The Cost of Keeping Data Too Long
Every candidate video recording is personal data under GDPR. Keeping it longer than necessary violates the storage limitation principle (Article 5(1)(e)) and exposes your organisation to regulatory action. With 162 employment-related GDPR fines totalling €355 million already imposed across Europe (CMS Enforcement Tracker, 2025), data retention is a boardroom-level concern.
What the Law Actually Requires
GDPR does not prescribe a specific retention period for recruitment data. Instead, it requires that data be kept “no longer than is necessary for the purposes for which the personal data are processed.” In practice, this means:
- Active hiring process: Keep recordings until the role is filled and the offer accepted.
- Post-decision buffer: Many legal advisors recommend 6 to 12 months to defend against potential discrimination claims.
- Talent pool (with consent): If a candidate consents to being considered for future roles, recordings may be retained for up to 12 months, but this requires a separate, explicit consent.
Country-Specific Guidance
Several EU member states have issued specific guidance:
- France (CNIL): Recommends a maximum of 2 years for candidate data if consent is obtained for future opportunities.
- Germany: Federal Labour Court case law suggests 6 months post-rejection for discrimination claim defence under the AGG.
- Netherlands (AP): Recommends deletion within 4 weeks after rejection unless consent is given for longer retention.
- UK (ICO): Recommends documenting a clear retention schedule and not exceeding what is necessary.
Building a Retention Policy: Step by Step
- Define retention periods per data category. Video recordings, text responses, evaluation notes, and candidate profiles may warrant different periods.
- Automate deletion. Manual processes fail. Use platform features that automatically purge data after the defined window.
- Log all deletions. Maintain an audit trail showing when data was deleted and under which policy.
- Communicate to candidates. Your privacy notice must state the retention period or the criteria used to determine it.
- Review annually. Regulations and case law evolve. Schedule an annual review of your retention schedule.
Common Pitfalls
Organisations frequently make these mistakes:
- Storing recordings “just in case” with no defined retention period
- Relying on manual deletion processes that are never executed
- Not distinguishing between different data categories
- Failing to obtain separate consent for talent pool retention
How StormInterview Automates Retention
StormInterview lets you set granular retention policies per interview campaign. When the retention window expires, recordings and associated data are automatically and irreversibly deleted. A full audit log is maintained for compliance documentation. All storage is EU-based and encrypted with AES-256.
At €79/month, automated retention is included in every plan, not locked behind an enterprise tier.