Is Your Sourcing Strategy GDPR Compliant? A 2026 Checklist for EU Recruiters
A GDPR-compliant sourcing strategy in 2026 requires public-data-only sources, EU-based infrastructure, and transparent AI with human oversight. GDPR fines for recruitment violations reached 1.3 billion euros across the EU in 2025.
You found the perfect candidate. Great profile, right skills, open to new roles. You reach out. They reply, but not with interest. With a complaint.
"Where did you get my data?"
GDPR-compliant sourcing is the practice of finding and contacting candidates using only lawfully obtained, publicly available data, processed on EU-based infrastructure, with full transparency and documented legal basis.
For European recruitment agencies, this question is not just awkward. It is a legal minefield. GDPR fines for recruitment violations reached €1.3 billion across the EU in 2025, according to recent AI recruiting statistics (for the latest European recruiting data, see Taleva's recruiting data hub). Data Protection Authorities are actively auditing sourcing tools. And the difference between compliant and non-compliant sourcing often comes down to one thing: where your tool gets its data and where that data lives.
Here's your complete GDPR recruitment compliance checklist for 2026, and why your choice of sourcing platform matters more than you think.
Why GDPR Compliance in Sourcing Is Getting Harder
When GDPR launched in 2018, most agencies updated their privacy policies and moved on. That is no longer enough.
Three things have changed:
- AI sourcing tools are everywhere. Automated candidate discovery means processing thousands of profiles per search, as our complete guide to AI sourcing for recruiters explains. Each one is personal data under GDPR.
- Cross-border data transfers are under scrutiny. The EU-US Data Privacy Framework exists, but tools routing data through non-EU servers still carry risk, especially after Schrems II precedents.
- Data Protection Authorities are targeting recruitment specifically. Italian, French, and Dutch authorities have all issued guidance or fines related to AI-driven candidate sourcing in the past 18 months. The EU AI Act compliance guide for recruiting covers what this means for your agency.
According to Taleva's analysis of 200M+ European profiles, sourcing tools that rely on scraped or purchased data expose agencies to the highest enforcement risk. If your sourcing tool scrapes private profiles, stores data on US servers, or cannot explain its data processing chain, you have a problem.
The Critical Difference: Public Data vs. Scraped Data
This is where most agencies get confused, and where the real risk hides.
Publicly available data is information that individuals have intentionally made accessible to the public. Think: public LinkedIn profiles, published GitHub repositories, company "About" pages listing team members, conference speaker bios. Under GDPR, processing this data for legitimate interest (like recruitment) is generally permissible, with proper safeguards.
Scraped private data is different. This includes information extracted from behind login walls, private social media accounts, purchased databases of unknown origin, or data aggregated without consent. Processing this for recruitment violates GDPR's lawfulness principles.
The problem? Many global sourcing tools blur this line. They advertise "800M+ profiles" without explaining where those profiles come from. If you can't verify the data source, you can't prove compliance.
EU Infrastructure vs. Global Tools: Why It Matters
Where your sourcing tool's servers physically sit isn't a technicality; it's a compliance requirement.
All-EU infrastructure means:
- Candidate data never leaves the European Economic Area.
- No reliance on Standard Contractual Clauses (SCCs) or adequacy decisions that could be challenged.
- Subject to EU jurisdiction and Data Protection Authority oversight directly.
- Simpler compliance documentation with your clients.
Global tools (US-based servers) mean:
- Data transfers to the US under the EU-US Data Privacy Framework, which could be invalidated like Privacy Shield before it.
- Potential exposure to US surveillance laws (FISA 702).
- Complex compliance documentation requirements.
- Higher risk profile if audited by a Data Protection Authority.
For a European agency whose entire business depends on trust with candidates and clients, the safest path is clear: use tools built on EU infrastructure, processing only publicly available data. We've ranked the top 10 GDPR-compliant AI recruiting tools for Europe to help you choose.
Your 2026 GDPR Sourcing Compliance Checklist
Use this checklist to audit your current sourcing stack. Every "no" is a risk to address.
Data Sources
- ☐ Your sourcing tool only processes publicly available candidate data.
- ☐ You can verify and document where candidate profiles originate.
- ☐ No data is sourced from purchased lists, leaked databases, or private accounts.
- ☐ Candidates' publicly shared professional information is the basis for outreach.
Infrastructure & Data Storage
- ☐ All candidate data is processed and stored within the EU/EEA.
- ☐ No data transfers to non-adequate third countries without proper safeguards.
- ☐ Your tool provider clearly documents their data processing practices and sub-processors.
- ☐ Sub-processors are documented and EU-based (or adequately protected).
Lawful Basis & Transparency
- ☐ You have a documented lawful basis for processing (legitimate interest for recruitment is most common).
- ☐ You've conducted a Legitimate Interest Assessment (LIA) for your sourcing activities.
- ☐ Candidates are informed of data processing at first contact (privacy notice in outreach).
- ☐ You can respond to Subject Access Requests (SARs) within 30 days.
Data Minimisation & Retention
- ☐ You only collect data relevant to the recruitment purpose.
- ☐ Candidate data is deleted or anonymised after a defined retention period.
- ☐ You don't store sensitive/special category data (health, ethnicity, religion) unless explicit consent has been given.
- ☐ Your ATS/CRM has automated retention policies configured.
AI & Automated Decision-Making
- ☐ If AI ranks or filters candidates, you can explain the logic to candidates who ask.
- ☐ No fully automated rejection decisions without human review.
- ☐ Your AI tool provider can demonstrate bias testing and fairness measures.
- ☐ You've assessed your tools under the EU AI Act's high-risk category for employment. (Use our EU AI Act compliance checklist for recruiters to verify.)
Vendor Due Diligence
- ☐ You've reviewed your sourcing tool's privacy policy and data processing documentation.
- ☐ You know where their servers are located.
- ☐ You've asked them directly: "Where does your candidate data come from?"
- ☐ You've confirmed they don't sell or share candidate data with third parties.
Red Flags: When Your Sourcing Tool Might Not Be Compliant
Watch for these warning signs:
- "We have 800M+ profiles" but no clear explanation of data sources. Where did those profiles come from? If they can't tell you, that's a problem.
- US-only server infrastructure with vague references to "GDPR compliance." Being aware of GDPR isn't the same as being structurally compliant.
- No clear data processing documentation available or compliance materials that take weeks to produce. Compliant vendors have this ready on day one.
- Contact data from unknown origins. If emails and phone numbers appear without clear sourcing methodology, the enrichment process may violate data protection principles.
- No data deletion capabilities. If you can't delete a candidate's data from the tool when requested, you can't fulfil GDPR obligations.
How Taleva Handles GDPR Compliance
Taleva was built for European recruitment agencies, and GDPR compliance is structural, not an afterthought.
- All-EU infrastructure. Candidate data is processed and stored entirely within the European Union. No transatlantic data transfers. No reliance on frameworks that could be invalidated.
- Public data only. Taleva sources candidates from 15+ publicly accessible platforms: LinkedIn public profiles, GitHub, StackOverflow, company career pages, Indeed, Glassdoor, and more. No scraping of private data. No purchased databases.
- Transparent data chain. For every candidate surfaced, you can trace where the data came from. Full auditability for regulatory inquiries.
- AI with human oversight. Taleva's semantic AI ranks candidates by fit, but recruiters make every decision. No automated rejections.
- Contact enrichment from verified public sources. Emails and phone numbers sourced from publicly available information only, enabling direct outreach that's both effective and compliant.
For agencies whose clients demand GDPR compliance documentation (which is increasingly all of them), Taleva makes the compliance conversation simple: EU data, EU servers, public sources, full transparency.
The Bottom Line
GDPR compliance in recruitment sourcing isn't about checking a box. It's about choosing tools and processes that are structurally safe, not retroactively patched.
The safest sourcing strategy for European agencies in 2026 combines three elements:
- Public data only. Know where every candidate profile comes from.
- EU infrastructure. Keep candidate data within European jurisdiction.
- Transparent AI. Rank and prioritise with explainable logic and human oversight.
Your sourcing tool should make compliance easier, not harder. If it can't answer "where does the data come from?" and "where is it stored?", it's time to explore better alternatives for European agencies.
