What's actually at stake
GDPR has been in force since 2018. Total fines across the EU passed the EUR 5.65 billion mark in early 2025, and "Employment" sits among the sectors with the highest average fines (CMS GDPR Enforcement Tracker, 2025). Video interviews record voice, face, and whatever happens to be in a candidate's room. That is exactly the kind of processing regulators look at hard.
The ceiling for a single infringement is EUR 20 million or 4% of global turnover, whichever is higher. The Dutch DPA recently issued a EUR 290 million fine against a US company for transferring driver data to the US without adequate safeguards. Similar transfer logic applies to candidate video.
Pick a lawful basis before you record
Article 6 gives you six lawful bases. For async video interviewing, two are realistic:
- Legitimate interest (Article 6(1)(f)). The employer's interest in assessing candidates, balanced against candidate rights. This is what most recruiters end up relying on for video.
- Consent (Article 6(1)(a)). Must be freely given, specific, informed, unambiguous. The EDPB has repeatedly warned that consent in employment contexts is rarely truly free, given the power imbalance.
In practice: document legitimate interest with a balancing test, give candidates a clear privacy notice, and treat consent as a backup only where it genuinely applies (for example, retaining a recording for future roles).
A practical seven-step checklist
- Run a DPIA under Article 35 before you go live. Document necessity, proportionality, and safeguards. Save it. You will be asked.
- Show the privacy notice before the record button. What you collect, why, how long you keep it, and how to exercise rights.
- Collect less. Don't record metadata you don't need. Don't ask candidates to record in front of bookshelves you'll later judge them on.
- Set a retention period and automate the delete. 6 to 12 months post-decision is a defensible default, depending on member state guidance.
- Encrypt. AES-256 at rest, TLS 1.3 in transit. HSTS on the candidate-facing domain.
- Make rights workable. SARs, erasure, portability. If your vendor can't export a candidate's full record in a reasonable format, you have a problem.
- Vet the vendor. Article 28 DPA, sub-processor list, EU/EEA storage. If data leaves the EEA, you need SCCs plus a transfer impact assessment.
What gets organisations fined
- Recording candidates without telling them clearly
- Keeping recordings forever "in case we ever want to look again"
- Sending data outside the EEA without proper transfer mechanisms
- Running AI scoring on candidates with no DPIA and no transparency notice
How StormInterview handles this
StormInterview stores data on EU servers, encrypts at AES-256 and TLS 1.3, and ships automatic retention policies. Candidates see a privacy notice before recording. SAR exports are two clicks from the admin dashboard.
From EUR 79/month, the compliance tools are in every plan, not an add-on.