"How long can we keep them?" One of the most common GDPR questions in recruitment — and one of the worst answered. Spoiler: GDPR doesn't set "X years" in stone. It sets a principle, and the ICO gives a benchmark. Here's the clear answer, no guesswork.
Summary
- The baseline rule: storage limitation
- The concrete benchmark: ICO guidance
- Successful candidate, unsuccessful candidate, talent pool: three cases
- What to do once the period ends
- How a compliant ATS handles this
- FAQ
1. The baseline rule: storage limitation
The (UK) GDPR doesn't give a hard number for CVs. It sets a principle, in article 5(1)(e): personal data must be kept no longer than is necessary for the purposes for which they're processed — the storage limitation principle.
Plain English for an agency or HR team: once an application has been processed, keeping a CV needs a justification. That justification can't be a catch-all "just in case". The candidate must know why (talent pool, future opportunity…) — and the retention has a limit.
2. The concrete benchmark: ICO guidance
The principle is abstract. The ICO makes it operational. The ICO Employment Practices Code recommends keeping unsuccessful candidate data only for the relevant claims period — at least 6 months to cover Employment Tribunal claim windows (the standard limit for an Equality Act claim being 3 months from the date complained of, with extensions sometimes granted).
For a longer retention (talent pool, future vacancies), the practical benchmark is 2-3 years from last meaningful contact, with information given and the right to opt out. Going beyond requires documented justification.
Equivalent benchmarks in the EU:
- France (CNIL): 2 years from last contact for unsuccessful candidates.
- Spain (AEPD): 6 months to 1 year for future vacancies; blocking after 24 months.
3. Successful candidate, unsuccessful candidate, talent pool: three cases
- Successful candidate — data switches to a new purpose: "personnel management". Different retention rules apply.
- Unsuccessful candidate — 6 months baseline (UK), 2 years (FR) or 6-12 months (ES) as reference benchmarks; or earlier deletion/anonymisation.
- Talent pool / CV bank — keeping a candidate beyond the recruitment cycle requires transparent information (why, how long) and a lawful basis (most often legitimate interest, sometimes consent). The candidate must be able to opt out or request deletion at any time.
Layer in the minimisation principle (art. 5(1)(c)): only keep what's relevant — not a full dossier with messages, scoring and notes that no longer serve the purpose.
4. What to do once the period ends
Three compliant options:
- Delete the data.
- Anonymise (statistics, reporting) — the data no longer allows identification; GDPR no longer applies.
- Get explicit consent from the candidate to extend retention under a clear purpose, with a fresh deadline.
A bad option: silently extending the period. The candidate must be able to exercise their rights at any time — access, rectification, erasure (art. 17), objection (art. 21), particularly for direct marketing-like communications.
5. How a compliant ATS handles this
A serious recruitment platform shouldn't leave this to manual hygiene. It should provide:
- Configurable retention periods per purpose.
- Automatic purge or anonymisation at expiry.
- An interface for exercising rights (access, rectification, erasure).
- Audit trails of these operations.
At Marvin Recruiter, retention is configurable per customer. Default: 2 years from last contact, with expiry notifications and a one-click erasure flow. Goal: the rule applies automatically rather than relying on each user's diligence.
Where this article comes from
Marvin Recruiter integrates GDPR and AI Act in product design. This article is the output of our in-house R&D — regulation, ICO/CNIL/AEPD doctrine, Digital Omnibus monitoring. Informative, not legal advice. Not yet reviewed by a lawyer. Validate compliance decisions with your DPO or a specialised law firm.
FAQ
How long can I keep a CV after a recruitment process?
UK: at least 6 months for unsuccessful candidates (ICO claim-window benchmark); 2-3 years from last contact for talent pools, with information and opt-out. EU benchmarks vary (FR: 2 years; ES: 6-12 months).
Does GDPR set a hard retention period for CVs?
No. (UK) GDPR sets a principle (storage limitation, art. 5(1)(e)). National regulator guidance (ICO, CNIL, AEPD) gives operational benchmarks.
Can I keep a candidate in my talent pool indefinitely?
No. A talent pool is still processing under the (UK) GDPR, so it needs a purpose, a lawful basis, a retention period, information given to the candidate, and the ability for the candidate to object or request erasure.
Can a candidate request deletion of their data?
Yes — right to erasure (art. 17) and right to object (art. 21), absolute for direct marketing-like activities.
My recruitment policy keeps records for 6 years for discrimination defence. Is that legal?
In the UK, a longer retention may be justified for legal-defence purposes (Equality Act claim limits, with extensions). Document the reasoning and keep this data in a separate, restricted-access archive — not in your live recruitment database.
Informative article up to date as of 15 May 2026. Sources: UK GDPR / Regulation (EU) 2016/679 (art. 5, 17, 21); ICO Employment Practices Code; CNIL and AEPD recruitment guidance. Not legal advice.
