Greenhouse, EU Compliance, and the General Data Protection Regulation (GDPR)

A new, wide-sweeping data protection law called the General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. This law regulates collecting and processing personal data and it will have a significant impact on companies with operations or offices located in the EU.

We’ve been working with legal experts to make sure that Greenhouse:

  • remains compliant in how we handle customer data;
  • and has the tools necessary to help our customers properly manage their candidate data.

This information is meant for recruiting teams and other non-lawyers to understand some of the features we’re planning to implement over the coming months to help with these compliance efforts. If you’d like more detailed information about our GDPR plans to share with your legal team, please read our legal memo here.

Data Subject Consent

One question we’ve heard from some of our EU-based customers is “How does Greenhouse plan to help us get consent from individual job applicants to transfer their personal data to the US?”

GDPR: After speaking with a bunch of specialists and digging into the legal language, we found it’s actually a common misconception that companies are required to collect consent from every job applicant or prospect. In fact, there are even risks with asking for consent from applicants for processing their data! If candidates are asked for their consent when they apply, for example, they could then choose to revoke it at any time, which could put added pressure on your team. For a more detailed explanation, please read our legal memo.

Collecting resumes and other relevant personal information is a legitimate interest of a company trying to evaluate and hire candidates. Because of this, companies do not need to collect consent from job applicants. Similarly, Greenhouse customers are not required to obtain consent from candidates to transfer their personal data from the EU to the US, because Greenhouse can commit to providing a level of protection for the data that is acceptable under EU law.

Our Plan: Because getting consent from applicants is not required under the GDPR and creates a greater burden on companies, Greenhouse expects that our EU customers will want to avoid it. We don’t currently have plans to build a feature to collect and store consent from candidates. However, we will include language on our job boards to meet the requirement that companies alert candidates that they will transfer personal data to another country.

The Right to be Forgotten

GDPR: People have the “right to be forgotten” and Greenhouse customers will be required to erase a candidate’s personal data when requested by the candidate. Companies also need to erase personal data when it’s deemed no longer necessary for the business to continue storing it.

Our Plan: Greenhouse plans to build tools allowing you to:

  • Specify a timeframe, based on your company's specific policies, after which your legal justification for keeping candidate data has expired (for example, one month after a candidate’s application is rejected), so that candidate data is automatically bulk deleted;
  • Generate candidate emails requesting permission to keep their data longer than your default timeline, and keep their data when candidates agree;
  • Configure which data is deleted when a candidate asks to be forgotten (for example, you might decide to delete any PII but keep information that would allow you to generate reports on pipeline conversion);
  • Delete a candidate’s data by clicking a button on their profile;
  • Keep an encrypted version of a deleted candidate’s name and email address so that you will be notified if the same candidate enters your process again (for example, if the candidate applies again, is referred, or is found through prospecting).
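One way the retention timeframe and the retained "forgotten candidate" fingerprint described above could fit together, as an added illustration that is not Greenhouse's code and says nothing about how Greenhouse implements it: instead of encryption it uses a keyed hash (HMAC-SHA256) of the normalised name and email, so a deleted candidate can be recognised on re-entry but the stored value cannot be reversed or checked against an address list without the key. The candidate records, dates and key are constructed for the example.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed demo key; in practice it lives in a secrets manager, not in source.
# Whoever holds this key can test whether a given person is in the tombstone set,
# so it needs the same protection as the deleted PII it stands in for.
FINGERPRINT_KEY = b"constructed-demo-key-rotate-me"

def normalize_email(email: str) -> str:
    """Lower-case and trim so 'Ada@Example.com ' and 'ada@example.com' match."""
    return email.strip().lower()

def fingerprint(name: str, email: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed hash of normalised name + email; the only thing kept after deletion."""
    msg = (name.strip().lower() + "\n" + normalize_email(email)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def forget_candidate(candidates: dict, tombstones: set, cand_id: int) -> None:
    """Right to be forgotten: drop the whole record, keep only its fingerprint."""
    record = candidates.pop(cand_id)
    tombstones.add(fingerprint(record["name"], record["email"]))

def is_returning(tombstones: set, name: str, email: str) -> bool:
    """Re-entry check for a new application, referral or prospect."""
    return fingerprint(name, email) in tombstones

def expired_ids(candidates: dict, today: date, retention: timedelta) -> list:
    """Retention policy: rejected candidates older than `retention` are due for bulk deletion."""
    return [cid for cid, c in candidates.items()
            if c["rejected_on"] is not None and today - c["rejected_on"] >= retention]

def demo():
    # Constructed sample data: one rejected candidate past the 30-day window, one active.
    candidates = {
        1: {"name": "Ada Example", "email": "Ada@Example.com", "rejected_on": date(2018, 3, 1)},
        2: {"name": "Bob Sample", "email": "bob@example.org", "rejected_on": None},
    }
    tombstones = set()
    due = expired_ids(candidates, date(2018, 4, 2), timedelta(days=30))
    for cid in due:
        forget_candidate(candidates, tombstones, cid)
    # Ada applies again with different casing and whitespace: still recognised.
    returning = is_returning(tombstones, "ada example", " ada@example.com ")
    return due, sorted(candidates), returning, len(tombstones)
```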

Enhanced Rights to Notice and Access

GDPR: Companies are required to provide a variety of details at the time data is requested (for example, when a candidate applies to a job), including why they are requesting certain information, how long it will be stored, and where it will be sent.

Our Plan: Greenhouse will include language on job boards so that any necessary notifications and disclosures are made to candidates when they apply.

GDPR: The GDPR significantly enhances people’s right to access their own personal data, and companies will need to provide this data to candidates upon request in an efficient and easy format.

Our Plan: Greenhouse plans to build a feature that will allow companies to respond to and complete data requests from candidates. You’ll be able to configure what data should be accessible and send it to candidates in a CSV file by clicking a button on their profile.

The Right to Object

GDPR: People have a right to restrict their personal data from being used for direct marketing purposes.

Our Plan: Greenhouse already has a “do not email” feature in place: if a candidate opts out, it prevents users from sending any email to that candidate.


If you have any other questions, please feel free to reach out to your Account Manager or email support@greenhouse.io.
