GDPR in Recruiting Messaging: Applicant Data, Opt-In and Equal Treatment Compliance

WhatsApp in recruiting? Only with a clean legal basis. This guide explains GDPR requirements for messaging in the application process: consent vs. legitimate interest, the 6-month deletion rule, equal treatment compliance, and DPA requirements.

TL;DR

WhatsApp in recruiting? Only with a clean legal basis. This guide explains the GDPR requirements for messaging in the application process: consent vs. legitimate interest, the 6-month deletion rule, equal treatment compliance, and the data processing agreement with your messaging provider. Back to the overview: Recruiting Messaging Guide 2026.

Legal bases: consent, legitimate interest, pre-contractual measures

Every processing of personal data in recruiting messaging requires a legal basis under GDPR Art. 6. Three bases are relevant in practice:

1. Consent (Art. 6(1)(a) GDPR)

The most robust legal basis for recruiting messaging — but also the most demanding. Consent must be: freely given, specific, informed, and unambiguous. It must be documented and revocable at any time. A pre-ticked box or a buried clause in the privacy policy does not constitute valid consent. Best practice: double opt-in with a clear statement of what the candidate is consenting to ("I agree to be contacted about future job opportunities at Company X via WhatsApp") and a timestamped, auditable record.

2. Legitimate interest (Art. 6(1)(f) GDPR)

Can be used for communication that is directly related to the application process without needing explicit consent for each message. Examples where legitimate interest applies: interview reminders (when the candidate has provided their mobile number and a reminder relates directly to a scheduled appointment), status updates during an active process, and follow-up messages within a reasonable timeframe. Legitimate interest requires a balancing test: your interest in communicating must not override the candidate's interest in not being contacted. Document this balancing test.

3. Pre-contractual measures (Art. 6(1)(b) GDPR)

Applies to communication that is necessary to take steps at the candidate's request prior to entering a contract — essentially, the core application process itself. Requesting documents, conducting assessments, and scheduling interviews fall under this basis. Marketing messages and talent pool notifications do not.

Practical rule: use legitimate interest for process communication during an active application, consent for talent pool and re-engagement campaigns, and pre-contractual measures for the core administrative aspects of the process.

Opt-in design: what makes consent valid

A GDPR-valid opt-in for WhatsApp recruiting communication must meet these criteria:

  • Separate tick box: Not bundled with acceptance of privacy policy or terms of service. WhatsApp consent must stand alone.
  • Plain language: "I agree to be contacted about job opportunities at [Company] via WhatsApp" — not legal boilerplate.
  • No pre-ticking: The box must start unchecked.
  • Purpose specificity: If you want to use the number for both interview reminders and talent pool broadcasts, these require separate consents — or you must clearly state both purposes in the single consent text.
  • Easy withdrawal: "Reply STOP to unsubscribe" must be in every first message, and honouring it must be instant and automatic.
  • Audit trail: SendSeven logs the opt-in timestamp, source, and channel automatically for every contact.

Double opt-in adds a second layer: after the form opt-in, a WhatsApp message asking the candidate to confirm their consent by replying. This generates a stronger audit trail and filters out invalid numbers.

Retention periods: the 6-month rule

One of the most frequently asked compliance questions in European recruiting: how long can you retain applicant data?

The general rule, supported by guidance from European data protection authorities:

  • Rejected applicants: Data should be deleted within 6 months after the end of the application process. This period allows you to handle any potential discrimination claims under national anti-discrimination laws (equivalent to Germany's AGG).
  • Talent pool (with consent): Data can be retained for up to 2 years if the candidate has explicitly consented to talent pool inclusion and has been informed of the retention period.
  • Hired candidates: Transition to employee data handling — different rules apply (typically up to 10 years post-employment).

The 6-month rule is not a statutory requirement in all EU countries, but it is the established best practice recognised by most data protection authorities. Shorter periods are always permissible; longer periods without consent are not.

Practical implementation: set a retention policy in your ATS that automatically flags records for deletion review after 6 months. SendSeven allows you to tag contacts with retention categories and export deletion lists for your ATS.

Equal treatment compliance in automated messaging

GDPR is not the only compliance dimension in recruiting messaging. National equal treatment / anti-discrimination laws require that your communication does not directly or indirectly discriminate on protected grounds (age, gender, ethnic origin, religion, disability, sexual orientation).

Key implications for automated recruiting messaging:

  • Neutral language in all templates: No gender-coded language. Use gender-neutral formulations throughout ("the successful candidate" not "he/she"). This applies to WhatsApp templates, email sequences, and chatbot responses.
  • No profiling by protected characteristics: Automated segmentation rules must not filter candidates by age, gender, or other protected attributes. Role-based segmentation (skills, location, last contact date) is fine.
  • Consistent process for all candidates: If you use automated reminders for some candidates but not others, ensure the selection is based on objective criteria (opted in to WhatsApp vs. not), not protected characteristics.
  • Documented decision logic: For automated rejection communications, document the criteria used. Automated systems can still be discriminatory if trained on biased data.

Data Processing Agreement (DPA) with your messaging provider

When you use a third-party service like SendSeven to send WhatsApp messages, SMS, or emails to candidates, you are sharing personal data with a data processor. GDPR Art. 28 requires a written Data Processing Agreement (DPA) before any processing begins.

A compliant DPA must specify:

  • The scope, nature, and purpose of the processing
  • The type of personal data and categories of data subjects
  • Your rights as data controller (audit rights, instruction rights)
  • The processor's obligations (security measures, sub-processor disclosure, breach notification)
  • Data deletion or return at the end of the contract

SendSeven provides a ready-to-sign DPA compliant with GDPR Art. 28. All data is processed on EU servers (Google Cloud); AI processing in Frankfurt (Vertex AI). Sub-processors (including Meta for WhatsApp delivery) are disclosed in the DPA.

Important: you need a DPA with SendSeven. You do not need a DPA with each individual candidate.

Checklist: 10 points for GDPR-compliant recruiting messaging

  1. ✅ WhatsApp opt-in collected via separate, explicit, unchecked checkbox
  2. ✅ Double opt-in implemented for talent pool contacts
  3. ✅ Opt-in documented with timestamp and source (automated in SendSeven)
  4. ✅ Opt-out honoured within 24 hours, ideally immediately
  5. ✅ DPA signed with SendSeven before first message is sent
  6. ✅ Retention periods set: 6 months for rejected applicants without talent pool consent
  7. ✅ Talent pool consent is separate and explicitly states the retention period
  8. ✅ All message templates reviewed for equal treatment compliance (neutral language)
  9. ✅ Automated segmentation rules checked for protected-characteristic filters
  10. ✅ Privacy policy updated to mention WhatsApp as a communication channel

Conclusion

GDPR compliance in recruiting messaging is not a barrier — it is a competitive advantage. Candidates who are asked for consent explicitly, who receive transparent information, and who can easily opt out trust you more. That trust translates into higher opt-in rates, better engagement, and stronger employer brand. The legal framework is clear. The technical implementation with SendSeven is straightforward. There is no reason to avoid WhatsApp in recruiting out of compliance concern — there is every reason to implement it properly.

Further reading:

FAQ

Do I need a DPA with SendSeven for every candidate I message?

You need one DPA with SendSeven as your data processor — not a separate agreement with each candidate. The DPA covers all personal data processed through SendSeven on your behalf. Candidate relationships are handled through your privacy policy and opt-in documentation.

Can I message candidates from LinkedIn or other platforms via WhatsApp?

Not without prior consent. Contacting someone via WhatsApp requires that you have their mobile number and that they have consented to being contacted on that channel. Legitimate interest applies in very narrow circumstances for outreach — a LinkedIn connection is generally not sufficient.

What happens when a candidate withdraws consent?

You must immediately stop communication via the relevant channel. Any data processed solely on the basis of that withdrawn consent must be deleted unless another legal basis exists (e.g., a pending application for which legitimate interest or pre-contractual measures apply).

Is the 6-month deletion rule mandatory or a recommendation?

It is not a statutory requirement in all EU countries, but it is the established standard recommended by most European data protection authorities and is well-established practice for equal treatment compliance. Shorter periods are always permissible; longer periods without consent are legally risky.

Do I need a data protection officer for recruiting messaging?

It depends on company size and data processing scope. If you regularly process personal data of more than 20 people, a DPO is required under GDPR Art. 37 and relevant national law. In any case, a clear data processing register and documented retention policies are required regardless of DPO status.