GDPR Requirements for Video Interviews (HR Guide 2026)

As hiring teams increasingly adopt video interviewing tools to streamline candidate screening and improve hiring outcomes, understanding how the UK and EU GDPR applies is essential.

Video interviews go beyond text and CV data - they often include recordings, biometric-rich content (voice/video), transcripts, and structured interview notes, all of which fall under personal data protections. Failure to comply can lead to regulatory scrutiny from the Information Commissioner’s Office (ICO) or European data authorities and hefty fines under GDPR.

Below, we’ve laid out key GDPR requirements that HR leaders need to understand in 2026, and how Evidenced aligns with and supports practical compliance in recruitment workflows.

1. Data Protection Principles in Recruitment

Under GDPR, any processing of personal data during recruitment must respect a few core principles - lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity/confidentiality.

Practical takeaways for video interviews:

• Inform candidates clearly about what will be recorded, why, how long data will be retained, and who will have access.

• Record only what’s necessary to make hiring decisions - avoid capturing unrelated extra personal details.

• Maintain transparency through recruitment privacy notices or candidate consent forms that meet Article 13/14 requirements.

2. Candidate Consent & Lawful Basis

GDPR requires a lawful basis for processing personal data. For video recordings, organisations typically rely on consent or legitimate interests.

Consent Approach:

• Obtain explicit, informed consent from candidates before recording interviews.

• Make consent rejectable without detriment - candidates shouldn’t feel forced to consent just to be considered.

Video interviewing tools that lack built-in consent flows or transparency mechanisms may leave organisations exposed if they cannot clearly document their lawful basis.

Legitimate Interests Approach:

Organisations may also rely on legitimate interests (Article 6(1)(f)) when they have compelling business reasons - such as legal protection, quality assurance, and accurate record-keeping - provided they:

• Conduct a Legitimate Interests Assessment (LIA) documenting the business need

• Provide advance notice in interview invitations about recording and candidate rights

• Offer clear opt-out provisions without penalty

• Restrict access to authorised personnel only

• Define retention periods with automatic deletion

Legitimate interests often provides more stability for organisations that need interview records for legal protection, as candidates cannot withdraw this basis (though they retain the right to object).

3. Candidate Rights & Access Requests

GDPR grants candidates broad rights, including:

• Right of access: candidates can request copies of their personal data, including video recordings and transcripts.

• Right to object: particularly important when processing is based on legitimate interests rather than consent.

• Right to erasure (“right to be forgotten”): subject to certain conditions and exceptions (e.g., legal claims).

• Right to withdraw consent: at any time for processing based on consent.

HR leaders must have reliable processes to facilitate these requests within statutory deadlines.

4. Retention and Deletion Policies

GDPR prohibits storing personal data longer than necessary for the purpose for which it was collected.

For video interviews:

• Define and document retention periods for interview recordings, transcripts, and notes.

• Ensure your tools support automated expiry and deletion at the end of retention periods to reduce human error.

• Candidates who haven’t consented to extended retention should have their data automatically removed once the interview process ends unless another lawful basis applies.

Without configurable retention, compliance depends on manual processes - leaving gaps that regulators could classify as avoidable risk.

How Evidenced Helps HR Teams Comply With GDPR

Evidenced is designed with GDPR alignment in mind to support compliant video interviewing workflows:

1. Candidate Consent Built In

Evidenced requires candidates (and interviewers) to consent to recording and processing, with clear controls and documentation - making it easier to satisfy GDPR's lawful basis and transparency requirements. The platform also supports opt-out mechanisms for organisations relying on legitimate interests.

2. Configurable Retention Policies

Evidenced allows organisations to define retention periods for candidate data, enabling automatic deletion or anonymisation - a key need for compliance under the GDPR’s storage limitation principle.

3. Single Stream Recording

Unlike traditional video call tools such as Zoom or Teams, hiring teams using Evidenced can separate video streams for candidates and interviewers, allowing for each callers personal data to be distributed individually when required.

Beware of “AI Notetakers” Without Clear Governance

Many tools bundle AI transcription or analysis without clear retention controls or transparent consent mechanisms. Without proper retention settings and documented lawful basis, these tools can make it difficult to demonstrate compliance with GDPR - especially at audit time. HR and Compliance teams must ask:

• Can the tool prove how long candidate data is stored?

• Is consent logged and accessible on demand?

• What lawful basis does the tool rely on?

If not, you may struggle to meet GDPR’s documentation and accountability obligations.

Useful External Resources

You can find more information about the legalities of GDPR on the official ICO website.

For more information about what HR needs to track to stay compliant during the hiring process, read our blog post.