When a candidate applies for a job or is added manually to your pipeline, they may need to agree that your organization can use and/or retain their data in order to comply with GDPR. The specifics of how their data is retained and used are based on your organization's legal basis, that is, the specific way your team may require candidates to opt in to their data usage.
When using single purpose consent, different legal bases can be configured for each of the two types of data usage, meaning there can be four total combinations of legal bases that could be configured for your organization.
This article will go into more detail about how each combination affects your candidate experience and automated data management.
Note: Seek the advice of your legal counsel to determine which legal bases your organization should use.
Legal basis options
Greenhouse supports three types of legal basis for GDPR compliance: legitimate interest, contract, and explicit consent. The first two are offered as a single option, "legitimate interest or contract".
Legitimate interest or contract
Legitimate interest: According to Art. 6(1)(f) of Regulation (EU) 2016/679 (General Data Protection Regulation or “GDPR”), organizations can claim that collecting and evaluating candidate data is a legitimate interest as it pertains to selecting a candidate for employment.
Contract: According to Art. 6(1)(b) of the GDPR, organizations can claim that collecting and evaluating candidate data is necessary for the performance of an employment contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Data protection authorities such as the CNIL in France have issued guidance suggesting that “contract” may be the most common or appropriate legal basis for evaluating candidates for employment.
Why does Greenhouse combine “legitimate interest” and “contract” into a single option?
Selecting "legitimate interest or contract" as your option means candidates are not prompted specifically to provide data consent. Instead, your organization is trusted to access candidate data only as it applies to active roles, and it still uses background data management processes like automated retention rules. Operationally within Greenhouse, “legitimate interest” and “contract” function identically and neither triggers the consent communications, so these two bases are listed as a single option, “legitimate interest or contract”, though we recognize that they are distinct legal bases.
Greenhouse Recruiting uses "legitimate interest or contract" as the default option when setting up GDPR.
Explicit consent
Explicit consent is a stricter setting for GDPR compliance.
According to Art. 6(1)(a) of Regulation (EU) 2016/679 (General Data Protection Regulation), if organizations have no provision for legitimate interest, they can still retain candidate data if the data subject (i.e., candidate) provides explicit consent to have their data retained and processed.
In other words, when your organization opts for explicit consent as its legal basis, a candidate will have to individually agree to the specific use of their data. If a candidate does not provide this consent in a specific time frame, their data will be flagged for deletion.
Organizations that wish to use explicit consent as a legal basis will need to manually select it from the GDPR configuration page in Greenhouse Recruiting.
Legal basis combinations
When using single purpose consent, you'll choose a legal basis for each specific use of candidates' data, rather than a single legal basis to apply to all the data in your system.
At the end of your setup process, your organization will use one of the following four combinations:
Combination | Legal basis for data processing | Legal basis for data retention |
1 | Legitimate interest or contract | Legitimate interest or contract |
2 | Legitimate interest or contract | Explicit consent |
3 | Explicit consent | Legitimate interest or contract |
4 | Explicit consent | Explicit consent |
Combination 1: Legitimate interest or contract (data processing) + legitimate interest or contract (data retention)
Candidate experience
Candidates are not required to consent to data processing or data retention. They won't see consent checkboxes on job posts or receive consent emails.
However, candidates will continue to receive data collection emails if a data collection email rule has been configured.
Data management
Candidates are marked for deletion after they've been rejected from all applications in Greenhouse and the data retention period has passed.
Combination 2: Legitimate interest or contract (data processing) + Explicit consent (data retention)
Candidate experience
Candidates must consent to data retention during the application process by selecting the checkbox (or may deny consent by not selecting the checkbox). If a candidate is manually added to Greenhouse Recruiting, they must match either a data retention rule or a data collection email rule to receive the GDPR email. However, candidates do not have to provide explicit consent to processing when applying for a role.
Data management
Data collection email rule and data retention rule emails automatically notify candidates of the data collection and, if applicable, prompt them to provide consent when they qualify for one of the rules. A candidate's record will be marked for deletion if they deny consent.
Note: Your current GDPR notification email will be used for both data processing and data retention emails, so if you are updating your GDPR rules to single-purpose consent, you may need to update the email template to apply to both cases.
Combination 3: Explicit consent (data processing) + Legitimate interest or contract (data retention)
Candidate experience
Candidates are shown a checkbox on applicable job posts. To apply for the job, the candidate must consent to data processing, but does not have to select a checkbox for data retention.
If a candidate is manually added to Greenhouse Recruiting, they'll receive an email and can manage their data from that message.
Data retention
Candidates are marked for data deletion at different times based on their consent for data retention:
- Data retention consent given: Candidate data is marked for deletion after they've been rejected from all applications and the data retention period is up.
- Data retention consent denied: Candidate data is marked for deletion after they've been rejected from all active applications.
Combination 4: Explicit consent (data processing) + Explicit consent (data retention)
Candidate experience
Candidates must consent to data retention during the application process by selecting two checkboxes.
If a candidate is manually added to Greenhouse Recruiting, they'll receive the GDPR notification by email and be able to manage or deny consent in that message.
Data management
If the candidate consents to data processing, they'll be marked for data deletion after they've been rejected from all active applications and the data retention period is up.
If the candidate denies consent to data processing, they'll be immediately marked for data deletion, and their data will not be retained.