Email is meant for communication, not for storing applicants’ personal data — at least not under the General Data Protection Regulation (GDPR). Yet many companies still receive and store CVs this way, often without realizing it creates a compliance problem.
There are six main reasons why storing CVs in email is problematic under the regulation. We break them down.
No documented consent
Before storing a candidate’s personal data at all, GDPR requires a lawful basis for doing so. For recruitment, companies typically rely on either consent or legitimate interests — but either way, that basis must be documented. When CVs arrive by email, there is rarely any formal mechanism in place to capture or record this: the candidate sent their CV to apply for a role, not to have their personal data stored indefinitely across company mailboxes. Without an audit trail showing what legal basis was used, when, and what it covered, the company is exposed.
Indefinite data retention
Under GDPR, personal data must not be kept for longer than necessary for the purpose it was collected for. However, CVs buried in mailboxes are easily forgotten and hard to find, so they tend to stay there indefinitely, breaching this principle.
Uncontrollable duplication
Employees often forward CVs to one another, creating multiple unsecured copies that are hard to track, which leads back to the problem of indefinite data retention. Note that forwarding a CV also leaves copies in the sender's own mailbox: the original message and the forwarded one, in different folders.
Accidental breaches
GDPR requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorized access. However, mailboxes can be compromised and messages intercepted in transit, and anyone can send an email to the wrong recipient by mistake (who hasn't?).
Uncertain data residency
Storage location is another risk factor. GDPR permits transfers of personal data outside the European Economic Area (EEA) only where an adequacy decision or appropriate safeguards apply. However, some major email providers may route or store data on servers outside the EEA by default unless explicitly configured otherwise, so a company may be making such transfers without knowing it.
Failed right to be forgotten
The GDPR also includes the "right to be forgotten": individuals have the right to request the deletion of their data. However, if a candidate asks to be forgotten and the company stores CVs in email, searching every mailbox in the company for every copy of their CV and deleting them all within the timeframe GDPR requires ("without undue delay", and in any case within one month of the request under Article 12) becomes extremely difficult to guarantee.

What are the penalties for failing to comply with GDPR?
Under Article 83, there are two tiers for penalties.
For procedural violations (e.g., inadequate record-keeping), the maximum fine is €10 million or 2% of worldwide annual turnover, whichever is higher.
Now, for more serious violations — such as breaches of core data processing principles, failure to respect data subject rights, or illegal international data transfer — the maximum fine is €20 million or 4% of worldwide annual turnover, whichever is higher. Failing to honor a right-to-erasure request (the “right to be forgotten”) falls into this category.
Regulators will consider several factors when calculating fines, including the number of individuals affected, the duration of the infringement, the sensitivity level of the data involved, cooperation with authorities, and whether the violation was intentional or not.
The upper limits reflect how seriously regulators take the matter, but in practice a first-time, unintentional breach that is handled transparently is likely to result in a significantly lower fine. Still, the financial and reputational risks remain substantial.
How to fix it
Under GDPR, compliance isn’t just about doing the right thing — you also need to be able to prove it. That means maintaining detailed documentation of the collected data — how it is used, where it is stored, for how long, and who is responsible for it.
When it comes to receiving and storing CVs, the most practical solution is to use dedicated HR software or an Applicant Tracking System (ATS) that captures consent at the point of application (documenting it automatically and tying it to a clear data retention policy), enforces data deletion policies, and encrypts candidate information. You don’t necessarily have to incur high subscription costs for that. The Hub offers a free ATS, while Jobshark is a tech recruiting platform built to be fully GDPR-compliant from the ground up.
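Before moving to an ATS, a company still has to deal with the CVs already sitting in its mailboxes: it needs to know which copies are past their retention window and, when a candidate asks to be forgotten, where every copy of that candidate's CV lives. The script below is an added example, not code from the original article or from any of the products it mentions. It builds a small constructed mbox (three sample messages, one of them a forwarded copy), inventories CV-like attachments, flags those older than an assumed 180-day retention window, and locates all copies belonging to one candidate. The attachment extensions, the retention period and the sample addresses are assumptions.

```python
"""Inventory CV attachments in an mbox mailbox (added example, not the
article's or any vendor's code). Sample messages, file types and the
180-day retention window are assumptions made for the demonstration."""
import mailbox
import os
import tempfile
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime

CV_EXTENSIONS = (".pdf", ".doc", ".docx")   # assumed CV file types
RETENTION = timedelta(days=180)             # assumed retention window


def build_sample_mbox(path):
    """Write three constructed messages to an mbox file at `path`."""
    samples = [
        ("Ana Lopez <ana@example.org>", "jobs@example.com",
         "Application: backend role", "Thu, 02 Jan 2025 09:00:00 +0000",
         "ana_lopez_cv.pdf"),
        ("Ben Ng <ben@example.net>", "jobs@example.com",
         "CV for SRE position", "Mon, 03 Mar 2025 10:30:00 +0000",
         "ben_cv.docx"),
        # A forwarded copy of Ana's CV: a second copy of the same personal
        # data, now in a different mailbox and no longer sent by Ana herself.
        ("Recruiter <hr@example.com>", "hiring-manager@example.com",
         "Fwd: Application: backend role", "Fri, 03 Jan 2025 11:00:00 +0000",
         "ana_lopez_cv.pdf"),
    ]
    box = mailbox.mbox(path)
    for sender, to, subject, date, filename in samples:
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, to
        msg["Subject"], msg["Date"] = subject, date
        msg.set_content("Please find my CV attached.")
        msg.add_attachment(b"%PDF-1.4 constructed dummy content",
                           maintype="application", subtype="octet-stream",
                           filename=filename)
        box.add(msg)
    box.flush()
    box.close()


def inventory(path, now=None):
    """Return one record per CV-like attachment found in the mailbox."""
    now = now or datetime.now(timezone.utc)
    records = []
    box = mailbox.mbox(path)
    try:
        for key, msg in box.items():
            sent = parsedate_to_datetime(msg["Date"])
            for part in msg.walk():
                name = part.get_filename()
                if name and name.lower().endswith(CV_EXTENSIONS):
                    records.append({
                        "key": key,
                        "from": parseaddr(msg["From"])[1],
                        "to": parseaddr(msg["To"])[1],
                        "subject": msg["Subject"],
                        "filename": name,
                        "age_days": (now - sent).days,
                    })
    finally:
        box.close()
    return records


def overdue(records):
    """Copies that have outlived the retention window and should be purged."""
    return [r for r in records if r["age_days"] > RETENTION.days]


def copies_for(records, candidate_email):
    """Every message carrying the candidate's CV, for an erasure request.
    Forwarded copies are not sent by the candidate, so they are matched by
    the attachment filename of the original submission (a heuristic)."""
    own = {r["filename"] for r in records if r["from"] == candidate_email}
    return [r for r in records
            if r["from"] == candidate_email or r["filename"] in own]


def run_demo(now=datetime(2025, 8, 1, 12, 0, tzinfo=timezone.utc)):
    """Build the sample mailbox and return a summary of what was found."""
    path = os.path.join(tempfile.mkdtemp(), "jobs.mbox")
    build_sample_mbox(path)
    records = inventory(path, now)
    return {
        "total": len(records),
        "overdue": [(r["key"], r["filename"], r["age_days"])
                    for r in overdue(records)],
        "ana_copies": [(r["key"], r["to"])
                       for r in copies_for(records, "ana@example.org")],
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_demo())
```

Run with a fixed "now" of 1 August 2025, the demo reports three CV attachments, two of them overdue (both copies of Ana's CV), and two messages holding Ana's CV in two different mailboxes. The filename heuristic in `copies_for` is also the weak point: a renamed or pasted-in copy escapes it, which is exactly why the article argues that erasure cannot be guaranteed when CVs are spread across mailboxes.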
Remember, the GDPR applies to all organizations — private, public, charities, not-for-profit, local, and central government.
Want to stay informed with content that matters?
Subscribe to the TechTalents Insights newsletter and get our best articles and interviews — completely free.

