StormInterView
GDPR & Compliance

GDPR Compliance for Video Interviews: The Complete 2026 Guide

8 min readFebruary 25, 2026

This is what StormInterview does. Async video interviews, AI cheating detection, structured scoring. One link to a candidate, done.

Free for 14 days. No card.

Try it

What's actually at stake

GDPR has been in force since 2018. Total fines across the EU passed the EUR 5.65 billion mark in early 2025, and "Employment" sits among the sectors with the highest average fines (CMS GDPR Enforcement Tracker, 2025). Video interviews record voice, face, and whatever happens to be in a candidate's room. That is exactly the kind of processing regulators look at hard.

The ceiling for a single infringement is EUR 20 million or 4% of global turnover, whichever is higher. The Dutch DPA recently issued a EUR 290 million fine against a US company for transferring driver data to the US without adequate safeguards. Similar transfer logic applies to candidate video.

Pick a lawful basis before you record

Article 6 gives you six lawful bases. For async video interviewing, two are realistic:

  • Legitimate interest (Article 6(1)(f)). The employer's interest in assessing candidates, balanced against candidate rights. This is what most recruiters end up relying on for video.
  • Consent (Article 6(1)(a)). Must be freely given, specific, informed, unambiguous. The EDPB has repeatedly warned that consent in employment contexts is rarely truly free, given the power imbalance.

In practice: document legitimate interest with a balancing test, give candidates a clear privacy notice, and treat consent as a backup only where it genuinely applies (for example, retaining a recording for future roles).

A practical seven-step checklist

  1. Run a DPIA under Article 35 before you go live. Document necessity, proportionality, and safeguards. Save it. You will be asked.
  2. Show the privacy notice before the record button. What you collect, why, how long you keep it, and how to exercise rights.
  3. Collect less. Don't record metadata you don't need. Don't ask candidates to record in front of bookshelves you'll later judge them on.
  4. Set a retention period and automate the delete. 6 to 12 months post-decision is a defensible default, depending on member state guidance.
  5. Encrypt. AES-256 at rest, TLS 1.3 in transit. HSTS on the candidate-facing domain.
  6. Make rights workable. SARs, erasure, portability. If your vendor can't export a candidate's full record in a reasonable format, you have a problem.
  7. Vet the vendor. Article 28 DPA, sub-processor list, EU/EEA storage. If data leaves the EEA, you need SCCs plus a transfer impact assessment.

What gets organisations fined

  • Recording candidates without telling them clearly
  • Keeping recordings forever "in case we ever want to look again"
  • Sending data outside the EEA without proper transfer mechanisms
  • Running AI scoring on candidates with no DPIA and no transparency notice

How StormInterview handles this

StormInterview stores data on EU servers, encrypts at AES-256 and TLS 1.3, and ships automatic retention policies. Candidates see a privacy notice before recording. SAR exports are two clicks from the admin dashboard.

From EUR 79/month, the compliance tools are in every plan, not an add-on.

Start a free trial.

Read enough. See it in action.

Create an interview in 5 minutes. 14 days free. We don't ask for a card.

Start free

Cancel anytime.

Related articles

GDPR & Compliance

EU AI Act for Recruiters: Seven Questions to Ask Your Tools Before August 2026

August 2026 is three months away. If your interview platform uses AI scoring, transcription, or automated screening, these seven questions tell you whether your vendor is ready.

7 min read
GDPR & Compliance

Video Interview Security: Encryption, Storage, and Infrastructure Best Practices

Video interview recordings contain some of the most sensitive candidate data. A single breach can trigger GDPR fines up to €20 million. Here is how to secure your video interview infrastructure.

8 min read
GDPR & Compliance

How to Handle Candidate Data Requests Under GDPR: A Step-by-Step SAR Guide

Under GDPR Article 15, every candidate can request a copy of all personal data you hold about them. With SAR complaints rising 36% year-over-year, here is how to handle them properly.

7 min read