If you included a GDPR notice on your job post, all applicants who applied through that specific job post will see your company's GDPR information displayed. However, if candidates, prospects, or referrals were entered into your system without having applied through a job post, either through a referral process, being manually added to your account, or submitted through an agency, those individuals never had the opportunity to review your GDPR notification.
By configuring data collection email rules, your organization can automatically email a GDPR notification to candidates and/or prospects who entered into your system without having applied to a job post. These rules can be configured on a per-office basis. In this article, we will cover:
Note: Before continuing, we strongly advise that you speak with your legal counsel to draft the language of your email template to unwitting candidates, prospects, and referrals.
To start, click the Configure icon in the upper right-hand corner and navigate to Privacy & Compliance on the left-hand panel.
From the subsequent page, navigate to the General Data Protection Regulation (GDPR) panel and click Configure.
Add Data Collection Email Rule
From the GDPR page, navigate to the Data Collection Email Rules panel and click Add a Rule.
Use the panel to select the Offices that will be impacted by the rule and the recipients of the GDPR notification email.
Click Save when finished.
Candidates and/or prospects who are added to your system for the selected offices and match the configured recipient criteria will receive your organization's GDPR notification.
Note: Users who added a candidate/prospect that match the criteria you have specified in your rule will need to provide an email address for the candidate and/or prospect.
Repeat as necessary for other offices.
Configure GDPR Email Template
From the Data Collection Email Rules panel, click Configure GDPR Email Template to create the email that will be sent to selected individuals.
From the Edit Email Template page, input a name for the template, sender address, and subject heading for the email in the appropriate fields.
Draft language that will be automatically sent to candidates whose data you are collecting from other sources.
Note: You should seek the advice of your legal counsel to prepare this language as it applies to your business. A Greenhouse example of an Article 14 notification is provided below to serve as a starting point, but Greenhouse cannot guarantee that this language will ensure GDPR compliance for your company.
When you have finished, click Save.
Greenhouse GDPR Notice to Unwitting Prospects Example
Note: You should seek the advice of your legal counsel to prepare this language as it applies to your business. What follows is an example of an Article 14 notification. Greenhouse cannot guarantee that this language will ensure GDPR compliance for your company
This email is to notify you that personal data about you has been collected by [CONTROLLER] (“Controller”), which is located at [ADDRESS] and can be contacted by emailing [EMAIL], because Controller wishes to evaluate your candidacy for employment at Controller. Your personal data was either obtained from publicly available sources (e.g. LinkedIn) or provided to Controller by someone who referred you for potential employment. Controller’s data protection officer is [DPO NAME], who can be contacted at [CONTACT INFORMATION]. Your personal data will be processed for the purposes of managing Controller’s recruitment related activities, which include setting up and conducting interviews and tests for applicants, evaluating and assessing the results thereto, and as is otherwise needed in the recruitment and hiring processes. Such processing is legally permissible under Art. 6(1)(f) of Regulation (EU) 2016/679 (General Data Protection Regulation) as necessary for the purposes of the legitimate interests pursued by the Controller, which are the solicitation, evaluation, and selection of applicants for employment.
Your personal data has been shared with Greenhouse Software, Inc., a cloud services provider located in the United States of America and engaged by Controller to help manage its recruitment and hiring process on Controller’s behalf. Accordingly, if you are located outside of the United States, your personal data has been transferred to the United States. Because the European Union Commission has determined that United States data privacy laws do not ensure an adequate level of protection for personal data collected from EU data subjects, the transfer was subject to appropriate additional safeguards under [either the standard contractual clauses or the Privacy Shield]. You can obtain a copy of the standard contractual clauses by contacting us at email@example.com.
Your personal data will be retained by Controller as long as Controller determines it is necessary to evaluate your application for employment. Under the GDPR, you have the right to request access to your personal data, to request that your personal data be rectified or erased, and to request that processing of your personal data be restricted. You also have to right to data portability. In addition, you may lodge a complaint with an EU supervisory authority.