Does GDPR apply to me if my recruiting agency is based outside the EU?

Yes. GDPR applies to any business processing personal data of EU residents, regardless of where the business is located. If you're sourcing EU-based candidates, you're in scope.

Do I need explicit consent to cold-email a candidate in Germany?

Germany's DSK is stricter than most EU regulators, and many compliance teams treat explicit consent as effectively required for B2B cold outreach there. When targeting German candidates at scale, get legal advice specific to that jurisdiction.

Can I keep a candidate's CV on file after rejecting them for a role?

Candidates typically consent to data processing only for the role they applied for, so storing CVs for future openings requires a second, explicit approval — a short consent request in your rejection email covers it.

Is Your Recruiting Outreach GDPR-Ready? A Fast Checklist

Q: are you ready for gdpr

Reaching EU-based candidates without a GDPR plan is a real legal risk. Here's a fast checklist recruiters can run through before hitting send.

Informational only, not legal advice. · Published May 17, 2026

Question

Amy

Recruiter

are you ready for gdpr

Read full question

My agency does a lot of outbound sourcing, and half our candidates are based in Europe. Someone on LinkedIn told me our cold email sequences aren't GDPR-compliant and now I'm panicking. I'm not sure what we actually need to fix or where to start. Are there quick wins before we lawyer up?

Illustration for the article: Is Your Recruiting Outreach GDPR-Ready? A Fast Checklist

Deep breath — cold email recruiting to EU candidates is still legal under GDPR. But "legal" only holds if you can check five boxes. Run through these before your next sequence goes out.

Your Pre-Send GDPR Checklist

✅ Lock in a legal basis — and write it down. GDPR Article 6(1)(f) permits B2B cold outreach under legitimate interest, but you must pass a three-part test: purpose, necessity, and balancing — and document it in a Legitimate Interest Assessment (LIA) before you send. Without that document, you lose the argument during any regulatory inquiry by default.
✅ Only email business addresses — never personal ones. Legitimate interest applies when contacting candidates in their professional capacity at a work email. Personal addresses like Gmail or Yahoo require explicit consent in most EU jurisdictions — a much higher bar that essentially rules out cold outreach.
✅ Put the source and an opt-out in every email. GDPR mandates transparency: your first outreach must clearly identify who you are, include a one-click opt-out, and note where you found their data (e.g., "We found your profile on LinkedIn. Unsubscribe anytime."). Google and Yahoo now enforce one-click unsubscribe for bulk senders too — it's table stakes.
✅ Honor opt-outs before the next send — automatically. GDPR standards favor immediate action on opt-out requests; you don't get the 10-business-day window CAN-SPAM allows. Automate suppression list updates in whatever email sequencer you use so no candidate gets a second touch after unsubscribing.
✅ Delete inactive candidates promptly. GDPR's storage limitation principle means removing contacts who haven't responded within 30–60 days and deleting opted-out records immediately and permanently. If you're storing CVs for future roles, get a second consent from candidates at rejection — a quick line in your rejection email is enough.

The Risk Is Real

Since GDPR took effect, over 1,600 companies have been fined, with penalties totaling billions of euros. In December 2024, French regulator CNIL fined Orange €50 million for sending ads without proper consent. The fines aren't reserved for big tech — smaller agencies get caught too. Getting your LIA written and your suppression list wired up takes an afternoon, not a legal retainer.

Sources

Stop writing follow-ups manually

DripDraft writes AI-personalized follow-ups for every cold email you send. They land as Gmail drafts for your review — never auto-sent. Free plan includes 10 campaigns/month.

Get started free Add to Chrome