TL;DR. On April 3, 2026, France's CNIL added recruitment to its three priority audit themes for the year. ~20% of the agency's 323 yearly inspections will land on hiring, using the 19-fact-sheet guide published in 2023. The CNIL already fined an ATS vendor 7,000 euros in September 2025. Here is the playbook to turn a mishandled application into a formal complaint.
You send your CV. Not a word about GDPR in the form.
Three years later, a recruiter pings you — your file resurrected from a hard drive you thought was gone.
Next rejection: an algorithm did not retain your profile.
In 2026, this is the kind of file the CNIL wants on its desk. What if the next sanction came from your complaint?
Why the CNIL is putting recruitment on the table in 2026
On April 3, 2026, France's data protection authority (CNIL) published its annual decision on priority audit themes (CNIL, 2026). Recruitment is one of the three targets, alongside the unified electoral register and sports federations.
To set the order of magnitude: the CNIL states that roughly 20% of its yearly inspections fall under priority themes (CNIL, 2026). Out of the 323 inspections conducted in 2025 (CNIL annual report, 2025), that is roughly sixty files specifically dedicated to employment data.
The declared scope: large companies and recruitment agencies. The CNIL also uses this round to preview its future role as a market surveillance authority for AI in the world of work, under the EU AI Act (CNIL, 2026).
The grid that field agents will use is not new: it is the recruitment guide published in January 2023, in 19 fact sheets (CNIL, 2023). In other words, the standards have been on the table for three years — the surprise excuse no longer flies on the employer side.
The three audit angles, translated into signals you can spot
The CNIL lists three angles. Here is what they look like in your day-to-day candidate experience.
Angle 1 — prior information. The application form must tell you who collects your data, why, for how long, and how to exercise your rights. Candidate-side signal: no GDPR mention in the form, no link to a privacy policy, no statement of purpose for the processing.
Angle 2 — retention period. The CNIL is explicit in its Q&A: "Le dossier pourra être conservé 2 ans après votre dernier contact avec le recruteur, ou plus longtemps si vous avez donné votre accord formel." (CNIL Direct). Translation: two years max after your last contact, unless you signed off on more. Candidate-side signal: a reactivation message three years after your last exchange, with no written consent in between.
Angle 3 — automated decisions (Article 22 GDPR). You have the right not to be subject to a fully automated decision. Candidate-side signal: a rejection whose stated reason explicitly points to an algorithm, with no trace of human involvement.
| CNIL audit angle | What you observe as a candidate | Reference you can cite |
|---|---|---|
| Prior information | Form with no GDPR notice, no purpose, no retention period | CNIL recruitment guide, 19 sheets |
| Data retention | Commercial reactivation 3 years later, no consent | CNIL Direct, 2-year ceiling |
| Automated decision | Rejection reason "by the algorithm" with no human | Article 22 GDPR |
Stacked on the same file, these signals make for a solid complaint.
New audit angle: background checks and internet searches
The CNIL Direct Q&A spells out what you can push back on when a recruiter digs through your social profiles (CNIL). Three practices sit in the red zone:
- harvesting data from personal profiles (personal Instagram, private life, political opinions);
- requesting a criminal record extract outside legally defined cases;
- cross-referencing several public sources without telling you upfront.
How do you catch this in practice? A question in the interview about an Instagram post unrelated to the role. A mention of a personal profile in the recruiter's notes. A request for documents not tied to the mission.
Allowed:
- ✓ Public professional profiles (work LinkedIn)
- ✓ Posts tied to your area of expertise
- ✓ Press or conference mentions tied to the role
- ✓ Data relevant to assessing the mission

Red zone:
- ✗ Harvesting personal profiles (Instagram, private life)
- ✗ Political, religious or union opinions
- ✗ Criminal record outside legally defined cases
- ✗ Cross-referencing sources without telling you
Signals worth documenting as a candidate:
- No GDPR notice anywhere in the application form or job ad.
- Reactivation of your file beyond 2 years with no written consent.
- Rejection reason that names "the algorithm" with no human review.
- Interview question about content from your personal social profiles.
- Request for documents (criminal record, detailed civil status, photo) not justified by the role.
Filing a CNIL complaint, step by step
The CNIL does not self-initiate on individual cases. Your complaint is what opens the file. Here is the concrete sequence.
Step 1 — Exercise your right with the organization first
Send a written GDPR request by email or letter: right of access, right to erasure, right to object, or a request for human intervention under Article 22. Keep the delivery receipt.
The CNIL is crystal clear on the deadline: "L'organisme doit vous répondre dans les meilleurs délais, et sous un mois maximum." (CNIL). One month maximum to reply. Past that, you have grounds to escalate.
Step 2 — Build the file
Capture the useful evidence:
- screenshot of the application form with no GDPR notice;
- reactivation email received more than 2 years after your last exchange;
- copy of the rejection that names "the algorithm";
- your original GDPR request and its delivery receipt.
The more factual the file, the more likely the CNIL routes it through the simplified procedure.
Step 3 — File the complaint
The form is online at cnil.fr/plaintes. Pick the "work / recruitment" category. Attach your evidence. State explicitly if the organization failed to reply within one month: that is an aggravating factor at the investigation stage.
Step 4 — What can happen on the employer side
Three scenarios: desk audit (written exchange), on-site inspection (CNIL agents in the office), or simplified procedure. The last one has become standard for clear-evidence files.
Concrete example: on September 4, 2025, the CNIL fined a French ATS vendor 7,000 euros under simplified procedure — failure to frame subcontracting, incomplete records of processing, security gaps, and failure to document a data breach (CNIL, sanctions table).
What CNIL pressure changes for your process and negotiation
You are not alone. The CNIL recorded 20,150 complaints in 2025, +10% versus 2024 (CNIL annual report, 2025), a share of them explicitly tied to data protection failures in the workplace.
The channel is saturated but operational. And it has two direct leverage effects on your candidate process.
Negotiation leverage. You can ask the recruiter in writing: what is the legal basis for screening, what is the retention period, is there an automated decision anywhere in the funnel. Those three questions shift the conversation. Either you get clear answers, or the recruiter dodges — and you know who you are dealing with.
Correction leverage. A recruiter who learns a complaint is in progress usually fixes the process within weeks to avoid an on-site inspection. Nobody on the inside wants to explain to leadership that the CNIL is on the way.
To anchor this in real candidate sentiment, a post from doctor_radium on Hacker News captures the opacity well: "Speaking as a person over 40 who has been job-hunting and has encountered Workday roughly 10 times, what I don't understand is whether the 'AI-based applicant screening tools, which include personality and cognitive tests' cited in the article are present in every installation" (HN, 2025). That is exactly the kind of black box the 2026 audits are meant to crack open.
Frequently asked questions
Can I file with the CNIL if I never got a reply to my rejection?
Yes, once the organization has passed the one-month mark after your written GDPR request (access, erasure, objection). Attach your original request and the delivery receipt.
How long can a recruitment agency keep my CV?
Two years maximum after your last contact, unless you gave formal consent to a longer period. Past that, it is a reportable non-compliance.
Is an "algorithm rejection" legal?
Not if it is fully automated with no real human intervention. Article 22 GDPR gives you the right to obtain human review and to contest the decision.
Who is the CNIL auditing first in 2026?
Large companies and recruitment agencies, per the April 3, 2026 decision. Small businesses are not exempt but get less of the focused audit volume.
What is the risk for a sanctioned company?
On September 4, 2025, an ATS vendor took a 7,000 euro fine under simplified procedure. Full-procedure GDPR fines can hit several million euros for heavier files.
Can a recruiter Google my name?
Yes for public professional data tied to the role, no for harvesting data from personal profiles without telling you. The CNIL Direct Q&A spells it out.
How long does a CNIL complaint take?
It varies. A few weeks for a formal reminder of the law, several months for an on-site inspection. The simplified procedure is now standard for clear-cut cases.
Do I need a lawyer?
No. Filing with the CNIL is free and the form is built to be filled out without legal help.
Could my complaint backfire on me with the recruiter?
It stays confidential from the employer if you tick the matching box. It only becomes visible if the CNIL opens a formal procedure.
What to take away
- Recruitment is a CNIL priority audit theme for 2026 — about 20% of 323 yearly inspections.
- Three angles under watch: prior information, 2-year retention ceiling, automated decisions.
- Background checks and internet searches are explicitly in the 2026 scope.
- The key deadline: one month for the organization to reply before you escalate.
- Filing is free, online, and already producing concrete sanctions (7,000 euros in September 2025).
- CNIL pressure doubles as a negotiation lever: a written request often fixes the process on its own.