The General Data Protection Regulation (GDPR) is an EU law on data protection in the European Union and the European Economic Area. Loxo is committed to partnering with our customers and users to understand and prepare for GDPR.
Be sure to consult with your legal team before implementing any process changes around GDPR. This article explains where to find GDPR information for candidates and how to search your people to manage GDPR.
Read GDPR Settings in Loxo to turn on GDPR for your account. You must have admin access to your team's account in order to access the GDPR Settings page.
Manage Candidate GDPR Requests
Once you turn on GDPR, any candidates within the location that you selected to be protected by GDPR will automatically have a GDPR section added in the bottom right-hand corner of their profile.
You will be able to manage their GDPR requests, as well as view any action items that need to be taken, such as updating their name.
You can also email a GDPR Consent Link to your candidates through the Person Merge Tags dropdown.
Once sent, your candidates will receive a link to a form to fill out their preferences, such as:
- If they want to be contacted about job opportunities
- If they want to receive a copy of their data
- If they want to update their information in your database
- If they want to be removed from your database
Once they make a request on the GDPR Consent Link, that request will be recorded on their profile in the GDPR field within your people database, which can be filtered by Protected vs. Not Protected.
Additionally, there is a more descriptive section in the bottom right-hand corner of a person's profile:
You can click on the yellow buttons to take actions, such as sending the customer a copy of their data, updating their information on their profile, etc.
Visibility
The Protected badge on a person's profile reflects that the person's data has an active legal basis - meaning valid consent on file, or a legitimate interest period that has not run out.
A candidate without a badge is not a bug. The previous version of the GDPR Protected badge was present as long as the person was located in the EU; this is no longer the case. A missing badge means the system is more accurately reflecting who is truly protected versus those without consent or a legitimate interest period documented.
Two Modes: How Does Your Agency Operate?
Every agency with GDPR enabled is in one of two modes. You can check and adjust your mode under Settings > Compliance.
| Mode | What drives protection |
| --- | --- |
| Candidate Consent | Person gave explicit consent, and it hasn't expired |
| Legitimate Interest | Person has been in contact/activity within the configured retention window (e.g. 24 months) |
Candidate Consent Mode - All Possible States:
| Situation | Protected Badge? | Data Expired? | What it means |
| --- | --- | --- | --- |
| Gave consent, not expired | ✅ Yes | No | Active lawful basis — all good |
| Gave consent, now expired | ❌ No | Yes | Retention period elapsed — recruiter needs to act |
| Consent explicitly revoked | ❌ No | Yes | No lawful basis — data should be deleted |
| Never gave consent | ❌ No | Yes | No lawful basis — data should be deleted |
Key new behavior as of May 2026: Previously, any person within the EU with no consent on file would show as Protected (incorrect). Now they correctly get a "data expired" required action, because holding data without any consent is not GDPR-compliant.
Legitimate Interest Mode - All Possible States:
| Situation | Badge? | Data Expired? |
| --- | --- | --- |
| Had activity within retention window | ✅ Yes | No |
| No activity within retention window | ❌ No | Yes |
| Not in the agency's protection group (e.g. non-EU) | ❌ No | No |
The "Data Expired" Required Action
When a person's data is flagged as expired, a required action appears on their profile telling you to act. Loxo creates and removes this action daily, as an automation re-evaluates every person in your database.
Creating: Triggered automatically when a person's GDPR data becomes expired.
Clearing: Automatically removed when the person gives valid consent, or when activity brings them back inside the retention window, depending on your account settings.
GDPR Search Page
To access the GDPR Search page, click on the three dots on the navigation bar and select GDPR Search from the menu, under the Back Office section:
The GDPR Search page will show the candidates and their consent status. The column headings will vary depending on whether your Lawful Basis is Candidate Consent or Legitimate Interest.
Frequently Asked Questions
Q. "The Protected badge disappeared from people who never had consent — is this a bug?"
A. No. These people never had a legal basis for data retention. The badge was incorrect before; now it's accurate. They'll have a "data expired" required action the recruiter should address.
Q. "Why do some people suddenly have 'data expired' actions they didn't have before?"
A. They were EU-located but lacked active consent or legitimate interest. Previously the system didn't surface this; now it does.
Q. "We have people with consent on file but the badge still isn't showing."
A. Check if the consent has an expiry date that has passed. Go to the person's GDPR tab - the consent record will show the expires_at date. If it's in the past, the consent has lapsed and new consent will need to be collected.
Q. "All our people with social profiles suddenly lost the Protected badge."
A. If you have not had any recent activity logged against those people, the window may have elapsed. Check to confirm that no recent activity has occurred on these profiles. Also confirm the protection group (all_people vs eu_people) hasn't changed under Settings > Compliance.