How Does GDPR Affect AI Hiring Bias Audits?

GDPR (General Data Protection Regulation) intersects with AI hiring bias audits in important ways:

**Data collection challenges:**

  • GDPR requires a legal basis for processing personal data, including demographic data needed for bias audits
  • Legitimate interest and compliance with legal obligations are valid bases
  • You must inform candidates about data collection purposes

**Processing requirements:**

  • Demographic data is "special category data" under GDPR Article 9
  • Processing is permitted for employment law obligations and substantial public interest
  • Data minimization applies — collect only what is needed for the audit

**Data retention:**

  • Set retention periods for audit data (OnHirely supports configurable retention from 30-180 days)
  • Delete demographic data after audit completion if no longer needed
  • Maintain audit reports (without individual data) for compliance records

**Practical tips:**

  • Include bias audit data collection in your privacy notice
  • Use anonymization where possible
  • Work with your DPO to establish a lawful basis for processing
  • OnHirely processes data in SOC 2-ready infrastructure with GDPR-compliant retention controls
