
ATS Compliance: 4 Critical Rules for Global Recruitment


Author: Ellie Merryweather

Last Update: April 06, 2026


Cross-border hiring has become a staple of the modern working world, and it’s no longer restricted to large enterprises. In 2025 alone, top startups hired 1,400+ employees from different countries, concentrated mainly in the UK, Canada, and Germany, according to Deel’s Global Hiring Report.

But alongside the flexibility of accessing global talent comes the complexity of managing candidate data across multiple jurisdictions. The result is a compliance bottleneck that most hiring teams simply aren’t prepared for. Application tracking systems sit right at the center of that bottleneck. Each country has its own rules about how you’re allowed to manage candidate data, and your ATS needs to support all of them.

This guide walks you through the key ATS compliance requirements for global hiring teams, and how Deel ATS gives you the framework to meet them, acting as a single source of truth for every cross-border hire.


Why is ATS compliance critical for global hiring?

Applicant tracking system (ATS) compliance requires organizations to collect, store, and process their candidates’ data legally, based on the applicant’s local jurisdiction. Organizations that don’t have compliant recruitment practices face significant fines and enforcement under regulations like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

Unfortunately, hiring across borders is complicated, and it’s all too easy to make compliance mistakes, especially when your company headquarters is based in a different country to your candidates. Here’s why ATS compliance is critical.

Meeting data residency requirements

Data residency refers to the physical location where your candidates’ data is stored and processed. This might include any of the following types of hiring data:

  • Application data (CVs, cover letters, assessments)
  • Interview notes and recordings
  • Background check results
  • Candidate communications (emails, messages)
  • Metadata (IP addresses, timestamps, behavioral tracking)

In terms of ATS compliance, this data residency location must be legally acceptable for the candidate’s jurisdiction. The problem is that most ATS platforms store and move this data across multiple systems by default, using an array of cloud hosting, integrations, and analytics tools. And often, hiring teams can fall into the trap of not fully considering where that data ends up.

The main risk is that you’re handling candidate data in a way that violates the laws of the candidate’s country, even if it's permitted in your own country.

How data residency requirements vary by region

The specific data residency requirements you need to know depend entirely on where your candidates are located. You could be subject to very different requirements around how their data is stored, transferred, and protected. The table below covers some of the key regions, but with hiring happening internationally across 150+ countries, the full picture is considerably more complex.

| Jurisdiction | What it means for your ATS | Key mistakes |
| --- | --- | --- |
| EU (GDPR) | You can't transfer candidate data outside the EU without first checking whether the destination country has an EU Adequacy Decision. If it doesn't, you'll need appropriate safeguards in place, such as Standard Contractual Clauses, before transferring data. | Assuming your ATS vendor “handles GDPR” without checking hosting locations or transfer mechanisms. |
| Brazil (Lei Geral de Proteção de Dados – LGPD) | Cross-border transfers are permitted, but only through legally defined mechanisms, such as Standard Contractual Clauses approved by Brazil's National Data Protection Authority (ANPD), or Binding Corporate Rules. Transfers must have a clear, documented purpose, and any processing incompatible with that stated purpose is prohibited. | Reusing candidate data (e.g., for future roles) without updating the legal basis or consent, and using older contractual arrangements that haven't been updated to meet the ANPD's 2024 requirements. |
| United States (California Consumer Privacy Act/California Privacy Rights Act – CCPA/CPRA) | You must disclose what data you collect and allow candidates to access or delete it. Data can be stored abroad, but you need full visibility and control. | Spreading candidate data across tools (ATS, email, spreadsheets). This makes it hard to handle deletion or access requests. |
| China (Personal Information Protection Law – PIPL) | Certain data must be stored locally. Cross-border transfers require government approval, a security assessment, or standard contracts, depending on the volume and sensitivity of data. | Using a global ATS without local data storage or transfer assessments in place. |
| Australia (Privacy Act) | You can transfer data overseas, but you remain responsible for how third parties handle it. | Sharing candidate data with external vendors (e.g., background checks) without verifying their compliance standards. |

Gaining consent from candidates

A key part of ATS compliance is checking that you have a valid legal basis to process candidate data and capturing explicit, localized consent. This includes getting permission to:

  • Store their CV
  • Share their data internally (for example, with hiring managers and interview panel members)
  • Run background checks
  • Use automated screening or AI scoring
  • Keep their data for future roles

The way you obtain consent should match the law in your candidate's location, not yours. As a best practice, collect it in a way that’s:

  • Specific: Candidates know exactly what they're agreeing to
  • Granular: Separate consent is required for different use cases
  • Informed: Written in clear language, not buried in legal text
  • Jurisdiction-aware: Matches the laws in the candidate's location

If you use AI in your talent acquisition process, there are additional obligations to consider. For example, under GDPR:

  • Solely automated decisions are prohibited by default if they have a significant effect on a candidate.
  • You must meet specific legal conditions if you’re using automated decisions. For example, you must inform candidates that automation is involved, and give them the right to request a human review.
  • If candidate data is processed by third-party AI tools, you'll also need a Data Processing Agreement in place with that vendor. Consent alone isn't sufficient.

Adhering to data retention schedules

Applicant tracking systems store candidate data by nature. But how long you hold onto that data is a compliance matter. The core principle across most data privacy frameworks is that organizations should only keep candidate data for as long as they have a lawful reason to keep it. After that point, retaining it is unlawful, even if you never actively use it again.

Data retention is one of the easiest things for regulators to enforce because it’s binary: you either deleted the data or you didn’t. Critically, it's not enough to simply delete data; you also need to prove that you did. Regulators can request evidence of your deletion policies and processes at any time, so it’s essential to keep clear, auditable records of when you deleted the data and according to what policy.

It's also worth distinguishing between two related compliance obligations your ATS should support:

  • Retention schedules: Your organization proactively deletes candidate data automatically after a defined period, based on the legal requirements of the candidate's jurisdiction.
  • The right to erasure, also known as the right to be forgotten: Under frameworks like GDPR, candidates can request that you delete their data before your standard retention period ends.

How candidate data retention rules vary globally

Retention rules vary significantly by region, and in some jurisdictions, getting them wrong carries the same enforcement risk as any other data protection violation. Here's how the requirements break down across key hiring markets.

| Region | What the law requires for candidate data | Typical retention expectation (recruitment) |
| --- | --- | --- |
| EU (GDPR) | Personal data (including candidate data) must be kept no longer than necessary and must be deleted or anonymized once the purpose ends. | Commonly up to 6 months, sometimes longer with justification (e.g. future roles with consent) |
| UK (GDPR and Information Commissioner’s Office) | The same GDPR storage limitation principle applies. ICO guidance confirms this applies directly to recruitment and candidate data. | Typically around 6 months, in line with discrimination claim time limits |
| United States (Equal Employment Opportunity Commission) | You must retain all hiring records, including applications and resumes, for at least 1 year from the date the record was made or personnel action taken, whichever is later. | 1 year minimum; 2 years for educational institutions, state and local governments, and certain federal contractors |
| Australia (Privacy Act 1988) | You must destroy or de-identify personal data when you no longer need it (APP 11). This applies to candidate data collected during hiring. | No fixed timeframe. You must be able to justify retention and delete the data when it’s no longer required |
| Brazil (LGPD) | You must delete the personal data after you’ve fulfilled the reason for processing it, unless another legal basis applies. | No fixed timeframe. You must tie retention to a clearly defined hiring purpose |


How does Deel streamline international ATS compliance?

Deel is the industry standard for global workforce management. It acts as an all-in-one HR platform, supporting compliant hiring all the way from application to onboarding. Here are the strategic advantages you’ll enjoy when you use Deel as your ATS, centralizing your candidate data and automating every aspect of your compliance across multiple jurisdictions.

  • Global infrastructure: Deel is built with compliance at its core. The platform gives your hiring team the controls, visibility, and local hiring insights they need to work confidently across multiple countries.
  • Deel Hire integration: Deel Hire acts as the front door for every hiring decision, helping your team determine whether to bring someone on via an Employer of Record, a Professional Employer Organization, or as a contractor. This integration guides you to choose the correct legal path before signing any contract.
  • Deel HR integration: When someone accepts an offer, their information moves straight from the ATS into Deel HR. There’s no need to manually copy data between systems, which alleviates the admin burden and reduces the risk of human error.
  • Automated verification: Deel handles all your background checks and identity verification within the platform, based on local market regulations.

4 steps to achieve ATS compliance across borders

No ATS makes your hiring compliant by default, but the right platform gives your team the controls to get there. Deel ATS is ISO 27001 certified and SOC 2 audited, providing the permissions, retention settings, and privacy controls your team needs to hire responsibly across borders. Here's how to use them.

1. Implement role-based recruitment permissions

Not everyone on your hiring team needs access to the same candidate data. A recruiter screening applications, for example, doesn't need visibility into salary negotiations, while a hiring manager reviewing final candidates doesn't need access to every applicant in the pipeline.

Role-based access control (RBAC) lets you set custom permissions and approval rules by team and role, so each person only sees and acts on the data relevant to their function. Along with reducing security risks, this structure also makes it far easier to demonstrate compliance. As permissions link to defined roles, you can show regulators exactly who had access to candidate data, and why.

In Deel’s ATS, you can configure these permissions directly, so your recruitment workflow is watertight from the moment a role goes live.

2. Automate resume retention and deletion schedules

Manually tracking when to delete candidate data across multiple jurisdictions isn't realistic at scale. Deel ATS supports your data retention compliance requirements by providing the controls that keep you in line with regulations like GDPR and local labor laws.

You review your retention schedules by jurisdiction, configure them within your ATS settings, and clearly document your process for handling deletion requests.


3. Validate third-party recruiting integrations

Every tool you connect to your ATS becomes part of your data processing chain, which means every integration is a potential compliance risk if you don’t vet it properly. Deel ATS integrates natively with LinkedIn, Google Workspace, and Microsoft, and is designed to work within a compliance framework that extends across connected tools.

But the principle applies beyond Deel's native integrations. If you're posting roles to job boards, running background checks through a third-party provider, or using any external tool that touches candidate data, you need to be confident that:

  • The integration handles candidate data in line with the laws of each candidate's jurisdiction
  • A Data Processing Agreement is in place with every third-party vendor that processes personal data on your behalf
  • You've reviewed where that vendor stores and processes data, particularly for candidates based in countries where transfer restrictions apply

4. Audit screening tools for automated bias

AI-assisted screening can speed up your hiring process significantly, but you’ll need to configure and monitor it carefully. In many jurisdictions, screening tools that produce discriminatory outcomes can create legal liability, regardless of whether the bias was intentional. And the courts are beginning to reflect that.

For example, the Mobley v. Workday case in the US is one of the first major cases to allege that an AI screening tool may discriminate against applicants, particularly on the basis of age and race. No tool can eliminate bias by default, so your team should regularly review screening criteria and check hiring outcomes across candidate groups.

The aim is to ensure that the criteria your ATS matches against are genuinely relevant to the role, a setting you can configure in Deel’s ATS. Although AI surfaces candidates, it doesn't select them. Instead, we always recommend using a human-in-the-loop process that requires the hiring team to decide who moves forward. To support fair hiring processes, Deel’s ATS also uses structured applications and assessments, reducing the inconsistency that tends to introduce bias in the first place.

Strengthen ATS compliance with Deel

ATS compliance isn't a "set it and forget it" task. As your hiring footprint grows, so does your exposure, and a platform that can't keep up becomes a liability.

ATS works best as part of a connected system. Together with Deel Hire and Deel HR, it gives your team a single place to hire, onboard, and manage top global talent, with compliance baked into every stage rather than retrofitted after the fact.

Book a demo to see our joined-up global talent platform in action.

Ellie Merryweather

Ellie Merryweather is a content marketing manager with a decade of experience in tech, leadership, startups, and the creative industries. A long-time remote worker, she's passionate about WFH productivity hacks and fostering company culture across globally distributed teams. She also writes and speaks on the ethical implementation of AI, advocating for transparency, fairness, and human oversight in emerging technologies to ensure innovation benefits both businesses and society.