Compliance with deletion periods is a central component of GDPR-compliant data processing. softgarden offers companies a powerful and individually configurable solution for managing personal data in the recruiting process.
Overview: Deletion Periods in the System
Area | Standard Period | Adjustable | Deactivatable | Legal Basis |
Applications | 6 months after completion | ✅ | ✅ | GDPR Art. 6 para. 1 lit f; See § 61 para. 1 ArbGG in conjunction with § 15 AGG |
Candidate Profiles in Talent Pool | 12 months | ✅ | ✅ | Art. 6 para. 1 lit. a GDPR |
🧭 The path to configuring deletion periods for users with administrator roles is: Settings → Additional Features → Privacy and Security
👉 Alternatively, this direct link is available: https://app.softgarden.io/just-hire/settings/features/dataprivacy
🔗 Note on Data Privacy Notices:
If you store your own link to the data privacy notices in the system, you are responsible for ensuring that the information contained in them—especially regarding deletion periods—is kept up to date.
Using softgarden's standard data privacy notices offers you several advantages:
System-wide changes to deletion periods are automatically considered.
The document automatically expands to include any additional booked features and supplementary products—including the relevant data protection information.
👉 This way, your data privacy notices remain up-to-date and complete without the need for manual upkeep.
Configuration of Deletion Periods
Flexible Selection: Periods can be freely chosen between 1 and 60 months.
Deactivation Possible: Automatic deletion can be completely deactivated.
Independent Periods: Different periods can be defined for hired and rejected applications.
Talent Pool: Here too, storage duration is individually configurable—assuming the applicant's consent.
Tenant Structure: What to Consider?
When working with a tenant system, particular rules apply:
No Automatic Inheritance: Deletion periods defined in the main tenant are not automatically transferred to sub-tenants. They must be individually stored for each sub-tenant.
Independent Responsibility: Each tenant is independently responsible for GDPR-compliant configuration of its deletion periods.
Individual Settings: Deletion periods must be tenant-specific in each respective admin area.
Transparent Communication: For shared talent pools or central reporting, clear coordination between tenants is recommended.
Which Data Are Deleted?
Application documents (resume, cover letter, certificates)
Personal information (name, contact details, photo)
Communication, evaluations, interview appointments
Notes and internal comments
What Is Retained?
Anonymized Metadata for reporting (e.g., Time-to-Hire)
System Logs for GDPR documentation (e.g., deletion times, user actions)
Automatic Reminders & Notices
Notifications to Applicants: 14 days before the Talent Pool period expires
Reminders for Recruiters: For manual extension or deletion
Legal Foundations
Art. 5 para. GDPR: Data may only be stored as long as necessary for the purpose.
§ 15 para. 4 AGG: Application documents can be kept for up to 6 months to defend against discrimination claims.
Art. 6 GDPR: Processing only with consent or legal basis.
Do Companies Have to Inform Applicants About Changes to Deletion Periods?
And how important is this point for transparent communication?
Yes—if deletion periods are explicitly mentioned in the data privacy notices, companies must actively inform upon changes. This means applicants should be directly contacted, for instance, via email. Simply updating the privacy statement is not sufficient in this case.
However, if the deletion periods are only generally described (e.g., "according to legal retention periods"), it suffices to update the data privacy notices without notifying applicants directly.
📌 Nonetheless, for transparent communication, this topic is central: A clear and understandable note on data deletion—such as "Your data will be deleted according to legal retention periods"—strengthens applicants' trust and fulfills GDPR requirements.
FAQ on Deletion in softgarden
Can I delete applications immediately? → Yes, upon the applicant's request, directly in the applicant profile.
What happens when archiving? → Archiving is not deletion—the data remains until the period expires.
Can an applicant withdraw consent to the Talent Pool? → No, there is no specific form for deletion from the Talent Pool. One can simply respond to a previous Talent Pool email and express the wish to be deleted or contact the company in another way.
Can applicants delete their own data? → Yes, through their login in the career portal.
Conclusion
With the ability to set deletion periods individually between 1 and 60 months or deactivate them—and with the tenant-capable structure—softgarden offers maximum flexibility with high data protection security. Companies should regularly review settings and communicate transparently to applicants.