Data accumulates by default
Many systems retain profiles indefinitely because deletion is operationally inconvenient. That creates unnecessary risk when the lawful basis for storing candidate data is time-limited.
GDPR-compliant recruiting requires more than a privacy statement. The system has to capture lawful basis, enforce retention windows, delete candidate data on schedule, and preserve logs that explain how an applicant moved through the hiring workflow.
Many hiring products treat compliance as a documentation layer around a general-purpose database. That leaves operational gaps when a profile must be retained for a limited period, removed from storage, or reviewed under a subject access or deletion request.
Recruitment orchestration handles those requirements more directly because workflows can encode when data is created, when it is evaluated, and when it must be removed. Vekt uses that model to connect hiring actions with enforceable privacy behavior.
If an organization cannot inspect where applicant documents live, which email events were sent, or when a retention deadline expires, privacy compliance depends on manual workarounds.
Privacy controls are only reliable when retention, access, and deletion are implemented in the same system that evaluates the candidate.
A workflow can apply retention logic as a scheduled operation rather than as an administrative reminder.
After an individual applies, the system stores the candidate record and resume file with a retention horizon. Status updates, warning emails, and purge tasks run against that same record. When the retention period expires, the workflow deletes the database entry and the associated file.
This is where recruitment orchestration differs from ATS software. The privacy rule is part of system execution, not a separate compliance checklist.
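The retention flow described above, sketched as an added example (not Vekt's code). The table layout, the 180-day window, the 14-day warning lead, the event names and all function names are assumptions made for illustration.

```python
import os, sqlite3, tempfile
from datetime import datetime, timedelta

RETENTION = timedelta(days=180)   # assumed window; the page gives no figure
WARN_BEFORE = timedelta(days=14)  # assumed lead time for the warning email

SCHEMA = """
CREATE TABLE candidates (id INTEGER PRIMARY KEY, email TEXT, resume_path TEXT,
    lawful_basis TEXT, delete_after TEXT, warned INTEGER DEFAULT 0);
CREATE TABLE audit_log (at TEXT, candidate_id INTEGER, event TEXT);
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _log(db, now, cid, event):
    # The audit trail stores the record id and event only, no applicant fields.
    db.execute("INSERT INTO audit_log VALUES (?,?,?)", (now.isoformat(), cid, event))
    db.commit()

def store_application(db, email, resume_bytes, now, basis="consent"):
    """Store record and resume file together, stamped with the retention horizon."""
    fd, path = tempfile.mkstemp(suffix=".pdf")
    with os.fdopen(fd, "wb") as f:
        f.write(resume_bytes)
    cur = db.execute(
        "INSERT INTO candidates (email, resume_path, lawful_basis, delete_after) "
        "VALUES (?,?,?,?)", (email, path, basis, (now + RETENTION).isoformat()))
    _log(db, now, cur.lastrowid, "stored")
    return cur.lastrowid

def sweep(db, now):
    """Scheduled task: flag a warning before the deadline, purge row and file after it."""
    purged = []
    rows = db.execute("SELECT id, resume_path, delete_after, warned FROM candidates")
    for cid, path, delete_after, warned in rows.fetchall():
        deadline = datetime.fromisoformat(delete_after)
        if now >= deadline:
            if os.path.exists(path):
                os.remove(path)  # file first: a failure here leaves the row for retry
            db.execute("DELETE FROM candidates WHERE id = ?", (cid,))
            _log(db, now, cid, "purged")
            purged.append(cid)
        elif not warned and now >= deadline - WARN_BEFORE:
            db.execute("UPDATE candidates SET warned = 1 WHERE id = ?", (cid,))
            _log(db, now, cid, "warning_due")  # a mailer would pick this event up
    return purged
```

Because the deadline is written at intake and the sweep reads it from the same row that holds the file path, the record and its document cannot drift onto separate deletion schedules.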
The practical questions are concrete: what is stored, why it is stored, who can access it, and when it is deleted.
Structured workflows make it easier to justify each field and each document collected from the applicant. They also reduce the incentive to retain unused profile data.
When resume access and status changes are mediated by authenticated routes and logs, teams can inspect how personal data was used and by whom.
Vekt approaches GDPR-compliant recruiting as a systems problem. Privacy depends on how workflows retain, audit, and delete candidate data, not only on what policy documents promise.