(simplified)
* You need to have a data processing agreement with the Saas company X.
* You need to tell candidates in your privacy information that you send data to X
* You need to make sure X is properly implementing the data processing agreement (currently not clear how you do this except using e.g. PwC to review X)
If you have the data, you need to tell the candidate what you do to protect it, backup it, restrict access to it etc.
(also if e.g. the talentpool feature is provided by LinkedIn based on LinkedIn data you're not responsible under the GDPR, only if you sent data to X or X collects data on your behalf e.g. in a web form)