Single purpose consent is one of the features Greenhouse Recruiting provides to help you achieve GDPR compliance.
About single purpose consent
Under traditional data consent rules, when a candidate provides consent, that permission is applied to a broader range of potential uses.
However, Recital 32 of GDPR states, "When the processing has multiple purposes, consent should be given for all of them" and recommends that these broad rules be updated to "single purpose" - or, smaller statements of permission that cover a single action.
Example: When thinking about their privacy, a candidate is willing to share their data with a company at the time of their application, but does not want their data retained in your system long-term. Under traditional rules, a candidate would not have this level of control over their data.
However, when using single-purpose consent, a candidate could provide consent to process, but deny consent to retain and give your organization further instruction over how that candidate’s data should be managed in Greenhouse Recruiting.
Check single purpose consent status in Greenhouse Recruiting
Single purpose consent information is configured in the Privacy & Compliance section of the Configure page.
You'll know single purpose consent is enabled when the Legal Basis section of your GDPR page includes two options: consent to process and consent to retain.
Enable single purpose consent
Note: As with all things GDPR and privacy-related, we recommend consulting with your legal team to determine the best legal basis selections for your organization.
If you are a brand-new Greenhouse customer or or are setting up GDPR settings for the first time, single purpose consent is enabled by default.
If your organization enabled GDPR on or before July 10, 2023, you'll be prompted to enable single purpose consent and move over to the new system.
Legal basis is a way of describing how your organization approaches GDPR compliance. When you enable single purpose consent, you'll have to select the legal basis for each type of consent.
In traditional data consent rules, your organization would choose one policy (legitimate interest or contract or explicit consent) for the entire organization. However, since single-purpose consent further breaks down the candidate's data preferences, you will end up with one of four combinations.
Continue on this page to finish your setup.
After setup
If you decide to change from "legitimate interest or contract" to "explicit consent" during your setup, all active candidates (including those manually added to Greenhouse Recruiting) will be marked as "consent required" and a banner will appear on their profile. These candidates can be sent an email from their candidate profile and will have 30 days to update their consent with the new settings.
If a candidate does not provide consent within 30 days, their data will be queued for deletion. After 30 days, you also will not be able to resend the consent email.
Frequently Asked Questions (FAQs)
Which legal basis combination should I use?
We encourage you to consult your legal counsel about how GDPR affects your organization.
What does the candidate experience look like for each legal basis combination?
The way candidates give consent to data processing and data retention depends on which legal basis combination you choose. Learn more about legal basis combinations.
How is candidate data managed with each legal basis combination?
The handling of candidate data depends on which legal basis combination you choose. Learn more about legal basis combinations.
Is consent text configurable?
The consent text on job applications and emails is not configurable. However, you can add any extra details in the job and email templates as normal.