Define retention periods per candidate status: e.g., unsuccessful applicants retained for 6-12 months post-rejection (varies by jurisdiction), active talent pool candidates retained for a defined period with renewal consent
Build a scheduled job that queries your ATS for candidates whose retention period has expired; use the ATS API to retrieve candidates filtered by last_activity_date or rejection_date
For each expired candidate, call the ATS delete endpoint (e.g., Greenhouse Harvest DELETE /v1/candidates/{id} or the equivalent in your ATS) to permanently remove the record
Log each deletion with a timestamp and the policy rule that triggered it; store logs outside the ATS in a separate audit log
Implement a candidate data subject access request (DSAR) handler that, upon receiving a verified request, exports all candidate data via the ATS API and delivers it within the regulatory deadline
Known gotchas
Some ATS platforms soft-delete candidates (marking them inactive) rather than permanently erasing data; verify that the delete API call results in actual data erasure by checking whether the record is retrievable afterward
Retention periods vary by EU member state even under GDPR; a single global retention policy may be too short for some jurisdictions and non-compliant in others — legal review is required
Deleting a candidate via the API may not automatically delete associated files (resumes, cover letters) stored in object storage; confirm with your ATS vendor whether file deletion is included in the candidate delete operation
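The scheduled job from the steps above, combined with the retrievability check from the first gotcha, as an added Python example that is not part of the original page or of any ATS vendor's code. `FakeATS`, its method names, the rule ids, the retention periods and the sample records are constructed assumptions; a real job would put the ATS's list, delete and get endpoints behind the same three methods.

```python
import json
from datetime import datetime, timedelta

# Assumed policy (placeholder periods): status -> (rule id, date field, retention).
POLICY = {
    "rejected": ("rejected-180d", "rejection_date", timedelta(days=180)),
    "talent_pool": ("pool-365d", "last_activity_date", timedelta(days=365)),
}

# Constructed sample records (not real data).
SAMPLE = [
    {"id": "c1", "status": "rejected", "rejection_date": "2024-01-10T00:00:00+00:00"},
    {"id": "c2", "status": "rejected", "rejection_date": "2024-01-10T00:00:00+00:00"},
    {"id": "c3", "status": "talent_pool", "last_activity_date": "2024-06-01T00:00:00+00:00"},
]

class FakeATS:
    """Constructed in-memory stand-in for an ATS client (hypothetical interface)."""
    def __init__(self, candidates, soft_delete_ids=()):
        self.rows = {c["id"]: c for c in candidates}
        self.soft = set(soft_delete_ids)
    def list_candidates(self):
        return list(self.rows.values())
    def delete(self, cid):
        if cid not in self.soft:  # a soft-deleting ATS keeps the record
            del self.rows[cid]
    def get(self, cid):
        return self.rows.get(cid)  # None stands for "not found"

def expired_rule(cand, now):
    """Return the id of the policy rule that has expired for cand, else None."""
    rule_id, field, period = POLICY.get(cand.get("status"), (None, None, None))
    if rule_id is None or not cand.get(field):
        return None  # unknown status or missing date: do not delete
    return rule_id if now - datetime.fromisoformat(cand[field]) > period else None

def run_retention_job(ats, audit_sink, now):
    """Delete expired candidates, verify erasure, write one audit line each."""
    results = []
    for cand in ats.list_candidates():
        rule_id = expired_rule(cand, now)
        if rule_id is None:
            continue
        ats.delete(cand["id"])
        erased = ats.get(cand["id"]) is None  # still retrievable => not erased
        entry = {"candidate_id": cand["id"], "rule": rule_id,
                 "deleted_at": now.isoformat(),
                 "outcome": "erased" if erased else "still_retrievable"}
        audit_sink.write(json.dumps(entry) + "\n")  # sink lives outside the ATS
        results.append(entry)
    return results
```

`audit_sink` is any writable text stream and `now` must be a timezone-aware datetime. A `still_retrievable` outcome means the delete call did not erase the record and should be followed up with the vendor, not counted as a completed deletion.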