Application of GDPR to emailed CVs
First of all, you should discuss with your CEO and define the period of data retention according to the company's needs. If CVs received from spontaneous job seekers will not be considered by the HR department, you can delete all the files. If they assume that CVs can still be useful, you can determine a period of validity (I guess 6-9 months) in which the information in the CVs may be interesting. After one year, CVs are pretty useless and old, so you should be able to delete them.
Here you can find more information about HR and GDPR:
- How the GDPR could impact your HR department https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/
Thank you for your response. I am still a little confused.
If it is determined by the CEO that the CVs should be kept for 6 months, what do we need to do in those 6 months to remain compliant with GDPR? Do we need explicit consent to keep them or is a notice on our website stating this sufficient or am I missing something here? I have inserted my original question below for ease of reference.
During the retention period, you can store the unsolicited CV. You don't need explicit consent because the legal basis falls under the request of pre-contractual measures on request of the data subjects (Article 6 par. 1 lett. b) GDPR). You need to state in the privacy notice that personal data in CVs will be processed for the purpose of selecting candidates for a job application and that it will be stored for 6 months.
Here you can find the legal basis in EU GDPR
Sep 30, 2021