Casting guide

GDPR-Compliant Casting: Handling Applicant Data the Right Way

3 min read

Every casting call collects personal data: names, photos, contact details, availability, and often physical characteristics. Under GDPR, that makes even a small casting call a data-processing activity with real obligations. Most productions handle this informally and get away with it, but the risk is genuine and the fixes are cheap.

This guide is a practical walkthrough of what GDPR expects from a production running a casting call, without the legal jargon. It is not legal advice, but it covers the decisions that matter and gives you a checklist you can actually follow.

Collectwith consentUsefor the decisionDeleteafter the shootStored on EU servers throughout
GDPR is mostly about the applicant data lifecycle: collect it with consent, use it for the decision, and delete it when the shoot is done.

Why a Casting Call Is a Data-Processing Activity

The moment a candidate submits an application, you are collecting and storing their personal data. Photos and video make this more sensitive, not less, because an image can reveal special category data such as ethnicity or, occasionally, health information.

GDPR applies whenever you process the personal data of people in the EU, regardless of how small the production is or where the company is based. There is no small-project exemption, so the practical question is not whether the rules apply but how to meet them without friction.

Establishing a Lawful Basis

You need a lawful basis to process applicant data. For casting, the two that usually apply are consent and legitimate interest, and consent is the cleaner fit because candidates are actively choosing to apply.

If you rely on consent, it must be specific, informed, and freely given. That means an unticked checkbox, a clear explanation of what the data is for, and no bundling consent with unrelated terms. Record when and how consent was given so you can demonstrate it later if asked.

Telling Candidates What Happens to Their Data

Transparency is a core GDPR requirement and the easiest to satisfy. Candidates should know what you collect and why before they submit, not buried in a policy they will never open.

A short data notice on the application form should cover:

  • What data you collect and why you need it
  • Who will have access to it (team, client, agency)
  • How long you will keep it
  • Where it is stored, ideally on EU servers
  • How candidates can request access or deletion
  • A contact address for data questions

Retention: Delete What You No Longer Need

One of the most common GDPR failures in casting is keeping applicant data forever. Once a production wraps, you generally no longer have a reason to hold the details of candidates you did not book, and holding them indefinitely is a liability.

Set a retention period before the casting call opens and state it on the form. When the project ends, delete the data of unsuccessful candidates unless you have a specific, stated reason to keep it, such as consent to be considered for future projects. Fewer records held for less time means less risk if anything ever goes wrong.

Where Your Data Lives

Storing personal data outside the EU triggers additional GDPR requirements around international transfers, which most small productions are not equipped to handle. The simplest way to avoid the problem is to keep the data in the EU in the first place.

When you choose a spreadsheet, form builder, or casting tool, check where it stores data. Many popular tools default to US servers. A tool that stores casting data on EU servers removes an entire category of compliance work and is worth prioritizing for productions handling applicant data at any scale.

Run your next casting call with KivaCast

Create a casting call, share the link, and review applications with your team. Free to start, no credit card needed.

Try it free