Legal Memo: Greenhouse and the General Data Protection Regulation (GDPR)

A new, wide-sweeping data protection law called the General Data Protection Regulation, or the GDPR, went into effect on May 25, 2018, which had significant impact on companies that collect and process personal data belonging to data subjects located within the EU member states. Here at Greenhouse, we have worked hard to both to ensure our own compliance with the new law and to build features that will assist our customers in their compliance efforts. In this memo, we hope to provide a brief overview of what we have accomplished in that regard and answer some questions you might have, but please feel free to reach out to our support team about any additional concerns that aren’t addressed here. Click here for more information on Greenhouse GDPR functionality. 

Like its predecessor data protection frameworks, the GDPR distinguishes between data controllers and data processors. Under the GDPR, our customers are the controllers with respect to the data collected and stored on Greenhouse, because they ultimately “determine the purposes and means of the processing of personal data.” This makes sense because, as between you and Greenhouse, you own the data submitted by your applicants and you decide to process it in the first place, how to process it, and when to delete it. By contrast, the GDPR defines processor as the person or entity “which processes personal data on behalf of the controller,” and that is the role Greenhouse plays in this context.

Now that we are clear on the definitions of controller and processor, we can discuss some of the primary ways that Greenhouse and Greenhouse customers are impacted by implementation of the GDPR.

Data Security Standards

The GDPR obligates a controller to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights. In order to meet that standard, processors must comply with the measures outlined in Article 32, which require both controllers and processors to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk,” including, for example:

  1. the pseudonymization and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Greenhouse already implements the measures listed above. In addition, we received our first SOC2, Type II certification, and ISO 27001 certification.

Data Subject Consent

One question we’ve heard from some of our EU-based customers is “How does Greenhouse plan to help us get consent from individual job applicants to transfer their personal data to the US?” The concern underlying this query is certainly understandable—it is daunting for a company to imagine that it might be required to obtain individual and freely-given consent from every single one of its job applicants, not to mention prospective candidates found on LinkedIn and elsewhere on the Internet, and the administrative headaches associated with such a scheme would be unavoidable. However, the notion that the GDPR requires a controller to obtain consent from each data subject before it can lawfully process his or her personal data is actually a common misconception. On the contrary, according to Article 6 of the GDPR, consent is just one of six distinct legal grounds upon which a controller can process personal data. So long as just one of the following conditions applies, processing will not run afoul of the GDPR:

  1. the data subject has given consent;
  2. processing is necessary for the performance of a contract to which the data subject is party (e.g. an employment contract);
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party.”

Because collecting resumes and other relevant information is an entirely “legitimate interest” of a company who is trying to evaluate candidates for employment, and it would indeed be expected by the applicants, there is no need to obtain consent from individuals who apply to jobs through Greenhouse. Relying on consent is cumbersome, not only because it puts the onus on a company to ask for it in the first place, but because it imposes additional ongoing obligations on the company, like ensuring that data subjects can withdraw consent at any time or placing the burden of proof that the consent given adheres to specific requirements on the company. In short, not only is obtaining consent from applicants to process their data not required under the GDPR, but it is also not preferable.

Similarly, the GDPR does not require Greenhouse customers to obtain consent from job applicants to transfer their personal data from the EU to the US. Rather, as has been the case since the Safe Harbor was invalidated in 2015, controllers can lawfully transfer personal data to a processor in the US provided that the processor has sufficient safeguards in place to ensure that the data will be afforded an appropriate level of protection. Article 46 of the GDPR explicitly states that data transfer to the US is legal if the controller and processor have entered into standard contractual clauses adopted by the EU Commission (an example is the “Model Clause” contract that Greenhouse has already entered into with many of its customers) or if an approved certification mechanism demonstrates the processors commitment to certain data protection safeguards (an example is the Privacy Shield). Therefore, Greenhouse customers do not need to get consent from data subjects to either process their personal data or to transfer it into the US.

Just as it is not preferable to rely on data subjects’ consent as a legal means for processing data, a similar rationale cautions against predicating the legality of a transfer of data to the US upon consent. Article 49 makes clear that the parties should only rely on consent as a last resort, if the Model Clauses or another non-consent-based mechanism is not available, because using consent as the condition predicate will subject the parties to heightened restrictions and documentation requirements.

Given all of the above, Greenhouse expects that its EU customers will want to avoid depending on getting consent from data subjects in order to legally transfer data to Greenhouse. Accordingly, we do not have plans to build functionality to collect and store such consent on the platform. We will, however, have language built into our job boards to meet the requirements of Article 13, which mandate that a controller provide clear and concise language to data subjects at the time of data collection indicating that the controller intends to transfer personal data to a third country, with reference to the safeguards in place that render the transaction legal.

The Right to Be Forgotten

In keeping with its general goal of expanding individuals’ control over the use of their personal data, the GDPR confers a new right upon data subjects: The right to be forgotten, also referred to as the right to erasure, which is discussed in Article 17. According to the law, controllers must erase personal data (1) upon the request of the data subject to which it pertains; or (2) when “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.” As the data controller, it is up to you to decide the point in the application/hiring process at which you no longer have a legitimate interest in retaining a candidate’s personal data, and such determinations will depend on your company’s specific processes and practices.

Greenhouse has built easily configurable tools that will allow you to comply with these obligations quickly and efficiently, enabling you to:

  • Set a deletion timeframe that allows you to configure for bulk deletion when your legitimate interest in retaining data has expired. You will be able to decide which predetermined conditions must be met to indicate that your legal basis for keeping the data has expired (for example, one month after a candidate’s application is rejected);
  • Configure exactly which data gets deleted when a candidate asks to be forgotten (for example, you might decide to delete any PII but retain information that would allow you to still generate reports on pipeline conversion or source quality);
  • Trigger the deletion of a candidate’s data easily with the click of a button placed on the candidate’s profile in your instance of Greenhouse;

Enhanced Rights to Notice and Access

In addition, the GDPR will increase a controller’s obligations regarding the information it is required to provide to data subjects. Among the items that must be disclosed at the time personal data is collected are the purposes of the processing, any recipients of the data, whether the data will be transferred internationally and under what legal grounds, and how long the data will be stored. Additionally, controllers must notify data subjects of their rights to request access to the data or lodge a complaint with a supervisory authority. This is language that Greenhouse has built into job boards so that all the necessary notifications and disclosures are made at the time that a candidate applies to a job.

Pursuant to Article 15, data subjects now have a more robust right to access their personal data that is being processed. Greenhouse has built a feature that will enable our customers to easily respond to and execute upon requests from individuals to access the personal data concerning them. Specifically, you can preconfigure which data should be made available to a candidate who has submitted a request for access, and then permission the access by clicking a button on the candidate profile. The data will then be provided to the candidate in the form of a CSV file, which will satisfy the GDPR requirement of data portability set forth in Article 20.

The Right to Object

Article 21 of the GDPR grants data subjects an unequivocal right to object to their personal data being processed for direct marketing purposes and related profiling. If a candidate makes this objection, Greenhouse already has a “do not email” feature in place which, when enabled, will prevent Greenhouse from sending any email to that candidate.