
GDPR Tools for Companies

Included in:
  • SmartStart
  • SmartRecruit


SmartRecruiters is committed to helping our customers comply with local regulations. Our GDPR compliance tools provide the ability to manage candidates' personal information and their consent to the use of that information for recruiting purposes.


SmartRecruiters' GDPR tools help companies to:

SmartRecruiters also helps companies ensure compliance by providing candidates with the ability to manage their applications, personal information, and consent.

Privacy Policies

Candidates need to understand how companies and SmartRecruiters will use their personal information before consenting to that use. 

  • By default, SmartRecruiters also adds its own privacy policy and candidate Terms of Use to every job application. 
  • Using SmartRecruiters' Global Compliance tool, companies can add their own privacy policies to job applications. For any job with an applicable privacy policy, SmartRecruiters links to the policy on the application.

On the application, candidates can click to review each privacy policy before explicitly agreeing to the terms. Companies who have built a custom application experience using our Application API can GET the privacy policies for a particular job from the /postings/:uuid/configuration endpoint.

Collecting consent

During the application process, all candidates who apply to a SmartRecruiters job ad have the opportunity to review the job's privacy policies and explicitly provide consent to those policies:


Candidates who submit their resume/info via the Field Recruiting App also have the opportunity to review applicable policies before submitting their interest:

[Screenshots: Field Recruiting App consent screen on iOS and Android]

By checking the consent box on a job’s application or when submitting their information via the Field Recruiting App, candidates can explicitly and actively agree to any privacy policies that apply to the job. 

In all cases, candidates who apply to a job must provide consent before they can submit the application. Candidates who are referred will also be asked to provide consent when they complete the application. 

Referrers are also asked to confirm that they have permission from the candidate to submit their information.

SmartRecruiters does not collect consent for candidates added by external recruiting agencies.

Application API and consent

Companies and partners who have built a custom application experience using our Application API should also ensure that they present candidates with the appropriate privacy policies and collect the candidate's consent. Make sure to specify the candidate's consent by setting the consent property to true in a POST request to the /postings/:uuid/candidates endpoint. The property is false by default.
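A server-side guard for a custom application flow, added here as an example and not SmartRecruiters' own code: it sets consent to true only when the candidate accepted every policy loaded for the posting, and ignores any consent flag sent by the browser. The Policy shape, the candidate field names other than consent, the posting id and the URLs are assumptions or constructed sample values.

```python
import json
from dataclasses import dataclass


class ConsentError(Exception):
    """Raised when an application must not be submitted."""


@dataclass(frozen=True)
class Policy:
    # Assumed shape of one privacy-policy entry; the page does not show the
    # response format of /postings/:uuid/configuration.
    org: str
    url: str


def build_candidate_post(posting_uuid, form, policies, accepted_urls):
    """Return (path, json_body) for POST /postings/:uuid/candidates.

    form          -- untrusted fields submitted by the candidate's browser
    policies      -- policies fetched server-side for this posting
    accepted_urls -- policy URLs the candidate actively ticked
    """
    if not policies:
        # Fail closed: without the policy list nothing was shown to agree to.
        raise ConsentError("no privacy policies loaded for this posting")
    missing = sorted(p.url for p in policies if p.url not in accepted_urls)
    if missing:
        raise ConsentError("not accepted: " + ", ".join(missing))
    # Drop any client-supplied flag; consent is derived from the check above.
    body = {k: v for k, v in form.items() if k != "consent"}
    body["consent"] = True
    return f"/postings/{posting_uuid}/candidates", json.dumps(body, sort_keys=True)


# Constructed sample data (placeholder posting id, policy URLs and candidate).
POSTING = "00000000-0000-0000-0000-000000000000"
POLICIES = [Policy("SmartRecruiters", "https://example.com/sr-privacy"),
            Policy("Example Co", "https://example.com/company-privacy")]
FORM = {"firstName": "Ada", "lastName": "Example",
        "email": "ada@example.com", "consent": True}  # flag forged client-side

if __name__ == "__main__":
    path, body = build_candidate_post(POSTING, FORM, POLICIES,
                                      {p.url for p in POLICIES})
    print(path, body)
```

Storing the accepted policy URLs and a timestamp alongside the submission gives you your own record of what the candidate agreed to.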

Managing consent

Consent is stored on the candidate profile. Recruiters can check the candidate’s profile to verify whether they’ve provided consent for the use of their application.  


Candidates who’ve applied numerous times, to different jobs at your company, will provide consent on each application. You’ll be able to see the date for the most recent record of collected consent. 

Candidates can withdraw this consent from a particular company at any time.


Requesting consent

Since candidates who apply must provide consent, if you see on a candidate’s profile that they have not provided consent, it’s likely because they were added to SmartRecruiters by some other method, such as manually by a recruiter, or via some kind of integration (e.g., LinkedIn). 

Anyone with full access to a candidate can request consent by clicking Request Consent on the candidate’s profile.

The date of request is noted on the candidate profile. SmartRecruiters supports only one pending request, so if the candidate has not yet provided consent, you’ll be unable to re-request. 


The candidate will receive this request email:

Hi [Candidate First Name],

We’d like to consider you for employment at [Company name]. Your privacy is important to us, so please review our privacy policy and confirm that we may use your information for recruiting purposes.

[Review policy]

You can view, update, or delete your profile at any time.

Thank you, 
[Company] Recruiting Team

Clicking Review Policy will take the candidate to their Candidate Portal, where they can review the job's privacy policies, and accept or decline to provide consent.


Declining to provide consent is essentially identical to the candidate deleting their profile at your company. If they decline, SmartRecruiters will delete their candidate profile at the company and all applications associated with that profile. 

Candidates who are added to SmartRecruiters, e.g., via Add Candidate, aren’t automatically notified, so if a company is subject to GDPR, someone on the hiring team with full access to the candidate will need to request consent.

It's important to remember two things when requesting consent:

  • Consent is associated with a candidate's profile, not their applications. If the candidate has already consented, there's no need to re-request consent when adding the candidate to another job.
  • When someone on a job's hiring team requests consent from a candidate, and the GDPR retention rule is active for that job, the candidate's profile will be deleted if the candidate declines the request or fails to respond to the request. 

For example:

  1. Candidate applies to Job A, and provides consent in the application.
  2. Recruiter on Job A reassigns candidate to Job B, and requests consent.
  3. Candidate does not respond to the request, because they have already provided consent.
  4. The company has the GDPR retention setting active. After 30 days, the candidate's profile is automatically deleted because they did not respond to the request, even though the candidate may still want to be considered for employment.

GDPR retention rule

In the event that a candidate doesn't provide consent when requested, companies who are subject to GDPR should delete the candidate's information. This can be done manually, or by activating the GDPR Settings option in the Global Compliance configuration that applies to the job associated with the candidate's application.


If activated for a particular configuration, candidates have 30 days from the date that consent was requested to provide consent for their application. (All candidates who apply must provide consent, so this setting is intended for candidates who enter SmartRecruiters by a method other than direct application.) 

If they do nothing, or decline, SmartRecruiters will delete their profile when the deadline arrives. 

Remember, Global Compliance configurations are applied based on the job’s location, not the candidate’s location. 

The GDPR setting overrides any other data retention rules. If the GDPR setting is not active, then SmartRecruiters will follow the data retention rule set in the configuration.