Candidate applications and GDPR


In line with the GDPR principle of ‘data minimisation’, ensure that as a company you are requesting only what is ‘adequate, relevant and limited to what is necessary’ in your application forms, and that you have a full understanding of exactly why that data is required. Your organisation will need to take responsibility for your own GDPR compliance and make sure that your team is using Workable correctly.

Workable’s customisable application form requests only the essential information required for recruiting purposes. This can be used as a starting point.


Decide how long you need to keep candidate data on file. Document these decisions and communicate them to your hiring teams.

With the Workable Annual plan, you will be able to set up a Privacy Notice template that is automatically shared with applicants.

If you don’t have the Workable Annual plan, we suggest including a short paragraph at the end of every job description created via Workable with information pertaining to your Privacy Notice.

Ideally, your linked privacy notice will be related to recruitment only, instead of a more general company privacy policy. This will further increase transparency, enabling the candidate to quickly see relevant information which could be missed in a longer, more general policy.

Non-standard applications

If a candidate is referred, sends in a speculative resume, hands you a resume at a careers fair or applies via any route in which they haven’t had access to the details of how you will process their data, then you must inform them.

We suggest creating an email template which confirms receipt of their application, outlines how you will use the data and links to your Privacy Notice for recruitment.

Are you sourcing candidates? Find out more about candidate sourcing and GDPR compliance.

Applicant consent option

With the Workable Annual plan, you can add a checkbox item to application forms that will appear automatically for any job located in the EU, Norway, and Iceland, where residents are protected under the laws of the General Data Protection Regulation (GDPR), as well as to jobs based in Switzerland and Liechtenstein. Candidates must check the box to apply and will be shown a link to your Privacy Notice.


To enable this option, click your user icon in the upper right of Workable and navigate to Compliance. Flip the Applicant consent switch to ON.


Enabling this switch is not a requirement. As a recruiter, you have a legitimate interest in collecting data from candidates who want to work at your company. Candidates choose the information they submit and should understand that their data will be used for hiring purposes.

Additionally, candidates will automatically receive a link to your Privacy Notice on the application confirmation page that appears after they apply. They will also receive an application confirmation email that contains a link to your Privacy Notice.