
Recruiting data is sensitive in ways HR teams underestimate. CVs, video recordings, voice transcripts, assessment results, hire/no-hire decisions, performance reviews — all of it is PII, and much of it is special-category data under GDPR. Treat it accordingly.
Two baselines for any recruiting platform you adopt: [data subject rights, retention policies). Both should be available to you on demand without sales escalation.
Ask for the Skim the exceptions section — every report has some. Look for 'no exceptions' on access controls and data segregation specifically.
Ask for the DPA. Check the data residency clause matches your needs (EU customers should require EU storage; US customers can usually accept US East/West). Verify retention windows are configurable per requisition.
Ask about Article 22 explainability. The vendor should be able to surface, on demand, why any AI scoring decision was made — for any candidate who asks. This isn't optional under GDPR.

