A practical guide for recruitment agencies and in-house recruiters on how long you're allowed to keep applicant data, when consent is required, and which rules you can't afford to miss. Including the 2025 updates to the Dutch NVP Recruitment Code.
In short
The Dutch Data Protection Authority's guideline is that applicant data must be deleted within 4 weeks of completing the recruitment process. With explicit candidate consent, data may be retained for a maximum of 1 year, for example in a talent pool. After that year, you must actively request renewed consent. Silent extension is not permitted. Hired candidates fall under different rules: their data may be kept up to 7 years after end of employment due to tax obligations.
Short answer: most recruitment agencies hold candidate data longer than strictly allowed, often without realizing it. A well-configured ATS with automated retention tracking and re-consent flows solves this without taking up recruiter time.
Why this article
Retention enforcement is tightening. The Dutch Data Protection Authority actively audits, with fines up to 4% of annual turnover. At the same time, many recruiters believe that "we're just doing our job" is sufficient grounds to keep profiles for years. It isn't.
Below: per data type which retention period applies, how to set up legally sound consent, and what the 2025 update of the NVP Recruitment Code changed.
What counts as "applicant data"?
Much broader than recruiters typically think. Under GDPR, all personal data collected during a recruitment process counts:
CV and cover letter
Interview notes and observations
Assessment results and test scores
Pre-employment screening and reference checks
Email and WhatsApp correspondence with the candidate
LinkedIn profile information stored in your ATS
Notes in your CRM or ATS, including handwritten
Video interviews and transcripts
Two common mistakes: WhatsApp messages get forgotten because they don't sit in the ATS, and internal notes ("doubts about motivation", "wants higher salary") are seen by recruiters as their "own" data. They aren't. Those also fall under retention rules and must be made available on request.
The three core periods
Period 1: 4 weeks (default)
For rejected candidates: 4 weeks after completing the recruitment process, all data must be deleted or anonymized. The Dutch Data Protection Authority states this in its practical guideline. GDPR itself names no specific period but refers to the principle of storage limitation (article 5(1)(e) GDPR).
Important: "completion of the recruitment process" means the moment the candidate is rejected, not the moment the vacancy is filled. A candidate rejected in round 2 has a completion moment earlier than the hired candidate.
Period 2: 1 year (with consent)
If the candidate explicitly consents to longer retention, you may keep data for a maximum of 1 year after the recruitment process ends. This is the basis for talent pools.
Four requirements for valid consent:
Voluntary. Not a condition for applying. A candidate must be able to refuse without consequences.
Specific. "For future applications at our agency" is valid, "for marketing and any other purpose" is not.
Informed. The candidate must know what data you keep, why, and for how long.
Demonstrable. You must be able to prove consent was given. A timestamped form checkbox with IP log is sufficient, a verbal agreement is not.
Period 3: 7 years (hired candidates)
Hired candidates fall under different rules. Dutch tax authority requirements demand that certain data (payroll, identity, contract) be kept for 7 years after end of employment. Other personnel data has shorter periods, typically 2 years.
What changes with the 2025 NVP Recruitment Code?
The Dutch Association for Personnel Management & Organization Development published an updated Recruitment Code in September 2025. The code has no formal legal status, but is used by courts and the Data Protection Authority to assess whether an employer acted carefully.
Three changes relevant to retention:
Actively request renewed consent. After 1 year you must explicitly ask whether the candidate wants to remain in the pool. Silent extension is not permitted. If the candidate doesn't respond, you delete the data.
Rules on AI use. If you deploy AI for screening, ranking or matching, the candidate must be informed. This affects retention indirectly: AI outputs (scores, rankings) are also personal data and fall under the same retention periods.
Salary transparency. Not directly a retention issue, but relevant to your process: salary range must appear in the vacancy text.
Re-consent: how to ask again
The end of the retention year is the point at which agencies most often break the rule. Three practical options:
Option A: automated email request. A week before the retention period ends, the candidate receives an email with a clear question and two buttons ("Yes, keep my data for another year" or "No, delete my data"). The choice is logged with timestamp.
Option B: candidate portal. The candidate logs into a portal and manages which data is kept and for how long. Works well for agencies that already have a portal, poorly for agencies without a login system.
Option C: manual outreach. For high-value candidates, a personal call or email can be more effective than automation. Documentation is then critical, since consent must be demonstrable in an audit.
Many ATS systems (including Bullhorn, Ubeeo, and modern tools working with Spadework's automation layer) automate this process, including anonymize-on-no-response.
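The retention logic described above (the 4-week clock from each candidate's own rejection, the 1-year consent period, the re-consent request a week before expiry, and anonymize-on-no-response) as an added example in Python. This is illustrative code written for this article, not code from any of the ATS products named; the candidate fields and the allowlist of non-identifying fields are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Periods as stated in the article (Dutch DPA guideline / NVP Recruitment Code).
REJECTED_RETENTION = timedelta(weeks=4)   # rejected candidate without consent
CONSENT_RETENTION = timedelta(days=365)   # talent pool with explicit consent
RECONSENT_LEAD = timedelta(weeks=1)       # Option A: ask one week before expiry

@dataclass
class Candidate:                          # assumed ATS record shape (constructed)
    name: str
    status: str                           # "rejected" or "hired"
    completed_on: date                    # this candidate's own rejection date
    consent_on: Optional[date] = None     # date of the logged, timestamped consent
    reconsent_sent_on: Optional[date] = None
    reconsent_answer: Optional[str] = None  # None (no reply), "yes" or "no"

def retention_action(c: Candidate, today: date) -> str:
    """Return keep / send_reconsent / renew / anonymize for one candidate."""
    if c.status == "hired":
        return "keep"  # hired staff: separate 7-year tax-driven rules, out of scope
    if c.consent_on is None:
        # Period 1: the clock runs from this candidate's rejection, not the hire.
        return "anonymize" if today > c.completed_on + REJECTED_RETENTION else "keep"
    # Period 2: consent is valid for at most one year from the logged consent date.
    expires = c.consent_on + CONSENT_RETENTION
    if c.reconsent_answer == "no":
        return "anonymize"          # explicit refusal: remove now
    if c.reconsent_answer == "yes":
        return "renew"              # caller logs a new consent_on with a timestamp
    if today > expires:
        return "anonymize"          # no reply by expiry: silent extension not allowed
    if c.reconsent_sent_on is None and today >= expires - RECONSENT_LEAD:
        return "send_reconsent"     # Option A: send the yes/no email, log the choice
    return "keep"

# Allowlist (assumed): only fields that cannot be traced back to a person survive.
STATISTICAL_FIELDS = {"vacancy", "applied_month", "outcome"}

def anonymize(record: dict) -> dict:
    """Strip everything identifying; an allowlist avoids leaking unexpected fields."""
    return {k: v for k, v in record.items() if k in STATISTICAL_FIELDS}
```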
Retention periods by data type
| Data type | Retention period | Condition |
|---|---|---|
| CV and cover letter of rejected candidate | 4 weeks | None |
| CV and cover letter in talent pool | 1 year | Explicit consent |
| Interview notes of rejected candidate | 4 weeks | None |
| Assessment results | 4 weeks | None, regardless of outcome |
| Reference checks | 4 weeks | None |
| Email and WhatsApp of rejected candidate | 4 weeks | None |
| ID document of hired candidate | 5 years after end of employment | Employer obligation |
| Payroll data of hired candidate | 7 years after end of employment | Tax obligation |
| General personnel data | 2 years after end of employment | Employer obligation |
| Public sector applicant data | 1 month (rejected) / 1 year (pool) | Pool requires consent |
What if you don't handle it correctly?
Three risks, increasing in severity:
Candidate complaint. Candidates can file complaints via the Data Protection Authority or a privacy lawyer. This often starts with an access request (article 15 GDPR): the candidate asks for all data you hold about them. You have 4 weeks to deliver completely, including notes and emails.
Fine from the Data Protection Authority. Maximum 4% of annual turnover or 20 million euros, whichever is higher. In practice the DPA imposes fines of 50,000 to 500,000 euros for medium-severity breaches.
Reputational damage. In the era of LinkedIn and review sites, GDPR breaches are publicly visible. Agencies scoring poorly here lose candidates and clients.
FAQ
Can I keep a candidate in my database without consent as a "future contact"?
No. Without explicit consent, you must delete all data after 4 weeks. "Future contact" is not a legal basis.
What if a candidate applies via LinkedIn themselves and I save their public profile?
You may consult a public LinkedIn profile, but the moment you save it in your ATS it falls under GDPR. The same rules apply: 4 weeks on rejection, 1 year with consent.
What does "anonymize" actually mean?
Anonymizing means data can no longer be traced back to a person. Remove name, contact data, photo and all identifiable details. Statistical data (e.g. "we received 200 applications in March") may be kept, provided it can't be traced to individuals. Pseudonymizing (such as a number instead of a name, but with a key) is not anonymizing and still falls under GDPR.
Does the 4-week rule apply to open applications too?
Yes. For open applications without a specific vacancy, "completion" is the moment you informed the candidate that nothing suitable is currently available. The 4-week clock starts from that moment.
What about candidates I find through sourcing who haven't applied?
Sourcing public profiles is allowed, storing data in your ATS is not, unless you have a lawful basis. Standard practice: keep name and LinkedIn link in a short-lived sourcing list, reach out to the candidate, and only store in the ATS once the candidate responds and agrees to retention.
What about an ATS migration with legacy data?
Importing legacy data is a new processing event under GDPR. You must assess which data remains lawful (valid consent, within retention period) and discard the rest. Many agencies use a migration as the moment for a major data cleanup.
Sources
Dutch Data Protection Authority, guideline for recruitment and selection (autoriteitpersoonsgegevens.nl, 2024-2025)
GDPR articles 5, 6 and 15 (official text via wetten.overheid.nl)
NVP Recruitment Code 2025, published September 2025
Dutch Tax Authority, employer retention obligations (belastingdienst.nl)
Bullhorn NL, GDPR practical guide for recruitment 2024-2025
Recruitmenttraining.pro, retention periods for applicant data 2026
Randstad, GDPR guidelines for recruitment process
GDPR Register Dutch Government, recruitment and selection
Want to know how GDPR-proof your current database is? Spadework offers a free database analysis where we map per candidate group which profiles are outdated, which fall outside retention periods, and which are still active.