To comply with GDPR, you can select specific candidate data to be deleted when requested by the candidate or after a candidate has been rejected from all applications, at a time specified by you and your legal team.
Greenhouse Recruiting allows your organization to control the data retention timeframe, data to be deleted, and notifications on a per-office basis with our data retention rules.
To configure a data retention rule, click the Configure icon on your navigation bar, and select Privacy & Compliance on the left.
From the subsequent page, navigate to the General Data Protection Regulation (GDPR) panel and click Configure.
Navigate to the Data Retention Rules panel and click Add a Rule.
Configure data retention period
From the subsequent Add a Rule panel, use the provided field to input how long (in days) your organization wishes to retain candidate personal data after they have been rejected on all applications.
The data retention timer starts when a candidate is rejected on all job applications and is applied retroactively to all rejected candidates. You will receive an email immediately for existing rejected candidates in your system if those candidates exceed the data retention period
Configure data retention rule offices
Select the offices that will be impacted by this rule by clicking the checkbox beside the office name.
Configure data to be deleted
Use the Data to be Deleted table to select what personal data is deleted for candidates.
Read the comprehensive list of data that can be deleted and its impact here: Data to delete glossary.
Configure data retention rule notifications
Deleting a candidate's personal data must be done manually. Once the data retention timer has lapsed for candidates rejected on all job applications, someone is notified that they should manually delete the data.
To configure the notification to delete candidate personal data, navigate to the Notifications to Delete Data section.
Select the users who should be notified.
Select the time, time zone, and on which days you'd like notifications to be sent out.
When finished, click Save to save the date retention rule.
Your new data retention rule is now added to your GDPR configuration.
Repeat this process to add additional rules to your organization.
Recipients are notified on the day and time selected that the data retention period for certain rejected candidates is over and the candidates' personal data should be deleted.