There are two legal bases that an organization can choose between in order to retain candidate data in Greenhouse Recruiting: Legitimate interest or Explicit consent.
In this article, we will provide a brief overview of each legal basis and how each basis impacts the configuration of Greenhouse Recruiting's GDPR features.
Note: Please seek the advice of your legal counsel to determine which legal bases your organization should use.
Legal basis options
Legitimate interest
According to Art. 6(1)(f) of Regulation (EU) 2016/679 (General Data Protection Regulation), organizations can claim that collecting and evaluating candidate data is a legitimate interest as it pertains to selecting a candidate for employment.
By default, Greenhouse Recruiting is configured to support legitimate interest as the legal basis.
Explicit consent
According to Art. 6(1)(a) of Regulation (EU) 2016/679 (General Data Protection Regulation), if organizations have no provision for legitimate interest, they can retain candidate data if the data subject (i.e., candidate) provides explicit consent to have their data retained and processed.
Organizations who wish to use explicit consent as a legal basis will need to manually select it from the GDPR configuration page in Greenhouse Recruiting.
Legal basis combinations
Before choosing a legal basis combination, we encourage you to consult your legal counsel about how GDPR affects your organization.
Your organization will end up with one of the four following legal basis combinations:
- Legitimate interest for data processing and legitimate interest for data retention
- Legitimate interest for data processing and explicit consent for data retention
- Explicit consent for data processing and explicit consent for data retention
- Explicit consent for data processing and legitimate interest for data retention
The combination you choose affects how candidates give consent and how candidate data is managed.
After you configure your legal bases, candidates can select their data processing and retention preferences either during the job application or after being manually added to Greenhouse Recruiting.
How candidates give consent
Legitimate interest + legitimate interest
Candidates are not required to consent to data processing or data retention. They won't see consent checkboxes on job posts or receive consent emails.
Candidates will continue to receive data collection emails if a data collection email rule has been configured.
Legitimate interest + explicit consent
Candidates must consent to data retention. Consenting to data processing is optional.
Candidates will see a data retention checkbox on job posts if the job's office has a data retention rule. Candidates can deny consent by leaving the box unchecked.
If a candidate is manually added to Greenhouse Recruiting, they must match either a data retention rule or a data collection email rule to receive the GDPR email. If the candidate matches a data retention rule, they can also consent or deny via buttons in the email.
Explicit consent + explicit consent
Candidates must consent to data processing to apply for a job post with a data retention rule. If a candidate leaves the data processing checkbox unchecked, they cannot submit their application. Candidates can deny consent for retention by leaving the data retention checkbox unchecked.
If a candidate is manually added to Greenhouse Recruiting, they must match a data retention rule to receive the GDPR email. Candidates will then have the option to manage or deny consent.
Explicit consent + legitimate interest
Candidates must consent to data processing. Consenting to data retention is optional.
Candidates must consent to data processing to apply for a job post with a GDPR rule. If a candidate leaves the data processing checkbox unchecked, they cannot submit their application.
If a candidate is manually added to Greenhouse Recruiting, they must match a data retention rule to receive the GDPR email. Candidates will then have the option to consent or deny having their data processed.
How candidate data is managed
Legitimate interest + legitimate interest
Candidates will be marked for deletion after they've been rejected on all applications and after the data retention period is up. The candidate's data will be retained according to the configured data retention rule.
Legitimate interest + explicit consent
If a candidate denies consent for data retention, they'll be marked for deletion after being rejected from all active applications.
If a candidate consents to data retention, they'll be marked for deletion after they've been rejected from all active applications and the data retention period is up.
Explicit consent + explicit consent
The table below outlines the points at which candidates are marked for data deletion depending on their consent status.
| Data processing consent | Data retention consent | Outcome |
|---|---|---|
| Consent given | Consent given | The candidate is marked for data deletion after they've been rejected from all active applications and the data retention period is up. |
| Consent given | Consent denied | The candidate is marked for data deletion after they've been rejected from all active applications. |
| Consent denied | Consent given |
This is not a possible outcome. Greenhouse Recruiting doesn't allow candidates to consent to data retention without having first consented to data processing. |
| Consent denied | Consent denied or consent left blank |
The candidate is marked for data deletion immediately. Note: This outcome can only occur if a candidate is manually added to Greenhouse Recruiting and denies consent. |
Explicit consent + legitimate interest
If the candidate consents to data processing, they'll be marked for data deletion after they've been rejected on all active applications and the data retention period is up.
If the candidate denies consent to data processing, they'll be immediately marked for data deletion, and their data will not be retained.