What compliance changes for recruiting software
An ATS or recruiting platform handles resumes, internal notes, hiring decisions, and supporting documents. The question is not only whether you have a lawful basis. You also need to show proportionate security measures.
What the CNIL expects in practice
Coherent access rules
Recruiters, managers, HR teams, and contractors do not need the same level of access.
Controlled retention
Keeping candidate data too long or leaving it accessible without a clear purpose quickly becomes both a legal and operational weakness.
Proportionate security
The GDPR does not ask for abstract promises. It asks for measures adapted to the risk: access control, useful logging, document protection, and regular checks.
Why recruiting tools are exposed
Recruiting tools are exposed because they centralize human data, circulate across several teams, and often integrate with other systems such as SSO, email, sourcing tools, and document storage. Each of those integrations is another path through which candidate data can be read or exported.
Our view
In 2026, the strongest recruiting vendors are not the ones that simply say "we are compliant". They are the ones that can demonstrate that candidate data flows, access rules, and visible exposure paths have already been reviewed seriously.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.