GDPR and candidate data retention


Under the General Data Protection Regulation (GDPR), organizations should not retain candidate data indefinitely.

As the data controller of your Workable account, the responsibility of deleting candidate data rests with your organization. Deleting candidate data is a simple process within Workable.

As part of the right to erasure, candidates can elect to delete their own data via a link in their application confirmation email. This option must be enabled in your Compliance settings.

You can also delete candidate data yourself at any time, individually or in bulk. You might do this if a candidate has requested deletion, if you never plan to contact the candidate again or if you’ve held the candidate’s data for a long period without any further follow-up or review.

Automated data retention management

As part of a Workable Annual plan, you can automate the deletion of candidate data. You must be a Super Admin to set up or change these options.

Click your user icon in the upper right of Workable and select Compliance.

In the GDPR section locate the Data retention menu.


This feature has two sections.

First, you’ll be able to set the length of time your organization would like to store candidate profiles. The clock for this starts ticking the day the candidate profile was created in Workable. If you set your timeframe for 24 months, for example, then candidate profiles in active jobs, archived jobs and the Talent Pool will be automatically deleted 24 months after they were created in Workable.

Next, you’ll be able to exclude active profiles from automatic deletion. This means that candidates in active jobs and your Talent Pool will not be deleted automatically if there has been any recent activity—like comments, emails or evaluations. You can set the period of time for exclusion. For example, changing the setting to 6 months means that if there has been any activity on a candidate profile in the last 6 months, it will not be deleted. Candidates in archived jobs will be deleted based on their creation date, even if they have been updated recently.

Snoozed candidates will not be deleted automatically, no matter how long they’ve been in your account. When a snoozed candidate wakes up, this automatically counts as an update to their profile. In this example, a candidate who is unsnoozed would then only be deleted after 6 months if there are no other updates to their profile.


You can also choose to have candidates automatically deleted after 30 days if they have not received a link to your Privacy Notice or been contacted in any way. If you source (upload) a candidate into your account, then under the GDPR you must contact candidates ‘within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed.’ If you’ve uploaded a candidate and have not contacted them, they will be deleted after 30 days. If you do contact them, you should inform them of your Privacy Notice and their right to erasure.

After contacting a sourced candidate, the automation filters for the first switch will apply to that candidate.

Important: When you first enable a data retention option, candidates may be deleted from your account right away (in the example above, candidates whose profiles are older than 24 months would be deleted). This will only occur when you click Save changes at the bottom of the GDPR section.

An alert will let you know how many archived and active candidates are about to be deleted.

Click Save changes to confirm the details and initiate the automation.

When a candidate meets the qualification for deletion they will be deleted from your Workable account. Their candidate profile, as well as their Timeline, will be removed and will not be recoverable. You will not be notified when this occurs.
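Because deletion is immediate and unrecoverable once the settings are saved, it helps to dry-run the rules against an export first. The following is an added example, not Workable's code: it models the rules as this page states them (including the no-email rule given at the end of the page), and the `Candidate` record, the function names, the sample data and the exact boundary-day comparisons are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Candidate:  # hypothetical record, not Workable's data model
    name: str
    created: date
    last_activity: date
    location: str            # "active", "talent_pool" or "archived"
    snoozed: bool = False
    sourced: bool = False
    contacted: bool = True   # got the Privacy Notice link or any contact
    email: Optional[str] = "c@example.test"

def months_before(day, months):
    """Calendar date `months` earlier, clamped to that month's last day."""
    year, m0 = divmod(day.year * 12 + day.month - 1 - months, 12)
    return date(year, m0 + 1, min(day.day, calendar.monthrange(year, m0 + 1)[1]))

def deletion_reason(c, today, retention_months=24, exclusion_months=6, purge_uncontacted=True):
    """Why the rules described above would delete `c` on `today`; None keeps it."""
    if c.snoozed:
        return None  # snoozed candidates are never deleted automatically
    uncontacted = (c.sourced and not c.contacted) or c.email is None
    if purge_uncontacted and uncontacted and c.created <= today - timedelta(days=30):
        return "non-contacted sourced candidate, 30 days"
    if c.created > months_before(today, retention_months):
        return None  # still inside the retention period
    if exclusion_months is not None and c.location != "archived":
        if c.last_activity > months_before(today, exclusion_months):
            return None  # recent activity in an active job or the Talent Pool
    return f"created over {retention_months} months ago"

TODAY = date(2024, 6, 1)  # constructed evaluation date
SAMPLE = [                # constructed candidates
    Candidate("old-archived", date(2021, 1, 10), date(2024, 5, 20), "archived"),
    Candidate("old-active-recent", date(2021, 1, 10), date(2024, 5, 20), "active"),
    Candidate("old-pool-stale", date(2021, 1, 10), date(2023, 2, 1), "talent_pool"),
    Candidate("old-snoozed", date(2020, 3, 1), date(2020, 3, 1), "active", snoozed=True),
    Candidate("sourced-silent", date(2024, 4, 1), date(2024, 4, 1), "active", sourced=True, contacted=False),
    Candidate("no-email", date(2024, 3, 1), date(2024, 3, 1), "talent_pool", email=None),
]

def preview(candidates, today=TODAY, **settings):
    """Map each candidate that would be deleted to the rule that triggers it."""
    return {c.name: why for c in candidates
            if (why := deletion_reason(c, today, **settings))}
```

Passing `exclusion_months=None` models the second option being switched off, and `purge_uncontacted=False` models the 30-day option being switched off.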

Update remaining candidates

Enabling the switch for automated data retention management will provide an option to email any remaining candidates with your Privacy Notice and a link that would enable them to delete their own data.

We recommend that you choose this option, and email the remaining candidates. This will ensure that the candidates, who applied before your GDPR Privacy Policy was set up in Workable, receive a link to view it. You’ll have a clean slate and will not need any further planning or communication around notifying your existing candidates about GDPR.


If you choose to ignore the candidates you should follow up at a later date with more details.

Sourced candidates who have been in your account for more than 30 days can be emailed before deletion. If you choose this option they will all be classified as ‘contacted’ and thus will not be deleted as ‘non-contacted sourced candidates’ after 30 days.

Non-contacted sourced candidates whose profiles are less than 30 days old will not be contacted at this time. When you first reach out to them, an email footer containing a link to your Privacy Notice will be included.

If there are candidates in your account without email addresses it will not be possible to share the Privacy Notice with them. These candidates will be treated as non-contacted Sourced candidates and will be deleted after 30 days.