One important principle of the GDPR is “storage limitation”: you may not store personal data for longer than you need it for the specific purpose you collected it for (and, under the related principle of data minimisation, you may not process more data than is necessary for that purpose).
Besides the main purpose, you may need to keep data for other (specific and specified) purposes, such as defending against a future accusation of discrimination in the recruitment process. That purpose would justify keeping the personal data you deem necessary to defend against such an accusation for up to two years, based on the current Swedish Discrimination Act (2008:567). If you have several purposes for processing the personal data, remember that you need to inform the candidate of each purpose, and of the legal ground on which you base each processing.
We recommend that you establish an internal policy or routine for the deletion of the different categories of personal data you process. Such a policy should answer the following questions:
Who is responsible for personal data in the recruitment process?
For what purposes other than the actual recruitment may we need the data (e.g. defending against accusations of discrimination)?
What data is collected for which purpose?
For how long should the data be kept for each purpose (and how do we ensure it’s not processed for this purpose when it’s no longer needed)?
Who handles the actual deletion and according to which instructions?