How long can you keep a candidate in your talent pool? The GDPR rules explained

Rejected candidates, near-misses, future fits: how long can you legally hold their data in a talent pool under GDPR? Here is the exact answer.

Recruitment guides · By Ralf Klein · 4 min read
Photo by Resume Genius on Pexels

A candidate applied, made it to the final round, and did not get the job. You want to keep them on file for the next opening. That instinct is right. The execution needs to be deliberate, because under GDPR, "keeping someone on file" is a processing activity with a legal basis and a retention limit.

Here is what the rules actually say.

The default: four weeks after rejection

When a candidate applies for a specific role and you reject them, you may keep their data for four weeks after the rejection. GDPR itself names no number here; it only requires that data is kept no longer than necessary (storage limitation, Article 5(1)(e)). The four-week figure is the Dutch data protection authority's guidance on what "necessary" means for a closed application: it covers the period in which the candidate might contest the decision, object, or request access to their file.

After those four weeks, if you have no other legal basis, the data must be deleted.

No consent, no active pipeline, no open role: delete.

Keeping a candidate longer, in a talent pool, requires explicit, informed consent. Not implied consent. Not a pre-ticked box. Not a blanket line buried in your privacy policy.

The candidate must actively agree to:

  • being kept in a talent pool
  • for a specific retention period you name upfront
  • for a purpose you describe clearly (future roles, not general marketing)

Standard practice in the Netherlands, following the Dutch data protection authority's guidance, is a maximum of one year with a single consent; the same one-year window is widely used elsewhere in the EU. After a year, you either re-ask for consent or delete the record. Some organisations set the window at two years, which is defensible if the role type has a slow hiring cycle, but one year is the safer default.

A compliant talent pool opt-in has three components:

  1. What you are storing. CV, contact details, interview notes, assessment scores. Be specific.
  2. Why. Future vacancies at your organisation that match their profile.
  3. How long. One year from the date of consent. Not "for the foreseeable future."

Add a clear opt-out mechanism. The candidate can withdraw consent at any time, and withdrawal must be as easy as giving consent.

If you are using a recruitment tool or ATS, check whether it logs consent timestamps and sends automatic deletion reminders when the retention period expires. Manual tracking in a spreadsheet is a compliance liability at any scale.

Near-misses and talent pools in practice

The talent pool rule applies equally to:

  • Candidates who were rejected outright
  • Candidates who were a good fit but lost to a stronger hire
  • Candidates who withdrew their application mid-process

The legal basis does not change based on how close they came. If they are no longer in an active process, you need consent or you delete.

One nuance: if the candidate sent an open application with no specific role attached, the implied expectation is that you are storing it for future consideration. That context alone does not constitute valid GDPR consent, but it does make the opt-in conversation easier.

The Dutch Autoriteit Persoonsgegevens position

The Dutch data protection authority (AP) has published guidance stating that data from a closed application should be deleted within four weeks of the end of the procedure, and that keeping a candidate longer in a talent pool requires consent, with a recommended maximum retention of one year. The AP has fined organisations for retaining personal data without a valid legal basis.

If you operate across EU borders, the principles are consistent: GDPR's consent requirements and storage limitation apply in every member state. The specific four-week and one-year figures, however, are national guidance, and other DPAs may publish different numbers or put different emphasis on enforcement. Check the guidance of the DPA for each country you recruit in, and apply the strictest figure if you want one policy for the whole organisation.

What to build into your process

Three practical steps that eliminate most compliance risk:

At rejection: send a single, clear email asking whether the candidate wants to join your talent pool. Include what that means, how long their data will be kept, and a one-click opt-in.

On consent: log the date and what was consented to. Your ATS or CRM should do this automatically. If it does not, that is a tooling problem worth solving.

At expiry: automated reminder when the consent window lapses. Either re-request consent or trigger a deletion workflow.
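The three steps above amount to a small retention-enforcement routine: record when consent was given and for what, derive a deletion deadline from either the rejection date or the consent date, and sweep the register for records that need a reminder or a deletion. The following is an added example, not code from the article or from any ATS. It assumes the 28-day post-rejection window and the 365-day consent cap the article describes, a 30-day reminder window (my own choice), and a hypothetical in-memory register; a real system would replace the list with the ATS database and the returned ids with an actual deletion job.

```python
"""Consent register and retention sweep for a talent pool.

Added example, not the article's code. Assumptions (not from the article):
REMINDER_WINDOW_DAYS and the in-memory register are illustrative choices.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

REJECTION_GRACE_DAYS = 28    # four weeks after rejection, per Dutch AP guidance
TALENT_POOL_MAX_DAYS = 365   # one year with a single consent
REMINDER_WINDOW_DAYS = 30    # assumption: re-ask this long before expiry


@dataclass
class CandidateRecord:
    candidate_id: str
    rejected_on: date
    consent_given_on: Optional[date] = None
    consent_scope: tuple = ()      # what was consented to: ("cv", "interview notes", ...)
    retention_days: int = 0        # retention period named at opt-in
    consent_withdrawn_on: Optional[date] = None

    def record_consent(self, on: date, scope: Iterable[str],
                       retention_days: int = TALENT_POOL_MAX_DAYS) -> None:
        """Log an explicit opt-in. Refuses vague scope or open-ended retention."""
        scope = tuple(scope)
        if not scope:
            raise ValueError("consent must name what is being stored")
        if not 0 < retention_days <= TALENT_POOL_MAX_DAYS:
            raise ValueError("retention must be a finite period within the cap")
        self.consent_given_on = on
        self.consent_scope = scope
        self.retention_days = retention_days
        self.consent_withdrawn_on = None   # a fresh consent supersedes a withdrawal

    def withdraw_consent(self, on: date) -> None:
        """Withdrawal must be as easy as giving consent: one call, no conditions."""
        self.consent_withdrawn_on = on

    def has_valid_consent(self) -> bool:
        return self.consent_given_on is not None and self.consent_withdrawn_on is None

    def retain_until(self) -> date:
        """Deadline after which the record has no legal basis and must go.

        With valid consent: consent date + the named period.
        Without (never given, or withdrawn): rejection date + four weeks.
        """
        if self.has_valid_consent():
            return self.consent_given_on + timedelta(days=self.retention_days)
        return self.rejected_on + timedelta(days=REJECTION_GRACE_DAYS)


def retention_status(rec: CandidateRecord, today: date) -> str:
    """'delete' once the deadline is reached, 'remind' shortly before a consented
    deadline (so consent can be re-asked), otherwise 'keep'."""
    deadline = rec.retain_until()
    if today >= deadline:
        return "delete"
    if rec.has_valid_consent() and today >= deadline - timedelta(days=REMINDER_WINDOW_DAYS):
        return "remind"
    return "keep"


def sweep(records: Iterable[CandidateRecord], today: date) -> dict:
    """Partition the register into deletion, reminder and keep lists of candidate ids."""
    out = {"delete": [], "remind": [], "keep": []}
    for rec in records:
        out[retention_status(rec, today)].append(rec.candidate_id)
    return out


def sample_register() -> list:
    """Constructed sample data for demonstration; not real candidates."""
    rejected_no_consent = CandidateRecord("c-001", date(2024, 1, 10))
    in_pool = CandidateRecord("c-002", date(2024, 1, 10))
    in_pool.record_consent(date(2024, 1, 15), ["cv", "interview notes"])
    withdrawn = CandidateRecord("c-003", date(2024, 1, 10))
    withdrawn.record_consent(date(2024, 1, 15), ["cv"])
    withdrawn.withdraw_consent(date(2024, 3, 1))
    return [rejected_no_consent, in_pool, withdrawn]


if __name__ == "__main__":
    for day in (date(2024, 2, 6), date(2024, 2, 7), date(2024, 12, 20), date(2025, 1, 14)):
        print(day, sweep(sample_register(), day))
```

Two points worth noticing: withdrawal does not delete the record on the spot but drops it back to the rejection-based deadline, which is usually already past, so the next sweep deletes it; and `record_consent` rejects an open-ended or over-long retention period at the point of logging, which is cheaper than discovering "for the foreseeable future" in an audit.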

This is not complex to implement. It is easy to skip. Skipping it is what creates the compliance exposure.

The short version

Rejected candidate, no consent: delete after four weeks. Talent pool with consent: up to one year, then re-ask or delete. Log everything. Opt-out must be simple.

That is the whole rule. The rest is implementation.
