GDPR and compliance: consent, retention, and deletion

Capture candidate consent and handle subject data requests (Access, Delete, Rectification, Erase, Stop processing).

What CVViZ provides

CVViZ ships consent capture and subject-data-request tracking aligned with GDPR principles. Whether the GDPR module is active in your workspace is controlled by theflag on your company settings.

Your DPO or legal team should still review your full compliance posture β€” CVViZ provides the building blocks; the policy decisions are yours.

Per-candidate Data Privacy tab

Open any candidate. When GDPR is active, the profile shows a Data Privacy tab. From here you can:

  • See the candidate's consent status.
  • Add, update, or withdraw consent on the candidate's behalf.
  • Log subject data requests.
  • Trigger Stop Processing or candidate deletion.

Each candidate's consent record can be in one of these states:

  • Pending β€” consent has been requested but not yet given.
  • Withdrawn β€” candidate has withdrawn previously-given consent.
  • Offered β€” consent has been given.
  • Not Offered β€” no consent has been requested.

Subject Data Request types

CVViZ tracks five categories of requests, matching common GDPR rights:

  • Access (A) β€” the candidate wants to see what data you hold on them.
  • Delete (D) β€” the candidate wants their data deleted.
  • Rectification (R) β€” the candidate wants a field corrected.
  • Erase (E) β€” the right-to-be-forgotten variant of deletion.
  • Stop Processing (S) β€” the candidate wants you to stop using their data without deleting it outright.

Each request has a status the team progresses (received β†’ in progress β†’ completed). Aggregated counts surface in the compliance dashboard so you can see how many of each are open or new.

Handling a deletion request

  1. Open the candidate's Data Privacy tab.
  2. Log the request with the appropriate type (Delete or Erase).
  3. Use Delete Candidate when you're ready to remove the record. The action is destructive β€” once executed, the candidate's data is permanently removed.

Handling Stop Processing

The Stop Processing action halts further activity on the candidate without deleting their data. Useful when a candidate asks you to stop reaching out but doesn't ask for full deletion.

Right of access (data export)

For Access requests, log the request on the Data Privacy tab and use the available export options to package the candidate's data for delivery within your jurisdiction's response window.

Aggregate reporting

Compliance settings include counts of:

  • Access requests: total, new.
  • Delete requests: total, new.
  • Rectification requests: total, new.
  • Erase requests: total, new.
  • Stop Processing requests: total, new.
  • Consent: pending, withdrawn, offered, not offered.

Useful for periodic compliance reviews.

Best practices

  • Train recruiters on the difference between Stop Processing and full Deletion.
  • Respond to Access requests within your jurisdiction's deadline (30 days under GDPR).
  • Review the consent and request counts monthly to catch backlogs early.
  • Don't store sensitive notes in free-text fields. Treat the candidate timeline as if it might be exported in an Access request.