Permissions: Site Admin

Product tier: Available for all subscription tiers

To comply with GDPR, you can select specific candidate data to be deleted when requested by the candidate or after a candidate has been rejected from all applications, at a time specified by you and your legal team.

Note: As is the case with other features that help your offices be GDPR compliant, we advise that you seek legal counsel before configuring the details of this feature.

Greenhouse Recruiting allows your organization to control the data retention timeframe, data to be deleted, and notifications on a per office basis with our Data Retention Rules.

Note: Because unattached prospects aren't associated with offices on Greenhouse Recruiting, to ensure unattached prospects meet your data retention rules, choose "All Offices" for the data retention rule offices.

To configure a data retention rule, click the Configure icon on your navigation bar, and select Privacy & Compliance on the left.

From the subsequent page, navigate to the General Data Protection Regulation (GDPR) panel and click Configure.

Navigate to the Data Retention Rules panel and click Add a Rule.

Configure data retention period

From the subsequent Add a Rule panel, use the provided field to input how long (in days) your organization wishes to retain candidate personal data after they have been rejected on all applications.

Note: If a rejected candidate is converted into a prospect for a different job or is otherwise being considered for another job, the data retention timer will be deactivated and reset. Likewise, if a job is moved to a non-GDPR compliant office in your organization, the data retention timer for candidate personal data will also be deactivated.

The data retention timer will start from when a candidate is rejected on all job applications and will be applied retroactively to all rejected candidates. You will receive an email immediately for existing rejected candidates in your system if those candidates exceed the data retention period

Example: If you activate the data retention timer on May 25, 2018, and set the period for 365 days, you will receive an email immediately after activation to delete candidate personal data for any rejected candidates who were rejected on or prior to May 25, 2017.

Configure data retention rule offices

Select the offices that will be impacted by this rule by clicking the checkbox beside the office name.

Note: Because unattached prospects aren't associated with offices on Greenhouse Recruiting, to ensure unattached prospects meet your data retention rule, choose "All Offices" for the data retention rule offices.

Configure data to be deleted

Use the Data to be Deleted table to select what candidate personal data will be deleted for candidates.

You can read more about the impact of deleting data here: Data to delete glossary.

Note: Any personal data deleted will no longer show up in reports.

Note: Selecting Name and Pronunciation Recording from the Data to be Deleted panel will anonymize the candidate throughout the system except for the candidate's Activity Notes. To remove a candidate's name from Activity Notes as well, select Activity Notes on Data to be Deleted.

Configure data retention rule notifications

Since deleting candidate personal data is a destructive process, it is not automated and must be done manually. Once the data retention timer has lapsed for candidates rejected on all job applications someone will be notified that they should manually delete the data. To configure the notification to delete candidate personal data, navigate to the Notifications to Delete Data section.

From the subsequent fields, select the users who should be notified of candidates who need their personal data deleted. Select the time, time zone, and on which days you would like notifications to be sent out.

When finished, click Save to save the date retention rule.

Recipients will be notified on the day and time selected that the data retention period for certain rejected candidates is over and the candidates' personal data should be deleted.

Your new data retention rule will be added to your GDPR configuration.

Repeat this process to add additional rules to your organization.