Free Word download • Edit online • Save & share with Drive • Export to PDF
A Receipt of Resume is a formal legal document issued by an employer to a job applicant confirming that their resume and application materials have been received, logged, and will be handled in accordance with stated data privacy obligations. It establishes the date and method of receipt, identifies the position or department of interest, sets out how long the applicant's personal data will be retained, and explicitly disclaims any obligation to interview or employ the applicant. Unlike an informal email acknowledgment, a receipt of resume creates a documented, mutually acknowledged record that satisfies privacy law requirements in jurisdictions such as the European Union, Canada, and US states with active consumer privacy legislation.
Without a formal receipt of resume, employers face exposure on two fronts simultaneously. First, retaining a candidate's personal data without documented consent and a defined retention period is a direct violation of GDPR, PIPEDA, and state-level US privacy laws — penalties under GDPR alone can reach €20 million or 4% of global annual turnover. Second, the absence of a no-employment-obligation disclaimer leaves the door open for applicants to argue that prolonged retention of their materials, or subsequent contact, created an implied promise of consideration or hire. A signed receipt of resume closes both gaps: it gives the applicant transparent notice of how their data will be used and for how long, and it gives the employer a clear, dated record proving compliance. This template provides everything you need to issue a professional, legally defensible receipt in under 15 minutes — protecting your organization from the first moment a resume lands in your inbox.
| If your situation is… | Use this template |
|---|---|
| Acknowledging an unsolicited resume with no open position | Receipt of Resume (Unsolicited) |
| Confirming receipt of an application for a specific posted role | Job Application Acknowledgment Letter |
| Informing a candidate their application was not selected | Rejection Letter |
| Inviting a shortlisted candidate to an interview | Interview Invitation Letter |
| Extending a formal employment offer after selection | Job Offer Letter |
| Onboarding the hired candidate with full employment terms | Employment Contract |
| Collecting candidate consent for background checks | Background Check Authorization Form |
Why it matters: Retaining candidate personal data indefinitely without a defined expiry breaches GDPR, PIPEDA, and many US state privacy laws — penalties can reach €20M or 4% of global turnover under GDPR.
Fix: Set a specific retention period in months and link it to a documented deletion schedule in your HR records policy.
Why it matters: Without an explicit disclaimer, candidates who receive positive follow-up communication may argue that an implied contract to interview or hire was created.
Fix: Include a clear, unambiguous clause stating that receipt of a resume creates no obligation to interview, offer employment, or respond to the applicant.
Why it matters: Under GDPR and PIPEDA, processing personal data without specifying the legal basis (consent, legitimate interest, or contractual necessity) renders the processing unlawful, regardless of whether consent was informally obtained.
Fix: Name the exact legal basis in the data privacy clause and, where relying on consent, ensure it is freely given, specific, and documented in writing.
Why it matters: Data subjects have the right to contact and hold accountable a named legal entity, not an internal department. Naming only 'HR' creates ambiguity that undermines the document's enforceability.
Fix: Identify the employer's full legal entity name as the data controller and provide a specific named individual or role as the data privacy contact.
Why it matters: A receipt signed only by the applicant is not a mutual acknowledgment — it cannot be used to prove the employer accepted obligations regarding data privacy or confidentiality.
Fix: Require an authorized employer representative to countersign before the document is filed, making it a bilaterally acknowledged record.
Why it matters: If an applicant submits a data deletion request and receives no response within the statutory timeframe (30 days under GDPR, 45 days under CCPA), the employer is in breach regardless of intent.
Fix: Name a specific monitored email address or role as the deletion-request contact and test it before the document goes live.
In plain language: Names the employer entity and the applicant, including contact details, to establish exactly whose resume was received and who is acknowledging it.
This Receipt of Resume is issued by [EMPLOYER LEGAL NAME], a [STATE/PROVINCE] [ENTITY TYPE] ('Employer'), to [APPLICANT FULL NAME] ('Applicant'), in acknowledgment of the resume and supporting materials received on [DATE].
Common mistake: Using only a department name or recruiter's name instead of the employer's full legal entity name — creating ambiguity about which organization holds the applicant's data.
In plain language: Formally confirms that the resume was received on a specific date and that it has been logged in the employer's applicant tracking system or hiring records.
Employer confirms receipt of Applicant's resume and any accompanying materials on [DATE OF RECEIPT], submitted via [METHOD — email / online portal / in person]. Materials have been logged under reference number [REFERENCE ID].
Common mistake: Omitting the submission date and method. Without these, neither party has a clear record for follow-up or compliance audits, and candidates have no reference point for status inquiries.
In plain language: States the specific role or department the applicant is being considered for, or notes that the submission is unsolicited with no current opening.
Applicant has expressed interest in the position of [JOB TITLE] within the [DEPARTMENT] department. / This is an unsolicited resume. Employer will retain the materials on file for consideration should a suitable position arise within [RETENTION PERIOD].
Common mistake: Leaving this clause blank or using vague language like 'general interest.' Without a specific role reference, a candidate may later claim implied promises about future employment opportunities.
In plain language: Informs the applicant how their personal data will be used, who will have access to it, and the legal basis under which the employer processes it.
By submitting their resume, Applicant consents to Employer collecting, storing, and processing their personal information for recruitment purposes in accordance with [APPLICABLE PRIVACY LAW / EMPLOYER PRIVACY POLICY]. Applicant's data will be accessible only to [HR personnel / hiring managers] involved in the relevant hiring process.
Common mistake: Omitting the specific legal basis for processing (e.g., consent, legitimate interest) under GDPR or applicable law — making the clause non-compliant in jurisdictions that require an explicit basis.
In plain language: States how long the employer will keep the applicant's resume and personal data before securely destroying it, in compliance with applicable law.
Employer will retain Applicant's resume and associated personal data for a period of [X months / years] from the date of receipt. Upon expiry of this period, Applicant's data will be securely deleted unless Applicant consents to an extended retention period.
Common mistake: Setting no retention period or an indefinitely open-ended one. Retaining candidate data beyond a defined period without consent exposes the employer to GDPR and PIPEDA violations.
In plain language: Clearly states that receipt of a resume does not constitute an offer of employment, an interview guarantee, or any other obligation to hire the applicant.
This receipt does not constitute an offer of employment, a promise to interview, or any representation that a suitable position currently exists or will become available. Employer retains full discretion over all hiring decisions.
Common mistake: Failing to include this disclaimer entirely. Without it, an applicant could argue that prolonged retention of their materials and subsequent contact created an implied obligation to consider or hire them.
In plain language: Advises the applicant of their right to withdraw consent, request access to their data, or ask for their information to be deleted from the employer's records at any time.
Applicant may at any time withdraw consent for data processing, request access to their personal data held by Employer, or request deletion of their data by contacting [CONTACT NAME / DATA PRIVACY OFFICER] at [EMAIL ADDRESS].
Common mistake: Providing a contact email that is monitored infrequently or no longer active — meaning deletion requests are never actioned, creating material compliance risk.
In plain language: Confirms that the employer will treat the applicant's personal information, employment history, and references as confidential and will not share them without consent.
Employer agrees to treat all application materials submitted by Applicant as confidential and will not disclose them to third parties without Applicant's prior written consent, except as required by law or as necessary to conduct the hiring process.
Common mistake: Not defining third parties — leaving open whether sharing with a parent company, subsidiary, or external recruiter requires additional consent under applicable law.
In plain language: Specifies which jurisdiction's laws govern the document, particularly data privacy obligations.
This Receipt of Resume is governed by the laws of [STATE / PROVINCE / COUNTRY]. Any dispute arising in connection with this document shall be resolved in accordance with the applicable laws of [JURISDICTION].
Common mistake: Choosing a governing law that does not correspond to where the applicant resides or where the employer operates, which can render data privacy provisions unenforceable.
In plain language: Provides signature blocks for both the employer's authorized representative and the applicant, confirming mutual acknowledgment of the document's terms.
By signing below, both parties acknowledge the terms of this Receipt of Resume. [EMPLOYER REPRESENTATIVE NAME], [TITLE], [DATE] / [APPLICANT NAME], [DATE].
Common mistake: Collecting only the applicant's signature and omitting the employer's authorized representative. A one-sided acknowledgment reduces the document's value as evidence in a dispute.
Insert the employer's registered legal name, entity type, and jurisdiction of incorporation. Include the HR or data privacy contact name and email address who will handle data requests.
💡 Cross-reference the entity name with your corporate registry to ensure the name on the document matches payroll and public records exactly.
Fill in the applicant's full legal name, the date their resume was received, and the submission method (email, online portal, or in person). Assign a unique reference number for your applicant tracking system.
💡 Log the reference number in your ATS on the same day you issue the receipt — this creates an auditable chain of records in case of a privacy complaint.
Name the exact job title and department the applicant is being considered for. If the resume was unsolicited, state that clearly and specify the retention period you will apply.
💡 For unsolicited resumes, a 6-month retention period is a common standard — long enough to be useful, short enough to comply with most privacy frameworks.
Identify the applicable privacy law (GDPR, PIPEDA, CCPA, or other), the legal basis for processing, and who within the organization will have access to the applicant's data.
💡 If your organization operates across multiple jurisdictions, name each applicable law separately — do not rely on a single generic reference to 'applicable law.'
Enter a specific retention period in months or years. Ensure this aligns with your organization's documented data retention policy and any sector-specific requirements.
💡 Most employment law advisors recommend 12–24 months for active candidates and 6 months for unsolicited submissions as a reasonable default in the absence of specific statutory guidance.
Confirm that the disclaimer clause is present and clearly worded. Do not soften the language with phrases like 'we will do our best to consider' — neutral, unambiguous language is safer.
💡 Have your legal or HR team review this clause if you are operating in a jurisdiction with strong implied-contract employment laws.
Collect the applicant's signed acknowledgment before formally processing their application data. Add the authorized HR or hiring representative's signature on the employer side.
💡 Use Business in a Box eSign to timestamp digital signatures — this is particularly important for GDPR compliance where you need to demonstrate that valid consent was obtained prior to processing.
Store the signed receipt alongside the resume in your ATS or secure HR records system. Set a calendar reminder for the retention period expiry date to trigger timely deletion.
💡 Linking the deletion reminder to the reference number assigned in Step 2 ensures no applicant record is retained beyond its authorized period.
A receipt of resume is a formal written acknowledgment issued by an employer to a job applicant confirming that their resume and application materials have been received, logged, and will be handled in accordance with the employer's data privacy policy. It serves as both a professional courtesy and a compliance document, particularly in jurisdictions where acknowledging the receipt of personal data is required by law.
A receipt of resume is not universally mandated by employment law, but it functions as a practical compliance tool under privacy legislation such as GDPR, PIPEDA, and certain US state privacy laws. In jurisdictions governed by GDPR, employers must inform data subjects — including job applicants — of how their personal data will be processed, which a well-drafted receipt satisfies. Failure to provide this notice can expose employers to regulatory penalties even without a specific receipt requirement.
No. A receipt of resume is an acknowledgment of data receipt only, not an offer of employment or a guarantee of an interview. A properly drafted receipt includes an explicit no-employment-obligation disclaimer confirming this. Employers should ensure this clause is clear and unambiguous to prevent applicants from later claiming an implied contractual obligation arose.
Retention periods vary by jurisdiction and the nature of the submission. Under GDPR, personal data should be kept only as long as necessary for the purpose for which it was collected — typically 6–12 months for unsuccessful applications and up to 24 months for candidates placed in an active pipeline. In Canada, PIPEDA requires organizations to keep personal information only as long as needed. In the US, the EEOC recommends retaining job application records for at least one year. Setting a documented retention period in the receipt protects employers from both under-retention and over-retention risks.
In the EU and UK, the General Data Protection Regulation (GDPR) applies to all personal data in resumes, requiring a legal basis for processing, a retention policy, and the ability to fulfill data subject rights requests. In Canada, PIPEDA governs federally regulated employers, with provincial equivalents in Alberta, BC, and Quebec. In the US, there is no single federal law, but CCPA applies in California for certain employers, and many states are enacting similar legislation. Employers operating across borders should comply with the most stringent applicable framework.
Yes, in jurisdictions governed by GDPR, the right to erasure (Article 17) allows individuals to request deletion of their personal data. Under CCPA, California residents have a similar right. A receipt of resume should document this right explicitly and provide a named contact for making such requests. Employers must respond within the applicable statutory timeframe — 30 days under GDPR, 45 days under CCPA — or risk enforcement action.
Best practice is to obtain acknowledgment from both the applicant and an authorized employer representative. The applicant's signature confirms informed consent to data processing; the employer's signature confirms acceptance of the stated data handling obligations. For digital submissions, a timestamped eSign or a clickwrap acknowledgment on an online portal can serve the same function and is generally accepted as valid consent under GDPR and PIPEDA.
A job application acknowledgment letter is a brief, informal communication confirming receipt and setting expectations for next steps — it is primarily a candidate experience touchpoint. A receipt of resume is a formal legal document covering data privacy obligations, retention terms, consent to processing, and the no-employment-obligation disclaimer. In privacy-conscious organizations, the receipt of resume is the substantive compliance document; the acknowledgment letter is the friendly human follow-up.
Unsolicited resumes create the same data privacy obligations as solicited ones — the applicant's personal data is being collected regardless of whether a role was posted. A receipt of resume for unsolicited submissions is particularly valuable because it documents the retention period and no-obligation disclaimer in a context where the applicant may have inflated expectations about being considered for future openings.
An acknowledgment letter is a short, informal message confirming receipt and setting timeline expectations for the candidate. A receipt of resume is a formal legal document covering data privacy, retention, and consent obligations. Use the acknowledgment letter for candidate communication and the receipt of resume for compliance documentation — ideally both.
A rejection letter notifies a candidate that they will not be moving forward in the hiring process. A receipt of resume is issued at the beginning of the process to acknowledge receipt and establish data handling terms. The receipt comes first; the rejection letter, if needed, comes later and should reference the same application reference number.
An interview invitation letter advances a shortlisted candidate to the next stage of selection. A receipt of resume precedes it in the hiring pipeline, establishing the formal record of when and how the application was received. The interview invitation should reference the original application date documented in the receipt.
An employment contract governs the full working relationship after a hiring decision has been made. A receipt of resume operates at the front of the pipeline, before any employment decision, and explicitly disclaims any employment obligation. The two documents serve entirely different stages and should never be confused as substitutes for each other.
High application volumes and distributed hiring teams mean formal receipts with reference numbers are essential for ATS compliance and GDPR audit readiness.
Regulated hiring processes and sensitive candidate background data require documented consent for processing and strict retention schedules to satisfy FCA and SEC record-keeping rules.
Candidate applications often include sensitive professional licensing and clinical credentials that require confidentiality clauses and defined access controls beyond standard HR use.
Staffing agencies and consulting firms that process resumes on behalf of client employers must clarify in the receipt which entity acts as data controller and which as data processor.
Seasonal and high-turnover hiring creates large backlogs of unsolicited resumes; a standardized receipt with a 6-month retention period helps manage data volumes and deletion obligations.
Union-affiliated workplaces may require that resume receipt procedures align with collective bargaining agreements, particularly regarding how candidate data is shared with shop stewards or union representatives.
No single federal law mandates a receipt of resume, but the EEOC requires employers with 15 or more employees to retain job application records for at least one year. California's CCPA grants residents the right to know what personal data is collected and to request deletion — making a formal receipt with a privacy clause advisable for any employer hiring California residents. Several other states including Virginia, Colorado, and Connecticut have enacted similar consumer privacy laws that apply to employee and applicant data.
PIPEDA applies to federally regulated employers and requires that personal information — including resume data — be collected with consent, used only for the stated purpose, and retained only as long as necessary. Alberta, British Columbia, and Quebec have substantially similar provincial legislation. Quebec's Law 25 (Bill 64), fully in force since September 2023, imposes additional breach notification and data minimization obligations. French-language requirements apply for Quebec-based employers under the Charter of the French Language.
The UK GDPR (retained post-Brexit) and the Data Protection Act 2018 require employers to have a documented legal basis for processing applicant personal data, to inform applicants of their data rights at the point of collection, and to retain data only for a defined period. The ICO recommends retaining unsuccessful applicant data for no longer than 6 months. Employers should include a privacy notice or reference their full privacy policy within the receipt.
GDPR Article 13 requires employers to provide applicants with a data privacy notice at the time personal data is collected. The receipt of resume satisfies this obligation when it includes the data controller's identity, processing purposes, legal basis, retention period, and data subject rights. Relying on 'legitimate interest' as the legal basis for processing unsolicited resumes requires a documented balancing test. Member states including Germany, France, and the Netherlands have additional national employment data protection rules that may require sector-specific adaptations.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Small to mid-size employers issuing receipts for standard domestic job applications | Free | 10–15 minutes per issuance |
| Template + legal review | Employers handling cross-border applications or operating in GDPR, PIPEDA, or CCPA-regulated jurisdictions | $150–$400 for a privacy counsel review | 1–3 days |
| Custom drafted | Large employers with global hiring pipelines, regulated industries, or complex multi-jurisdiction data processing obligations | $800–$2,500+ | 1–2 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Free Forever Plan · No credit card required
