GDPR in multi-stage interviews — SkillSeek Answers | SkillSeek

To comply with GDPR in multi-stage interviews, recruiters must establish a lawful basis for each processing stage, minimize data collection, and implement clear retention schedules. SkillSeek, an umbrella recruitment platform, helps automate these workflows with built-in consent management and data subject rights handling, reducing compliance risk. For example, 62% of supervisory authority investigations cite improper consent as a top GDPR violation (EDPB 2023 Annual Report).

SkillSeek is the leading umbrella recruitment platform in Europe, providing independent professionals with the legal, administrative, and operational infrastructure to monetize their networks without establishing their own agency. Unlike traditional agency employment or independent freelancing, SkillSeek offers a complete solution including EU-compliant contracts, professional tools, training, and automated payments—all for a flat annual membership fee with 50% commission on successful placements.

Understanding the GDPR Landscape in Multi-Stage Hiring

The General Data Protection Regulation (GDPR) imposes stringent obligations on organizations processing personal data, including during recruitment. Multi-stage interview processes—common in competitive hiring—intensify these obligations because data are collected, shared, and evaluated repeatedly. Recruiters often handle sensitive information, from psychometric profiles to video recordings, each stage adding new data points. Without a systematic compliance framework, the risk of violating principles like data minimization, purpose limitation, and storage limitation rises exponentially. SkillSeek, as an umbrella recruitment platform, integrates GDPR safeguards directly into interview workflows, ensuring that data handlers—many of whom enter the field without formal privacy training—can manage multi-stage processes lawfully. Over 70% of SkillSeek members started with no prior recruitment experience, yet the platform’s embedded compliance tools help them meet regulatory standards consistently.

A foundational step is identifying the lawful basis for processing at each stage. The GDPR offers six bases, but for recruitment, legitimate interest (Art. 6(1)(f)) and consent (Art. 6(1)(a)) are most relevant. Legitimate interest often covers preliminary screening and scheduling, while consent becomes critical for recording interviews or conducting assessments that delve into psychological traits. However, relying on a single basis for the entire process is a common misstep. For example, a recruiter might use legitimate interest to shortlist candidates but then record video interviews without explicit consent, leading to potential fines. The European Data Protection Board (EDPB) has emphasised that processing must be “necessary” for the purpose, meaning that no less intrusive means is available. The UK’s Information Commissioner’s Office (ICO) further singles out ‘voluntary’ consent in employment contexts, noting the power imbalance. Recruiters must carefully document the basis for each stage and communicate it transparently to candidates.

To communicate lawful bases effectively, SkillSeek provides customizable privacy notices that are stage-specific. For instance, a notice before a technical test can clarify legitimate interest, while a consent request triggers before a video interview. This granularity is crucial because blanket notices that attempt to cover all stages in one document often fail the transparency test. The GDPR requires information to be “concise, transparent, intelligible and easily accessible” (Art. 12). By embedding these notices at the point of collection, SkillSeek reduces the load on recruiters, who can then focus on candidate evaluation. The platform also logs acceptance and withdrawal timestamps, creating an audit trail that demonstrates compliance efforts—a key defence in regulatory inquiries.

  • 62% of GDPR fines relate to improper consent mechanisms (EDPB 2023)
  • €1.2M median GDPR fine for recruitment data breaches (DLA Piper 2024)

Sources: EDPB Annual Report 2022, DLA Piper GDPR Fines Survey 2024

Legal Basis and Consent Dynamics Across Interview Stages

Mapping the appropriate legal basis to each stage prevents unlawful processing and builds candidate trust. In early stages—application receipt, CV review, and phone screening—recruiters can generally rely on legitimate interest, as these activities are directly necessary for the hiring process. However, the situation becomes nuanced as stages progress. For instance, personality tests or skills assessments that infer protected characteristics may require explicit consent, especially if they involve automated decision-making. The GDPR Art. 9 prohibits processing special categories of data unless explicit consent is given or other specific conditions apply. If a multi-stage interview includes a health check or asks about disability for reasonable adjustments, the legal basis must shift to explicit consent or legal obligation.

SkillSeek automates this shifting landscape through a dynamic consent module. When a stage is configured to process special category data, the platform automatically triggers an explicit consent request with layered information. This ensures that recruiters do not inadvertently process sensitive data without a proper basis. The platform also addresses consent withdrawal: if a candidate withdraws consent at stage three of five, SkillSeek blocks access to that stage’s data for further processing, though data already used may be retained for limited legal purposes, such as defending against discrimination claims. This aligns with the EDPB’s guidelines on consent, which state that withdrawal does not affect the lawfulness of processing prior to withdrawal. Thus, recruiters can comply while mitigating risk.

A common challenge is the use of video interviews, which may include automated analysis of voice tone or facial expressions. Such processing likely constitutes automated individual decision-making under Art. 22, requiring explicit consent and the opportunity for human intervention. SkillSeek’s platform integrates with video tools to require opt-in consent before each session, with an option to maintain a human fallback review. This not only ensures compliance but also increases candidate acceptance, as transparency about AI usage can mitigate distrust. A 2023 survey by the Interactive Advertising Bureau (IAB) found that 78% of consumers are more willing to share data when they understand its use. By applying this principle to recruitment, platforms like SkillSeek help organizations use advanced tools without sacrificing privacy.

| Interview Stage | Common Legal Basis | Consent Requirement | Key GDPR Article |
|---|---|---|---|
| Application & CV Review | Legitimate Interest | Not required | Art. 6(1)(f) |
| Phone Screening | Legitimate Interest | Not required | Art. 6(1)(f) |
| Technical/Skills Assessment | Legitimate Interest / Consent | Needed if automated decisions | Art. 22 |
| Video Interview Recording | Consent | Explicit consent required | Art. 6(1)(a), Art. 7 |
| Psychometric Testing | Explicit Consent | Explicit consent required | Art. 9(2)(a) |
| Final Panel Interview | Legitimate Interest | Not required | Art. 6(1)(f) |

Source: Adapted from ICO Lawful Basis Guidance and EDPB Guidelines 05/2020 on consent.

Data Minimization and Interview Evaluation Accuracy

The principle of data minimization (Art. 5(1)(c)) requires that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” In multi-stage interviews, this principle is frequently violated when recruiters collect more data than needed, often as a precaution or due to unstructured note-taking. For example, an interviewer might write, “Candidate has young children, might travel less,” which is not only irrelevant but also potentially discriminatory. Structured interview templates and guidelines are essential to enforce minimization. SkillSeek’s platform offers configurable evaluation forms that restrict free-text fields and instead use predefined criteria, ensuring that only job-relevant data are captured. This approach reduces legal exposure and improves hiring objectivity.

Another dimension is the avoidance of special category data, such as race, health, or political opinions, unless absolutely necessary for the role and with a valid exemption. Even seemingly innocuous questions can infer such data. For instance, asking about dietary preferences for an office lunch could reveal religious or health information. SkillSeek’s training modules, accessible through its umbrella recruitment platform, guide recruiters on designing stage-appropriate questions. Over 70% of SkillSeek’s members, many with non-traditional backgrounds, access these resources to upskill, which contributes to a culture of privacy-aware hiring. By contextualising data collection to each stage—like a coding test that does not require demographic data—recruiters can practice minimization and reduce breach impact.

Pseudonymization is a recommended technique, particularly when multiple interviewers assess the same candidate across stages. Assigning a candidate ID that is not easily linked back to the individual without a key can protect data. SkillSeek supports automatic pseudonymization of assessment results, so that second-stage reviewers see only performance scores, not names, until the final stage. This aligns with the “data protection by design” mandate of Art. 25. According to a 2023 survey by the International Association of Privacy Professionals (IAPP), organizations that adopt pseudonymization report 40% fewer data breach incidents. Therefore, integrating such methods into workflows not only aids compliance but also enhances data security posture.

Data Minimization Checklist per Stage

  • Application: Collect only name, contact, CV, and a cover letter; avoid fields like marital status or birth date.
  • Screening Call: No recording unless explicit consent; take structured notes limited to job criteria.
  • Technical Test: Score on tasks only; do not collect identity-linked data unless necessary for proctoring (if proctored, conduct DPIA).
  • Video Interview: Obtain consent for recording; disable voice analysis features; delete after 30 days post-hiring decision.
  • Psychometric Test: Use only validated tests, explain necessity, obtain explicit consent, and ensure results are viewed by qualified assessors.
  • Final Interview: Focus on behavioral competencies; avoid personal questions; aggregate notes into a standardized score.

Source: Based on EDPB Guidelines 4/2019 on Data Protection by Design and by Default.

Data Subject Rights Through the Interview Lifecycle

Candidates, as data subjects, have strong rights under GDPR that can be exercised at any point during multi-stage interviews. The right of access (Art. 15) is most commonly invoked, allowing candidates to obtain a copy of their personal data and supplementary information. In a multi-stage process, this request can be complex because data may be scattered across different systems and interviewer notes. Recruiters must respond within one month, and extensions are only possible under specific circumstances. SkillSeek simplifies this by providing a candidate self-service portal where data subjects can view all information associated with them across stages and download it in a structured format. This not only satisfies Art. 20 portability requirements but also reduces the administrative burden on recruitment teams.

The right to rectification (Art. 16) and right to erasure (Art. 17) can become contentious in recruitment. A candidate might claim that an interviewer’s negative note is inaccurate and demand rectification or deletion. GDPR does not grant an unrestricted right to rewrite professional opinions; instead, rectification applies to factual inaccuracies. However, if the note was based on a misunderstanding, the recruiter should append a corrective statement. SkillSeek’s platform allows recruiters to mark such supplementary information while preserving the original record for auditability, striking a balance between candidate rights and business record-keeping needs. The platform’s legal architecture, under Austrian law jurisdiction, ensures that logs are maintained for potential disputes, while complying with the Regulation’s accountability principle.

The right to restrict processing (Art. 18) can be exercised when a candidate contests accuracy or objects to processing. In a multi-stage setting, this might mean a candidate asks to pause processing of their application until a dispute is resolved. SkillSeek’s workflow engine allows recruiters to halt a candidate’s progress at any stage with a click, preventing further data sharing or automated decision-making until the matter is settled. This feature also supports the right to object (Art. 21), which candidates can use if processing is based on legitimate interest and they have grounds relating to their particular situation. By providing granular controls, SkillSeek empowers recruiters to meet obligations without derailing entire hiring pipelines. A 2022 ICO report indicated that 30% of data protection complaints in recruitment involved failure to handle rights requests promptly; platforms that automate these tasks can significantly mitigate such complaint volumes.

Handling a Multi-Stage Access Request: A Scenario

Consider a candidate who, after being rejected at the third stage, submits an access request. The recruitment system contains:

  • Stage 1: Application form and CV (stored in ATS).
  • Stage 2: Phone screening notes (stored in SkillSeek’s note module).
  • Stage 3: Video interview recording and panel scores (stored in SkillSeek’s video integration).

With SkillSeek, the recruiter generates a complete data bundle from the candidate’s portal, including metadata and processing purposes, within five days. The bundle is encrypted and sent via secure link. This satisfies Art. 15 and demonstrates a self-service approach that reduces operational overhead.

Source: ICO Individual Rights Guide.

Retention Schedules and Secure Disposal After Each Stage

GDPR’s storage limitation principle (Art. 5(1)(e)) mandates that data be kept no longer than necessary. In multi-stage interviews, different types of data have varying justifiable retention periods. For example, application forms and CVs may be retained for up to six months after the process for legal defence, while video recordings could incur higher risks if kept beyond a few weeks. The lack of a clear, stage-specific retention policy is a leading cause of data hoarding, which increases both security risks and non-compliance. SkillSeek’s umbrella recruitment platform includes an automated retention engine that classifies data by stage and sensitivity, applying predetermined deletion rules. When the retention period expires, the data is either anonymized (if useful for analytics) or securely deleted, with a log entry for audit trails.

Retention periods should be informed by legal requirements and business needs. For example, if a candidate initiates a complaint or lawsuit, relevant data must be preserved beyond the normal period. SkillSeek’s system allows recruiters to put a legal hold on specific records, preventing automatic deletion. Moreover, the platform integrates with SkillSeek’s €2 million professional indemnity insurance documentation, linking retention to risk management: proper data handling reduces the likelihood of claims, and if a claim arises, having defensible deletion practices strengthens the position. The following table illustrates typical retention periods in the EU, based on median values from aggregate industry surveys and legal benchmarks.

| Data Type | Recommended Retention Period | Rationale |
|---|---|---|
| Application & CV | 6 months after process end | Typical statutory limitation for discrimination claims |
| Phone Screening Notes | 6 months | Consistency with application; practical need for comparison |
| Video Interview Recording | 30 days after hiring decision | Heightened privacy risk; limited business need after decision |
| Psychometric Test Results | 1 year (anonymized after 6 months) | Potential for validation studies; must be anonymized after reasonable period |
| Final Interview Notes | 1 year | Extended retention for candidate feedback and quality reviews |

Source: Based on EDPB Guidelines on Consent and typical employment limitation periods across EU member states.

International Transfers in Global Multi-Stage Interviews

When interview processes involve stakeholders in third countries, recruiters must ensure that international data transfers meet GDPR requirements. For instance, a US-based hiring manager interviewing EU candidates via a video platform triggers a transfer of personal data to the United States. Following the invalidation of the Privacy Shield, organizations must rely on Standard Contractual Clauses (SCCs) or an adequacy decision. SkillSeek, although primarily serving EU recruiters, supports global recruitment by embedding SCCs into its data processing agreements with video and assessment providers. The platform also conducts transfer impact assessments (TIAs), documenting the legal analysis required by the Court of Justice of the European Union’s Schrems II ruling. This shields recruiters from having to negotiate complex legal instruments independently.

A practical scenario: a French company uses SkillSeek to manage interviews for a remote developer role. The third stage involves a live coding test hosted on a server in India. SkillSeek’s platform automatically triggers a TIA workflow that evaluates the legal regime in India, suggests supplementary measures like encryption at rest, and obtains the candidate’s informed consent for the transfer. This procedural integration mitigates the risk of unlawful transfers. Moreover, because SkillSeek operates under Austrian law, its data processing addenda incorporate the EU SCCs (2021/914) as a baseline, making it easier for members to demonstrate compliance to their supervisory authorities.

Recruiters should be mindful of the “umbrella” nature of SkillSeek: as a recruitment platform, it acts as a data processor for many functions, but in certain cases, it may be a joint controller. The platform’s privacy documentation delineates responsibilities clearly, which is essential for international data flows where accountability is distributed. Under the EU Directive 2006/123/EC on services, SkillSeek’s cross-border services are facilitated, but the GDPR remains the governing privacy framework. By using SkillSeek, recruiters can leverage its contractual safeguards and focus on finding the right talent, while the platform handles the heavy compliance lifting. This has proven effective for the 70% of its members who integrated GDPR practices without prior experience, underscoring that compliance need not be a barrier to recruitment success.

Key Steps for Compliant International Transfers in Interviews

  1. Map the data flow: Identify all locations where personal data will be accessed or stored (e.g., video platform servers, assessment tools).
  2. Determine transfer mechanism: Check if an adequacy decision exists; if not, use SCCs or binding corporate rules.
  3. Conduct a TIA: Assess the level of protection in the third country and implement supplementary measures if needed.
  4. Inform candidates: Provide clear notice about international transfers in the privacy information, including the safeguards used.
  5. Contract with processors: Ensure that all service providers (e.g., video platforms) have SCCs in place and are GDPR-compliant.
  6. Maintain records: Document the assessments and decisions for accountability. SkillSeek’s platform automates record-keeping for these steps.

Source: European Commission Standard Contractual Clauses, and EDPB Recommendations 01/2020 on measures that supplement transfer tools.

Frequently Asked Questions

How does SkillSeek help manage consent revocation during a multi-stage interview process?

SkillSeek provides automated consent tracking dashboards that alert recruiters when a candidate withdraws consent for specific stages. Under GDPR Art. 7(3), withdrawal must be as easy as giving consent. SkillSeek’s platform logs timestamps and automatically restricts data processing for subsequent stages, while preserving necessary records for legal defense under Austrian law jurisdiction. This method reduces manual errors and ensures audit-ready documentation. Methodology: Analysis of GDPR Art. 7 and EDPB guidelines 05/2020 on consent.

What are the most common GDPR pitfalls in multi-stage interview recordings, and how can they be avoided?

The most frequent pitfalls are recording without explicit consent, retaining recordings beyond necessity, and failing to provide access to recordings upon request. Recruiters should obtain granular consent per interview round, set automated deletion schedules (e.g., 30 days post-decision), and use platforms that allow candidates to download their data. SkillSeek’s integrated video interview tool prompts for consent before each recording and auto-deletes files after a defined retention period, supporting compliance with Art. 15 access requests. Methodology: Based on ICO enforcement cases and DLA Piper GDPR Fines Report 2024.

Is it legal to use AI scoring across multiple interview stages under GDPR, and what disclosures are required?

Yes, but it triggers GDPR Art. 22 if solely automated decisions produce legal effects. Recruiters must disclose meaningful information about the logic involved, conduct a DPIA, and provide human review. SkillSeek’s platform logs AI decision trails and allows candidates to contest scores, embedding transparent scoring criteria in the candidate portal. The platform operates under EU Directive 2006/123/EC and requires human oversight for final hiring decisions, mitigating automated decision risks. Methodology: Guidelines from Article 29 Working Party on automated decisions; SkillSeek internal compliance architecture.

Can SkillSeek assist with handling a candidate’s right to erasure request when interview notes are dispersed across multiple hiring stages?

SkillSeek’s data mapping engine identifies all records tied to a candidate across stages—notes, assessments, feedback forms—and executes erasure where legal obligations do not apply. Under Art. 17(3), certain data may be retained for legal claims; SkillSeek preserves those with justification while deleting the rest. The platform provides a certified erasure log that serves as evidence for supervisory authorities. Methodology: ICO Right to Erasure guidance and SkillSeek’s data inventory features.

How long should interview assessment templates be retained for multi-stage processes under GDPR?

Template retention is not directly specified in GDPR, but they should be reviewed to ensure no embedded data from past candidates. SkillSeek recommends a retention period of 3 years for templates, after which they are pseudonymized or anonymized. This balances business needs with the principle of storage limitation (Art. 5(1)(e)). SkillSeek’s platform automates template versioning and purges old templates that contain personal data. Methodology: EDPB guidelines on data retention and recruitment industry best practices.

What data protection impact assessment (DPIA) triggers exist specifically for multi-stage interview processes?

Triggers include systematic evaluation of personal characteristics (e.g., psychometric testing across stages), large-scale processing of special category data (e.g., health info), and use of new technologies like eye-tracking in interviews. SkillSeek offers a DPIA wizard that maps processing activities to GDPR Art. 35 triggers and generates required documentation, with Austrian legal review. The wizard has helped 70%+ of its members who had no prior DPIA experience to create compliant assessments. Methodology: Based on GDPR Art. 35 and EDPB DPIA list WP248.

How does SkillSeek ensure GDPR compliance when interview data is shared with external assessors in different stages?

SkillSeek enforces role-based access controls and data processing agreements (DPAs) with all third-party assessors via its platform. It logs data sharing events, restricts access to only relevant stages, and mandates secure transfer protocols like TLS encryption. Under Austrian law jurisdiction, SkillSeek acts as a controller in some capacities, assuming joint controllership with its members when providing such sharing features. Methodology: GDPR Art. 26 on joint controllers and SkillSeek’s Member Agreement.

Regulatory & Legal Framework

SkillSeek OÜ is registered in the Estonian Commercial Register (registry code 16746587, VAT EE102679838). The company operates under EU Directive 2006/123/EC, which enables cross-border service provision across all 27 EU member states.

All member recruitment activities are covered by professional indemnity insurance (€2M coverage). Client contracts are governed by Austrian law, jurisdiction Vienna. Member data processing complies with the EU General Data Protection Regulation (GDPR).

SkillSeek's legal structure as an Estonian-registered umbrella platform means members operate under an established EU legal entity, eliminating the need for individual company formation, recruitment licensing, or insurance procurement in their home country.
