You are here: Information Security Data protection (GDPR) For managers Handling applications and supporting documents

Guidelines for managers on handling applications and supporting documents

Here, you can find guidelines for how to handle applications received in response to job advertisements, and also unsolicited applications


Applications received in response to job advertisements

Applications and supporting documents must be treated as confidential. For positions that are filled after they have been advertised, this means that – other than administrative case officers – only members of the appointment committee and, where appropriate, the assessment committee, may have access to the applications.

Applications and supporting documents may only be stored for up to six months after the applicant has received notice of rejection. Applications may be saved for up to 12 months, provided that the applicant has given express consent thereto.


Proposed consent text

“With reference to Article 6(1) (a) and Article 9(2) (a) of the General Data Protection Regulation and Sections 6(1) and 7(1) of the Danish Data Protection Act, I, the undersigned, hereby give consent for my application with supporting documents for the position of [job title of the position applied for] at [name of unit] to be saved for up to one year after I have received notice of rejection for the position. I am aware that my consent may be revoked at any time.”  


The application and supporting documents of the successful candidate will be saved in the personnel folder in the record-keeping system.

You have a duty to inform the employees who are part of the appointment committee that they have an obligation to store applications, with supporting documents, so that unauthorised persons cannot access them, and to erase electronic documents and shred all printed materials received from applicants immediately after the position has been filled.

Unsolicited applications

To ensure that personal data is handled correctly, HR recommends that unsolicited applications are not forwarded to other managers at AU. If you receive an unsolicited application that you believe might be relevant for another AU manager, the easiest solution is to request the person who submitted the application to send the application to the relevant manager(s).  This ensures that the person submitting the application is responsible for his or her own data and that you do not need to consider obtaining consent for/notification of forwarding of the application.



a. If your immediate assessment is that you cannot use the application and you do not expect the applicant’s competencies to be relevant:

Proposed response text to be sent as soon as the application has been received and read:

“Dear [name],

Thank you for your application. Unfortunately, we are unable to offer you employment. However, you are welcome to check AU’s website for any new vacancies that may arise.

Your unsolicited application has not been, and will not be, forwarded, and will be erased immediately. Aarhus University is the data controller for the processing of personal data. Our data protection officer can be contacted by email at: dpo@au.dk.

You have the right to complain about the erasure of your data to the Danish Data Protection Agency at dt@datatilsynet.dk


b. If your immediate assessment is that there is no current opportunity to offer employment, but you would like to save the application because you assess that a position may arise within the next six months:

Proposed response text to be sent as soon as the application has been received and read:

“Dear [name],

Thank you for your application. We do not currently need your competencies, but we would like to retain your application for up to six months in the event of a job opportunity arising.

If you do not hear from us, your application with supporting documents will be erased no later than six months from today's date, unless you request erasure at an earlier time.

Your application will not be forwarded by me to other recipients within AU. [Insert any contact details for another manager at AU, if you believe that it might be relevant for the applicant to send the application to this manager].

Aarhus University is the data controller for the processing of personal data. Processing of your data is authorised under Article 6(1) (a), and possibly Article 9(2) (a) of the General Data Protection Regulation, cf. Section 6(1) and possibly Section 7(2) of the Danish Data Protection Act. Our data protection officer can be contacted by email at: dpo@au.dk.

You are entitled to access the data, to have incorrect data rectified or erased, and to complain about the data processing to the Danish Data Protection Agency at dt@datatilsynet.dk

When you save the application, you should save it on a secure drive that is logged. You should also set up a “reminder procedure” to ensure that you erase the application no later than after six months.


c. If your immediate assessment is that you would like to engage in dialogue with the applicant, because there may be a match between the applicant and tasks to be undertaken:

Proposed response text to be sent as soon as the application has been received and read:

“Dear [name],

Thank you for your application. [Write what you wish to do]. If we cannot offer you employment at the moment, we would like to retain your application for up to six months in the event of a job opportunity arising.

If you do not hear from us, your application with supporting documents will be erased no later than six months from today's date, unless you request erasure at an earlier time.

Your application will not be forwarded by me to other recipients within AU. [Insert any contact details for another manager at AU, if you believe that it might be relevant for the applicant to send the application to this manager].

Aarhus University is the data controller for the processing of personal data. Processing of your data is authorised under Article 6(1) (a), and possibly Article 9(2) (a) of the General Data Protection Regulation, cf. Section 6(1) and possibly Section 7(2) of the Danish Data Protection Act. Our data protection officer can be contacted by email at: dpo@au.dk.

You are entitled to access the data, to have incorrect data rectified or erased, and to complain about the data processing to the Danish Data Protection Agency at dt@datatilsynet.dk

When you save the application, you should save it on a secure drive that is logged. You should also set up a “reminder procedure” to ensure that the application is erased no later than after six months.

1444519 / i40