Why Data Protection Matters in Job Applications
As an applicant, the GDPR grants you the right to access, delete and correct your application data — even after a rejection. With every application, you transfer a wealth of personal data: name, address, career history, qualifications, and sometimes even health data or gaps with private backgrounds. This data is subject to the GDPR — the General Data Protection Regulation of the EU.
This means: you have rights. And companies have obligations. Most applicants are unaware of these rights — and therefore never exercise them.
"Your application data belongs to you — even after you have sent it."
GDPR principle for application processesYour Rights as an Applicant at a Glance
Right of Access
You can request at any time what data a company has stored about you — even after a rejection.
Right to Erasure
After the process is completed or upon request, your data must be deleted — unless there is a legitimate interest.
Right to Rectification
Incorrectly stored data? You can demand its correction — at any time during and after the process.
Right to Object
You can object to the processing of your data for specific purposes — e.g. if your profile is to be used for other positions.
How Long May Applicant Data Be Stored?
This is the most frequently asked question — and the answer is not straightforward, as there is no uniform statutory deadline. Here is what applies:
Data may be processed
For the duration of the application process, processing is justified by the employer's legitimate interest.
Typically 4–6 months retention
To be able to respond to potential discrimination claims under German anti-discrimination law (AGG), data may be retained for approx. 4–6 months after rejection. After that: deletion.
Only with explicit consent
If a company wants to keep you on file for future positions, it needs your explicit, informed consent. Without it: not permitted.
Transfer to personnel file
If you are hired, application data is transferred to your personnel file. Different, longer retention periods then apply.
What Companies Are Not Allowed to Do
This data must not be collected
- Pregnancy — explicitly prohibited under AGG (German General Equal Treatment Act) and GDPR
- Religious affiliation — only permissible for faith-based employers
- Trade union membership — no questions, no processing
- Health status — only if directly relevant to the position (e.g. fitness to drive)
- Criminal record — only permissible in narrowly defined exceptions
What You Can Do in Practice
- Deletion request after rejection: You can informally request by email that your data be deleted after the process is concluded
- No automatic opt-in for talent pools: A checkbox for "use data for future positions" must be voluntary and informed
- Third-party tools: When you apply through portals (LinkedIn, Stepstone), their data protection rules also apply — take a moment to read the notices. Even with digital applications via email or portal, you should know what happens to your data
- Requesting return of application documents: You can ask for physically submitted documents to be returned. When sending documents digitally, also take care not to include unnecessary data
- Minimise data in your application: Only include what is relevant to the position. Our free ATS check shows you which information is actually needed
How we handle your data
All data you provide to us for your application documents is used exclusively for your order. We do not store any data beyond the completion of the order. Details can be found in our privacy policy.
You are not sending your data into a void — you have the right to know what happens to it. And the right to demand its deletion.
Your Application — Secure and Professional
We take care of your documents. Confidential, data protection compliant, GDPR-secure.
Choose a Package → Free ATS Check