What Is Data Retention and Deletion?
Data Retention and Deletion is a term used in the recruitment and staffing industry.
TL;DR
Data retention and deletion policies define how long personal data is kept and what happens to it at the end of that period. Under GDPR's storage limitation principle (Article 5(1)(e)), keeping personal data longer than necessary is a violation - not a theoretical risk, but a specific legal obligation with a defined penalty framework.
What Data Retention and Deletion Means in Practice
Retention is not a default state - it requires justification. GDPR Article 5(1)(e) requires personal data to be kept "no longer than is necessary for the purposes for which the personal data are processed." This means for every category of data in your recruitment system, you need a documented purpose, a retention period tied to that purpose, and a process that actually deletes or anonymizes the data when the period expires.
In a staffing agency context, different data categories have different retention triggers and periods. An unsuccessful job applicant's CV: the standard in the UK (where the ICO has published guidance) is 6 months after the recruitment process concludes, unless the candidate consented to a longer period for future opportunities. A placed contractor's payroll records: HMRC requires 3 years from the end of the tax year for PAYE records, 6 years for other employment records. A client contact's business card details: legitimate interest may justify retention for the duration of the business relationship plus a reasonable period after.
Anonymization is not the same as pseudonymization, and only anonymization satisfies the retention obligation. Pseudonymized data (where identifying fields are replaced with a reference key that allows re-identification) is still personal data under GDPR. True anonymization - where re-identification is not reasonably possible - takes data outside GDPR's scope entirely. Most "anonymization" implemented in ATS platforms is actually pseudonymization, which means the GDPR obligations continue.
Automated deletion is the only practical implementation at scale. Manual deletion processes rely on staff remembering to act, which fails consistently. A retention schedule must be implemented as automated system jobs that run on a defined schedule and delete or anonymize records that have passed their retention date. The process must log what was deleted and when, both to demonstrate compliance and to investigate edge cases.
Why Data Retention and Deletion Matter for Recruitment Teams
The UK ICO fined Clearview AI £7.5 million in 2022 partly for failing to have a data retention policy. The Swedish DPA fined a company for retaining employee data after the employment relationship ended without justification. These are not edge cases - storage limitation is one of the most actively enforced GDPR principles because violations are easy to identify through subject access requests and audits.
For staffing agencies, over-retention creates compounding liability. Every day you hold a CV beyond the justified retention period, you are processing that data without a lawful basis. If that data is then subject to a breach, the breach covers data you should not have had. The regulatory response will address both the breach and the underlying retention failure as separate violations.
Right to erasure requests (GDPR Article 17) interact directly with retention. If a candidate exercises their right to erasure, you must delete their data unless you have a competing legal obligation to retain it (such as HMRC payroll records). A documented retention schedule makes responding to erasure requests faster and more defensible, because you can show the legal basis for any retention you maintain over the candidate's objection.
Data Retention and Deletion in Action
A staffing agency has 200,000 candidate records in its ATS, many from applicants who were never placed and have had no contact with the agency in three or more years. The agency implements a retention audit: all records are tagged with data category, the most recent activity date, and the applicable retention period. Records past their retention date are automatically flagged. The agency runs a consent refresh campaign for candidates who are within the retention window but whose consent predates the current policy. After 90 days, the automated deletion job removes 47,000 records that have passed their retention date and have not re-engaged. The agency documents the deletion in its processing records, satisfying GDPR Article 30.
Compliance Checklist
| Data Category | Typical Retention Period | Trigger | Basis |
|---|---|---|---|
| Unsuccessful applicant CV | 6 months | End of recruitment process | ICO guidance, legitimate interest |
| Placed candidate payroll records | 6 years | End of employment | HMRC statutory requirement |
| Right-to-work documents | 2 years after employment ends | End of employment | Immigration Rules |
| Interview notes | 6 months | End of recruitment process | Legitimate interest |
| Client contact details | Duration of relationship + 1 year | Last contact | Legitimate interest |
| [Background check](/glossary/background-check) results | Duration of engagement only | End of engagement | Contractual necessity |
| Access logs / audit logs | 12 months minimum | Log creation date | Security, Art. 30 |
| Consented future opportunities | 2 years or until withdrawn | Consent date | Consent |
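
The automated deletion job and the interaction between erasure requests and statutory retention described above, as an added Python example (not code from this page or from any ATS product). The retention periods come from the checklist; the category keys, the record fields, and the choice to treat only payroll records as a statutory hold are assumptions made for illustration.

```python
import calendar
from datetime import date

# category -> (retention in months, statutory duty overrides erasure requests).
# Periods follow the checklist on this page; the keys themselves are hypothetical.
SCHEDULE = {
    "unsuccessful_applicant_cv": (6, False),
    "consented_future_opportunities": (24, False),
    "placed_payroll_records": (72, True),
}

def add_months(d, months):
    """Calendar-month addition, clamping to the last day of short months."""
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    return d.replace(year=y, month=m + 1,
                     day=min(d.day, calendar.monthrange(y, m + 1)[1]))

def run_retention_job(records, today):
    """Return (records kept, audit log). The log carries ids, never the data."""
    kept, log = [], []
    for rec in records:
        months, statutory = SCHEDULE[rec["category"]]  # unknown category: fail loudly
        expiry = add_months(rec["trigger"], months)
        if today >= expiry:
            action, reason = "deleted", "retention period expired"
        elif rec.get("erasure_requested") and not statutory:
            action, reason = "deleted", "erasure request"
        elif rec.get("erasure_requested"):
            action, reason = "retained", "statutory retention overrides erasure"
        else:
            action, reason = "retained", "within retention period"
        if action == "retained":
            kept.append(rec)
        log.append({"record_id": rec["id"], "category": rec["category"],
                    "action": action, "reason": reason,
                    "expiry": expiry.isoformat(), "run_date": today.isoformat()})
    return kept, log

SAMPLE = [  # constructed records, not real data
    {"id": "c-001", "category": "unsuccessful_applicant_cv", "trigger": date(2023, 8, 31)},
    {"id": "c-002", "category": "unsuccessful_applicant_cv", "trigger": date(2024, 1, 15)},
    {"id": "c-003", "category": "consented_future_opportunities",
     "trigger": date(2023, 6, 1), "erasure_requested": True},
    {"id": "c-004", "category": "placed_payroll_records",
     "trigger": date(2022, 4, 5), "erasure_requested": True},
]

if __name__ == "__main__":
    kept, log = run_retention_job(SAMPLE, today=date(2024, 3, 1))
    print(*log, sep="\n")
```

Each audit entry records the reason a record was kept over an erasure request, which is the evidence an Article 17 response needs, while the log itself holds no candidate data that would need its own deletion pass.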