data when the service ends (return or verifiable deletion). Common red flags include: the supplier claims controller status so it can reuse the data for its own purposes, reserves vague uses such as "service improvement" without limits, refuses audits or fixed notification periods, fails to identify subprocessors or countries of processing, or moves data outside the EEA without a valid basis.

Retention and minimization: Collect only what is needed to evaluate the application and set clear deadlines. As a guide, retain CVs and process notes for the duration of the process plus a reasonable period to defend against claims; if we want to maintain a talent pool, rely on renewable consent and delete when that period expires or when consent is withdrawn. For interview videos and technical tests, consider shorter deadlines and anonymization where aggregate analysis is sufficient.
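The retention rule above combines two clocks: the pre-contractual basis (process duration plus a claims period) and, optionally, renewable consent for the talent pool. The edge cases are where teams get it wrong: withdrawing pool consent does not shorten the claims period, and an expired or withdrawn consent cannot keep a CV alive on its own. The following is an added example, not code from the original article or from Mainder, showing how a deletion sweep can apply those rules. The record structure, the one-year claims period, the one-year consent validity and the sample candidates are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Illustrative periods (assumptions, not legal advice): a one-year window to
# defend against claims after the process closes, and pool consent that must
# be renewed every year.
CLAIMS_PERIOD = timedelta(days=365)
POOL_CONSENT_VALIDITY = timedelta(days=365)


@dataclass
class CandidateRecord:
    candidate_id: str
    vacancy_closed: Optional[date]          # None while the process is still open
    pool_consent_given: Optional[date]      # None if the candidate never opted in
    pool_consent_withdrawn: Optional[date]  # set when the candidate withdraws


def pool_consent_active(rec: CandidateRecord, today: date) -> bool:
    """Consent only counts while it is given, not withdrawn, and not expired."""
    if rec.pool_consent_given is None or rec.pool_consent_withdrawn is not None:
        return False
    return today < rec.pool_consent_given + POOL_CONSENT_VALIDITY


def retention_deadline(rec: CandidateRecord, today: date) -> Optional[date]:
    """Latest date on which any valid basis still covers the record.

    Returns None while the vacancy is open (pre-contractual basis still live).
    A withdrawn or expired pool consent contributes nothing, but it also does
    not cut short the claims period that follows the process.
    """
    if rec.vacancy_closed is None:
        return None
    deadlines = [rec.vacancy_closed + CLAIMS_PERIOD]
    if pool_consent_active(rec, today):
        deadlines.append(rec.pool_consent_given + POOL_CONSENT_VALIDITY)
    return max(deadlines)


def retention_action(rec: CandidateRecord, today: date) -> str:
    deadline = retention_deadline(rec, today)
    if deadline is None or today < deadline:
        return "keep"
    return "delete"


def renew_pool_consent(rec: CandidateRecord, today: date) -> CandidateRecord:
    """Renewal is a fresh, dated consent; it is only possible if not withdrawn."""
    if rec.pool_consent_withdrawn is not None:
        raise ValueError("consent was withdrawn; ask for a new opt-in explicitly")
    return CandidateRecord(rec.candidate_id, rec.vacancy_closed, today, None)


def sweep(records: List[CandidateRecord], today: date) -> List[str]:
    """IDs whose records should be deleted (or anonymised) on this run."""
    return [r.candidate_id for r in records if retention_action(r, today) == "delete"]


# Constructed sample data for the example (not real candidates).
SAMPLE = [
    CandidateRecord("c1", None, None, None),                                   # process open
    CandidateRecord("c2", date(2024, 1, 15), None, None),                      # claims period over
    CandidateRecord("c3", date(2024, 1, 15), date(2024, 12, 1), None),         # live pool consent
    CandidateRecord("c4", date(2024, 1, 15), date(2024, 12, 1), date(2025, 3, 1)),  # consent withdrawn
    CandidateRecord("c5", date(2025, 5, 1), date(2024, 6, 1), date(2025, 5, 20)),   # claims period still running
]

if __name__ == "__main__":
    today = date(2025, 6, 1)
    for rec in SAMPLE:
        print(rec.candidate_id, retention_action(rec, today), retention_deadline(rec, today))
    print("to delete:", sweep(SAMPLE, today))
```

Run as a scheduled job, this produces the deletion list that the DPA's "return or verifiable deletion" clause and the candidate's erasure right both depend on; logging each decision with its deadline is what lets you prove the rule was applied, which is the "document the process" point from the previous section.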

If you want to operate with peace of mind, work in this order: an appropriate and documented legal basis, clear information to the candidate, evidence that rights requests are handled on time, transfers with valid safeguards, and DPAs without loopholes. At Mainder, we can help you review your recruiting workflow with a practical, compliance-by-default approach.

And you, how do you justify your legal basis for proactive searches today? What simple explanation do you give a candidate when there is automated support in screening? What are your deletion criteria for talent pools and video interviews?
