Loading...
Compliance

Candidate Privacy Notice for Job Applicants (GDPR and CCPA)

This Candidate Privacy Notice explains what applicant data {company_name} collects, why it is used in recruiting, how long it is kept, and how candidates can exercise GDPR and CCPA rights.

Get Started

Trusted by frontline teams 15 years of frontline software AI customization in seconds

Built for: Technology · Healthcare · Financial Services · Retail · Professional Services

Overview

This Candidate Privacy Notice for Job Applicants (GDPR and CCPA) template gives you a candidate-facing disclosure for the personal data collected during recruiting. It is built for the application journey: what data you collect, where it comes from, why you use it, who you share it with, how long you keep it, and what rights candidates can exercise. The template is a good fit for employers that hire through an ATS, careers site, recruiter outreach, referrals, or interview workflows and need a clear privacy notice tied to those activities.

Use it when you want a reusable notice that can be linked from job postings, application forms, recruiter messages, and talent community sign-up pages. It is especially useful if you hire in jurisdictions where applicant privacy disclosures matter, including GDPR and California privacy regimes. It also helps standardize how HR, legal, and recruiting describe background checks, assessments, retention, and vendor sharing.

Do not use it as a substitute for your general website privacy policy or as a catch-all for employee privacy after hire. It is also not enough on its own if your recruiting process includes special categories of data, automated decision-making, international transfers, or sector-specific rules that require extra disclosures. In those cases, this template should be the applicant-specific layer that sits alongside your broader privacy documentation.

Standards & compliance context

  • GDPR transparency principles require applicants to understand what data is collected, why it is processed, and how long it is retained.
  • CCPA/CPRA candidate notices should describe categories of personal information, purposes, and the rights process available to California applicants.
  • If your recruiting process uses background checks, assessments, or automated screening, the notice should be aligned with the disclosures those tools require.
  • Retention language should reflect legal and operational recordkeeping needs, not an open-ended promise to delete everything immediately.
  • If you collect special categories of data or handle cross-border transfers, add the extra disclosures your legal team requires.

General regulatory context for orientation only — verify current requirements with counsel or the relevant agency before relying on this template for compliance.

How to use this template

  1. 1. Replace the placeholders for {company_name}, legal entity details, contact information, and the recruiting channels covered by the notice.
  2. 2. List the actual categories of applicant data you collect, including resume data, interview notes, assessment results, and any background-screening information you use.
  3. 3. Add the purposes for processing, the vendors or service providers involved, the retention period, and the candidate rights process that your team can actually support.
  4. 4. Publish the notice in the application flow and link it from the careers page, recruiter outreach, referral forms, and any talent community sign-up pages.
  5. 5. Review the notice with legal, privacy, HR, and recruiting before launch, then update it whenever your hiring tools, retention rules, or jurisdictions change.

Best practices

  • Keep the notice specific to recruiting data, and do not bury applicant disclosures inside a general website privacy policy.
  • Name the actual categories of data you collect, such as contact details, work history, interview feedback, and assessment results.
  • State retention periods in plain language and explain when applicant records are deleted or archived.
  • Describe candidate rights in a way your team can operationalize, including how requests are submitted and who responds.
  • Match the notice to your real recruiting workflow, including referrals, sourcing, agency submissions, and internal transfers if applicable.
  • Call out third-party processors used in hiring, such as ATS, scheduling, assessment, and background-screening vendors.
  • Separate required disclosures from optional talent community or marketing consent so candidates can make a clear choice.
  • Review the notice whenever you expand hiring into a new state or country with different privacy requirements.

What this template typically catches

Issues teams running this template most often surface in practice:

Applicants do not know whether their resume, interview notes, and assessment results are retained after the hiring decision.
The notice omits recruiter-sourced candidates, referrals, or agency submissions even though those channels collect personal data.
Retention periods are vague, which makes it hard for candidates to understand how long their information stays in the system.
The template fails to mention ATS, scheduling, assessment, or background-screening vendors that process applicant data.
Rights requests are described in theory but not tied to a real contact point or internal workflow.
The notice is too broad and reads like a website privacy policy instead of a recruiting disclosure.
Optional talent community sign-ups are mixed with job applications, creating confusion about consent and marketing use.

Common use cases

SaaS company hiring through an ATS
A software company posts roles on its careers page and routes all applications through an ATS. This template gives candidates a clear notice about resume data, interview notes, assessments, and retention before they submit an application.
Healthcare employer recruiting across multiple states
A healthcare organization hires clinical and non-clinical staff in states with different privacy expectations. The notice helps standardize applicant disclosures while leaving room for state-specific addenda and role-based screening details.
Financial services firm using background checks
A regulated employer needs to explain applicant data sharing with background-screening vendors and the handling of sensitive hiring records. This template supports those disclosures without turning the careers page into a legal memo.
Retail chain collecting referrals and campus applicants
A retail employer receives candidates from employee referrals, campus events, and direct applications. The notice helps keep those channels consistent so applicants understand how their information enters the hiring process.

Frequently asked questions

Who should use this candidate privacy notice template?

Use it if your company collects personal data from job applicants through an ATS, careers site, recruiter outreach, referrals, or interview notes. It is especially useful for employers that hire in jurisdictions with GDPR or CCPA/CPRA obligations. The template is written for recruiting privacy disclosures, not general website privacy policies. It can be adapted for direct hires, contractors, interns, and agency-sourced candidates.

Does this notice cover both GDPR and CCPA requirements?

Yes, the template is designed to support both GDPR-style transparency and California candidate privacy disclosures. It helps explain what categories of data are collected, the purposes for processing, retention, sharing, and candidate rights. You still need to tailor the notice to your actual recruiting tools, legal entities, and data flows. If your hiring process uses additional vendors or cross-border transfers, those details should be added.

When should candidates see this notice?

Candidates should see it before or at the point their personal data is collected, such as on the application page, in a recruiter email, or during an interview scheduling flow. The notice should be easy to find from the careers page and application form. If you collect data from referrals or sourcing platforms, include a link or reference there as well. The goal is to give notice before processing starts, not after the application is complete.

What kinds of data processing does this template describe?

It covers common recruiting processing such as application review, interview coordination, background screening coordination, candidate communications, and hiring decisions. It also addresses retention, sharing with service providers, and legal compliance uses. If you use automated screening, assessments, or talent pools, those should be described clearly. The notice should match what your recruiting team actually does, not a generic list of privacy activities.

How often should this notice be updated?

Review it whenever your recruiting process, vendors, retention periods, or legal entities change. A good practice is to review it at least annually and after any major ATS, HRIS, or background-check vendor change. If you expand into a new state or country with different privacy rules, update the notice before launching hiring there. The notice should stay aligned with your current data practices, not last year’s process.

Who should own and approve the notice?

Legal or privacy should own the wording, with HR and recruiting confirming that the notice reflects real hiring workflows. Talent acquisition can validate the candidate-facing language and placement on the careers site or application form. If your company has a DPO, privacy counsel, or outside employment counsel, they should review the final version. The notice works best when legal accuracy and recruiting operations are aligned.

What are common mistakes with candidate privacy notices?

Common mistakes include using a website privacy policy instead of a recruiting-specific notice, omitting retention periods, and failing to name the categories of data collected from applicants. Another frequent issue is promising rights or deletion options that the company cannot actually honor because of legal retention obligations. Teams also forget to mention third-party processors such as ATS, assessment, or background-screening vendors. The template helps avoid those gaps, but it still needs company-specific details.

Can this template be customized for different hiring channels or roles?

Yes, you can adapt it for direct applications, referrals, campus recruiting, agency submissions, and internal mobility candidates. If certain roles involve extra screening, travel, licensing, or regulated checks, you can add a short role-specific supplement. The core notice should stay consistent, while channel-specific disclosures can be linked from the relevant application flow. That keeps the candidate experience clear without creating conflicting notices.

How does this compare with a generic ad hoc privacy statement?

A generic statement often misses recruiting-specific details like applicant sources, interview notes, retention, and candidate rights handling. This template is structured around the actual lifecycle of a job application, which makes it easier for candidates to understand and for teams to maintain. It also reduces the risk of inconsistent disclosures across the careers page, application form, and recruiter communications. In practice, it is easier to operationalize than a one-off paragraph written from scratch.

Go deeper on the topic

Related concepts
  • AI governance is the framework a company uses to decide what AI tools are allowed to do, who's accountable for their outputs, what data they're allowed to...
  • Compliance is the practice of ensuring employee behavior meets regulatory, contractual, and internal-policy requirements — and of producing the evidence to...
  • Compliance training automation is the software-driven process for assigning, tracking, and evidencing required training (HIPAA, harassment prevention,...
  • HR case management is a structured system for handling employee questions, requests, and issues — with routing, SLAs, an audit trail, and a knowledge base...
Related guides

Ready to use this template?

Get started with MangoApps and use Candidate Privacy Notice for Job Applicants (GDPR and CCPA) with your team — pricing built for small business.

Get Started