- Confirm your legal basis. Many recruiting teams default to legitimate interest (Article 6(1)(f)), but verify with legal counsel whether consent, contractual necessity, or another basis better fits your jurisdiction and process. Legitimate interest is a balancing test, not a label: your outreach must be genuinely relevant to the recipient (a software engineer receiving a matched engineering role, not a spray-and-pray blast), and the recipient must reasonably expect it. Write the reasoning down as a legitimate interest assessment; don't just assume the basis applies.
- Check where your data came from. LinkedIn sourcing exists in a gray zone under GDPR; confirm your specific use case complies with LinkedIn's terms and consult legal before scaling. Because the data was not collected from the candidate directly, Article 14 requires you to tell them what you hold and where it came from, at the latest in your first message. Third-party data providers vary widely: verify that any vendor you use is itself GDPR-compliant and that the data was collected with appropriate disclosure, and keep the vendor's answer on file.
- Include an opt-out in every message. Every email, including follow-ups, needs a clear, easy way to say "stop contacting me." A one-line plain-text option at the bottom is enough. Treat an opt-out as an objection under Article 21: stop the outreach promptly (Article 12 allows at most one month to act, but there is no reason to wait), and add the address to a suppression list so the person is never re-imported by a fresh sourcing run. Keeping that minimal record is itself processing, so note its purpose in your processing record.
- Don't store data longer than necessary. If a candidate doesn't respond after your sequence ends, delete their record or anonymize it so it can no longer be linked back to them (pseudonymized data is still personal data). Holding thousands of non-responsive EU contacts in your CRM is a liability, not an asset. The one thing to keep is the suppression list, which has to outlive the records it refers to or opt-outs will resurface on re-import.
- Audit your follow-up volume. There is no safe number of touches: excessive contact undermines the legitimate interest balancing test whatever the count, and aggressive cadences attract scrutiny. Fix a documented cadence, stop the sequence at the first signal that the recipient is not interested (an objection, a bounce, an "I'm not looking"), and make sure the relevance assessment that justified the first message still justifies the third.
- Keep a short processing record. A simple spreadsheet noting what data you hold, where it came from, why you process it, who receives it (CRM, email tooling, sourcing vendors), and how long you keep it satisfies basic Article 30 obligations for most small teams. Don't count on the small-organization exemption in Article 30(5): it doesn't cover processing that is more than occasional, and ongoing outreach is not occasional.
Run through this list with whoever owns your data stack — legal will stop flagging you and your deliverability will thank you too.
