GDPR Compliance for Technical Interview Monitoring

By Vaibhav Devere, Founder, Zero Assist · 2025-03-15 · 6 min read

The Legal Question

When you install an agent on a candidate's machine to monitor running processes during an interview, you are processing personal data under GDPR. The process list is not directly identifying in isolation, but in combination with the candidate's identity and employment context, it constitutes personal data.

This does not mean monitoring is illegal. It means it must be done correctly.

The Lawful Basis

For candidate monitoring, the most applicable GDPR lawful basis is legitimate interests (Article 6(1)(f)), provided:

  1. The monitoring is proportionate to the purpose (detecting cheating, not broad surveillance)
  2. The candidate is informed in advance
  3. There is a genuine balancing test showing your interest outweighs the candidate's privacy rights

Some companies prefer explicit consent (Article 6(1)(a)). This is simpler to document but creates a complication: if consent is required to participate in the interview, it may not be freely given, which undermines the validity of the consent.

What You Must Disclose

Your privacy notice for candidates must include:

  • What data is collected (process names, timestamps, alert events)
  • Why it is collected (interview integrity)
  • How long it is retained
  • Who it is shared with
  • The candidate's right to access, rectify, and erase the data

This notice should be delivered and acknowledged before the interview begins — not buried in the application's terms of service.

Data Retention

GDPR requires data to be kept "no longer than necessary." For interview integrity data:

  • If the candidate is hired: retain through the employment relationship, then delete within a reasonable period post-employment
  • If the candidate is not hired: delete within 6-12 months of the rejection decision (check your local guidance — some EU supervisory authorities have issued specific recommendations)

Zero Assist provides configurable retention policies and automated deletion workflows to handle this without manual intervention.

The DPA Requirement

If you are using a third-party monitoring tool (including Zero Assist), you are required under GDPR Article 28 to have a Data Processing Agreement in place. The DPA documents the processor's obligations and ensures accountability.

Zero Assist provides a standard DPA available on request. Reach out to support@zeroassist.in to get it signed before your first monitored interview.