This document is intended for informative purposes only. It does not constitute legal advice regarding any privacy regulations or any other matter, and may not be used or relied on for such purposes.
Background on the GDPR
📝 Note: Recruit has developed this document to explain its platform’s compliance with the GDPR.
In April 2016, the European Parliament passed into law a sweeping reform in the areas of data protection and data privacy. The European General Data Protection Regulation (the “GDPR”) entered into effect on May 25, 2018 in each of the 28 EU member states. It replaced the European Data Protection Directive first enacted in the EU in 1995.
The GDPR encompasses dozens of pages and imposes strict obligations on companies and organizations in virtually every aspect of collecting, processing, handling and storing personal data. At the same time, the GDPR enhances the rights of data subjects to control how their personal data are collected and used. The GDPR also defines the remedies available when those obligations are breached.
Due to the extensive reach of the GDPR, European and non-European companies and organizations are affected and should conduct compliance reviews to ensure they meet the requirements.
Our guidelines
To ensure that our data handling practices comply with GDPR (for both ourselves and our customers), we have been working on GDPR compliance for several months. The planning has included extensive conversations with companies and legal resources that operate inside and outside the EU. Our GDPR compliance planning has been guided by the following principles:
No “One size fits all” roadmap – Companies have to respond differently to the new regulations based on various factors such as: the countries in the EU in which they operate, whether the company’s sole operations are in the EU, the channels used to acquire candidates and varying interpretations of the GDPR.
Minimize the effect on operations outside the EU – Many of our customers operate globally; the EU is just one of several regions. We understand that, while they need to comply with GDPR, avoiding interruptions to operations in other regions is also critical. Therefore, a “business as usual” continuation is also very important.
Flexibility & control – Rather than mandate rigidity, we want companies to have the control and flexibility to define and implement their own policies. This means enabling customers to manage their hiring processes and data collection and retention policies. This extends to defining separate policies for candidates who are unaffected by GDPR.
Help companies to prepare – GDPR preparation takes time: time for internal activities as well as time for candidates to make consent decisions. Companies need to define their policies, edit email templates and notifications, and adjust automation rules before the GDPR takes effect. Moreover, some of our customers may begin obtaining consent from existing candidates early, to allow candidates sufficient time to opt in.
Enforce policies – We designed the new GDPR-related changes in Recruit the same way we develop other product features: the organization has the flexibility to define its policies, and the actions of employees are limited where needed to enforce those policies and avoid mistakes.
Automate – Automation is a key foundation of Recruit. We’re constantly seeking to automate actions and tasks. New GDPR-related automation includes the way we request candidate consent, so that candidates can grant consent or withdraw it.
Make it simple – While the legal language of the GDPR may sound intimidating to many, recruiters, hiring managers and interviewers don’t need to be legal experts to follow the organization’s policies and comply with the new regulations. We’ve made the path to compliance clear, simple and accessible to everyone.
Leverage the opportunity – GDPR compliance may be a burden to many, but we encourage you to recognize the opportunities in becoming compliant. These include clarifying your organization’s data-handling policies, improving the candidate experience and removing outdated resumes from your database.
GDPR applicability to the Recruit platform
📝 Note: Recruit has worked diligently to comply with the GDPR.
The GDPR applies to businesses with an establishment in the EU. Establishment means any regular exercise of business activity. Every organization with an EU establishment that uses the Recruit platform must comply with the GDPR. This in turn requires that the Recruit platform itself handle data in accordance with GDPR compliance requirements.
The GDPR also applies to businesses established outside the EU subject to each of the following:
They collect and process personal data of EU data subjects.
The processing activities are related to goods or services (paid or free) offered to EU data subjects.
EU applicants interact with and use the applicant-facing portions of the Recruit platform. It may be that EU applicants’ use of the Recruit platform triggers the applicability of the GDPR with respect to the Recruit platform.
The respective roles of the data controller and data processor
📝 Note: The recruiting organization (Recruit’s corporate customer) is the data controller under the GDPR, and Recruit is the data processor under the GDPR, processing the data for and on behalf of that organization.
A key GDPR concept is the distinction between the data controller and the data processor. Recognizing that not all organizations involved in processing personal data have the same degree of responsibility, the GDPR distinguishes between a data controller and a data processor.
Generally, the controller is the organization that exercises significant decision making as to the purposes for processing the data and chooses the methods for doing so. It is the organization that determines or controls issues such as:
Whether to collect the personal data about candidates. For example, it is Recruit’s customer, the recruiting organization, that decides to collect data about candidates for open positions.
Which data to collect about candidates. For example, it is Recruit’s customer, the recruiting organization, that determines which CV fields it wants to collect; the questions, if any, candidates must answer as part of an online questionnaire; and the information asked of candidates through the online candidate form on the recruiting organization’s career webpage.
How long to retain data. For example, it is Recruit’s customer, the recruiting organization, that determines when to delete candidate information from the platform. Organizations can configure the platform to automatically delete the personal data of rejected candidates once the position has been filled.
With whom data should be shared after hiring. For example, it is Recruit’s customer, the recruiting organization, that determines whether to export a hired candidate’s information to the organization’s internal HR systems.
The legal basis for collecting the data. For example, it is Recruit’s customer, the recruiting organization, that determines whether to collect the data on the basis of the candidate’s affirmative consent, on the basis of local legislation permitting data processing of employment candidates or on the basis of the customer’s legitimate interests.
The processor, on the other hand, is an organization that determines issues such as:
The technical methods for processing the data for and on behalf of the controller. Recruit — not the controller — has designed and developed the technical features of the platform’s data processing activities.
The technical details of how the data is safeguarded. Recruit — not the controller — has designed and developed the data security features of the platform.
Our GDPR-compliant engagement agreements with our customers
📝 Note: Recruit has GDPR-driven contract provisions in place with its customers.
The GDPR requires that Recruit provide customers with written contracts that define the subject-matter and duration of Recruit’s processing activities for the customer, the nature and purpose of the processing, the type of personal data and categories of data subjects, as well as the obligations and rights of Recruit and its customers.
The GDPR also requires that these contracts define or confirm specific issues, such as:
Data processing is conducted according to documented instructions from the customer
Recruit personnel authorized to handle the customer’s personal data have committed themselves to confidentiality
Recruit has implemented appropriate technical and organizational measures for data security
Recruit assists customers with the customer’s data breach obligations and in the customer’s performance of a data protection impact assessment
Recruit deletes or returns the personal data to the customer after the end of the engagement between Recruit and the customer
Recruit makes available to the customer all information necessary to demonstrate compliance with the obligations laid down in the GDPR
Recruit is required to allow for and contribute to audits, including inspections, conducted by the customer or another auditor mandated by the controller
Recruit technically assists the customer, to the extent practicable, in the fulfilment of the customer’s obligation to respond to requests for exercising the data subject’s rights under the GDPR
Processing the data pursuant to documented customer instructions
📝 Note: The Recruit platform has GDPR-driven controls and configuration options in place through which customers, as data controllers, provide their data processing instructions to Recruit as a data processor.
The GDPR requires processors like Recruit to process personal data only pursuant to the documented instructions of their customer.
Through the Recruit platform’s various customer control and configuration options, the customer conveys to Recruit documented instructions regarding matters such as:
Which partners to source candidates from
Whether to source candidates from professional networks such as LinkedIn and what information to extract from those sources
Whether or not to source candidates from a designated email address to which CVs are sent
What information to seek from candidates through the online candidate form on the recruiting organization’s career webpage
What questions to ask candidates through an online candidate questionnaire
Whether to obtain candidate evaluation data from outside evaluation providers
Whether to feed a candidate’s data from the Recruit platform to the organization’s HR system and when to delete candidate data
Whether to obtain candidate profiles from the web, including professional profiles (such as GitHub, Stack Overflow, Behance) and social profiles (such as Facebook, Twitter, YouTube).
Whether to obtain candidates’ contact details (email address, phone number) from sources on the web.
Legal basis for data processing
📝 Note: The Recruit platform helps the recruiting organization document the legal basis for processing candidate data and helps seek the candidate’s unambiguous informed consent wherever the organization decides to rely on consent as the legal basis.
The GDPR provides that processing personal data shall be lawful only if and to the extent processing is performed pursuant to one or more of the recognized legal bases for data processing. Among the recognized legal bases for processing are the following:
Where the candidate has freely given the recruiting organization his or her unambiguous informed consent to processing his or her personal data for one or more specific purposes; or
Where processing is necessary for the purposes of the legitimate interests pursued by the recruiting organization except where such interests are overridden by the interests or fundamental rights and freedoms of the candidate which require protection of personal data; or
Where local law provides an independent legal basis for processing personal data of candidates for recruitment purposes
Although it is up to the recruiting organization to analyze and determine the legal basis for its processing of candidate data, the Recruit platform assists the organization in substantiating the legal basis.
First, the Recruit platform helps the organization track the legal basis for processing candidate data. The platform attributes a record to each candidate, through which the organization can flag the legal basis used for processing that candidate’s data.
Second, where the organization determines that the candidate’s consent should serve as the legal basis for processing his or her data, the Recruit platform provides the organization an option to seek the candidate’s unambiguous informed consent at two levels of granularity:
Processing his or her data for a specific position
Processing his or her data for other positions or future available positions
Additionally, the platform provides consenting candidates an easy opt-out option to withdraw their consent at any time, consistent with the GDPR’s requirements.
Data retention, deletion and pseudonymization
📝 Note: The Recruit platform adheres to defined policies for data retention, provides tools for manual and automated pseudonymization of candidate data and offers flexibility in defining which candidates are data subjects protected by the GDPR.
The Recruit platform facilitates the organization’s defined policies for data retention. The organization can define how long candidate data is kept (e.g., on the basis of legitimate interest) before candidate consent is sought.
To address the need for removal of personal data, Recruit provides the organization with tools for manual and automated pseudonymization of candidate data. The pseudonymization process keeps only non-identifying data and an encrypted form of the identifying data, so that the organization can re-identify a candidate and retrieve his or her prior hiring-process history in the event that the candidate is re-sourced into the Recruit platform (e.g., applies for another position).
Recruit has many customers that are global companies operating in the EU and other regions. Recruit therefore allows companies to define their own policy as to which candidates are data subjects protected by the GDPR. The Recruit platform enables the company to define a data subject as any candidate who applies for positions in the EU, and optionally as any candidate who applies from the EU or identifies himself or herself as located in the EU.
Transitioning the legal basis into the GDPR era
📝 Note: The Recruit platform enables existing customers to seek the unambiguous informed consent of all their past and present candidates as a transitional step into the GDPR era.
When transitioning into the GDPR era, Recruit’s existing customers may determine that they wish to obtain (or re-obtain) the consent of candidates on file. To this end, the Recruit platform enables existing customers to contact all past and present candidates to seek their unambiguous informed consent at the levels of granularity outlined above.
Privacy notice to candidates
📝 Note: The Recruit platform enables the recruiting organization to provide candidates a privacy notice consistent with the GDPR’s transparency principle.
Under the GDPR’s transparency principle, candidates must be given a privacy notice outlining various issues regarding the data processing practices taken. The notice must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The Recruit platform offers its customers a general-purpose privacy notice that customers may edit and present to candidates. Although customers may use the notice “as is”, they are encouraged to edit it for their specific circumstances.
Engaging subcontractors
📝 Note: The Recruit platform’s use of subcontractors for data processing activities is consistent with the GDPR’s requirements for sub-processors.
The GDPR permits processors, like Recruit, to use subcontractors for data processing activities (“sub-processors”), subject to three conditions.
First, Recruit performed prior due diligence into each proposed sub-processor’s data protection practices to confirm that the sub-processor provides sufficient guarantees that its processing meets GDPR requirements.
Second, Recruit’s customers need to authorize the use of sub-processors. Recruit, in its GDPR-driven contracts with customers, obtains from customers a general authorization to use sub-processors. Recruit maintains an updated list of its sub-processors online. Recruit also informs its customers of any intended changes concerning the addition or replacement of sub-processors, and gives customers the opportunity to object to such changes. (If the customer objects and the proposed change is a material component in the Recruit platform, Recruit reserves the right to terminate its agreement with that customer.)
Third, Recruit entered into a data processing agreement with the sub-processor that is consistent with GDPR requirements for such engagements.
Cross-border data transfers
📝 Note: If Recruit processes data in non-EU territories, it does so under GDPR-recognized cross-border safeguards.
The GDPR restricts the cross-border transfer of personal data to jurisdictions outside the European Economic Area (EEA). As a general rule, personal data may only be transferred to jurisdictions recognized by the EU Commission as having an adequate level of data protection, or otherwise transferred under appropriate safeguards.
The Recruit platform stores personal data in Amazon Web Services’ storage servers located in the European Economic Area. In addition, Recruit and its sub-processors only process personal data in member states of the European Economic Area, in territories or territorial sectors (e.g., Privacy Shield) recognized by an adequacy decision of the European Commission as providing an adequate level of protection for personal data, or through recipients subject to adequate safeguards under the GDPR (e.g., Model Clauses).
Assisting the customer with requests of data subjects seeking to exercise their GDPR rights
📝 Note: The Recruit platform provides tools to help the organization accommodate candidate requests to exercise their data protection rights under the GDPR.
The GDPR requires processors like Recruit to technically assist the customer, to the extent practicable, in the fulfillment of the customer’s obligation to respond to requests for exercising the data subject’s rights under the GDPR.
To this end, the Recruit platform provides recruiting organizations a variety of tools to help accommodate candidate requests to exercise their rights in relation to their personal data, such as:
Retrieving candidate data so that the organization may send the data to the candidate for review.
Providing the organization tools to correct candidate data in response to a candidate’s request to do so.
Allowing candidates to withdraw their consent or otherwise exercise their right to be forgotten, by giving the customer tools to delete or pseudonymize candidate data.
Fetching candidate data in a structured format, so that the organization can send the data to the candidate seeking to exercise his or her right to data portability.
Giving the recruiting organization control over whether or not to configure automated decision-making (e.g., whether or not to reject a candidate automatically based on his/her responses to a questionnaire or an evaluation score).
Information security
📝 Note: Recruit implements appropriate technical and organizational measures to secure personal data.
The GDPR requires both controllers and processors to implement appropriate technical and organizational measures to secure personal data, including encryption and security tests.
Recruit takes measures to protect against unauthorized access to, or unauthorized alteration, disclosure or destruction of, personal data. These include management of database access privileges; use of firewalls, a unified threat management (UTM) system, virtual private networks and subnet segregation; and penetration testing conducted by an independent third party at least once a year. Recruit also uses a reputable third-party auditor to perform an annual audit of its security controls.
In addition, Recruit restricts data access to a group of employees and contractors who need access to that information. These individuals are bound by confidentiality and data security obligations and are subject to disciplinary measures, including termination, if they fail to meet these obligations.
Handling data breaches
📝 Note: Recruit complies with the data breach responsibilities that the GDPR imposes on processors.
Pursuant to the GDPR’s requirements, Recruit shall without undue delay notify its customers of any security breach it becomes aware of regarding personal data that Recruit processes. Recruit endeavors to mitigate the breach and prevent its recurrence. Recruit also cooperates with its customers so that customers can address the data breach obligations imposed upon them.
For these purposes, Recruit is developing an appropriate data breach response plan and business continuity plan and conducting breach response training exercises.
This document is intended for informative purposes only. It does not constitute legal advice regarding the GDPR or any other matter, and may not be used or relied on for such purposes.
Have more questions? Contact us at recruit.support@sparkhire.com