When a candidate applies for a job or is added manually to your pipeline, they may need to agree that your organization can use and/or retain their data in order to comply with GDPR. The specifics of how their data is retained and used are based on your organization's legal basis, that is, the specific way your team may require candidates to opt in to their data usage.
When using single purpose consent, two different legal bases can be configured for each of the two types of data usage, meaning there can be four total combinations of legal bases that could be configured for your organization.
This article will go into more detail about how each combination affects your candidate experience and automated data management.
Legal basis options
Greenhouse supports two types of legal basis for GDPR compliance: legitimate interest and explicit consent.
According to Art. 6(1)(f) of Regulation (EU) 2016/679 (General Data Protection Regulation), organizations can claim that collecting and evaluating candidate data is a legitimate interest as it pertains to selecting a candidate for employment.
In other words, using "legitimate interest" as a legal basis means candidates are not prompted specifically to provide data consent. Instead, your organization is trusted to access their data only as it applies to active roles, and it still uses background data management processes like automated retention rules.
Greenhouse Recruiting uses "legitimate interest" as the default legal basis when setting up GDPR.
Explicit consent is a stricter setting for GDPR compliance.
According to Art. 6(1)(a) of Regulation (EU) 2016/679 (General Data Protection Regulation), if organizations have no provision for legitimate interest, they can still retain candidate data if the data subject (i.e., candidate) provides explicit consent to have their data retained and processed.
In other words, when your organization opts for explicit consent as its legal basis, a candidate will have to individually agree to the specific use of their data. If a candidate does not provide this consent in a specific time frame, their data will be flagged for deletion.
Organizations that wish to use explicit consent as a legal basis will need to manually select it from the GDPR configuration page in Greenhouse Recruiting.
Legal basis combinations
When using single purpose consent, you'll choose a legal basis for each specific use of candidates' data, rather than a single legal basis to apply to all the data in your system.
At the end of your setup process, your organization will use one of the following four combinations:
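| Combination | Legal basis for data processing | Legal basis for data retention |
| --- | --- | --- |
| 1 | Legitimate interest | Legitimate interest |
| 2 | Legitimate interest | Explicit consent |
| 3 | Explicit consent | Explicit consent |
| 4 | Explicit consent | Legitimate interest |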
Combination 1: Legitimate interest (data processing) + legitimate interest (data retention)
Candidates are not required to consent to data processing or data retention. They won't see consent checkboxes on job posts or receive consent emails.
However, candidates will continue to receive data collection emails if a data collection email rule has been configured.
Candidates are marked for deletion after they've been rejected from all applications in Greenhouse and the data retention period has passed.
Combination 2: Legitimate interest (data processing) + explicit consent (data retention)
Candidates must consent to data retention during the application process by selecting the checkbox (or may deny consent by not selecting the checkbox). If a candidate is manually added to Greenhouse Recruiting, they must match either a data retention rule or a data collection email rule to receive the GDPR email. However, candidates do not have to provide explicit consent to processing when applying for a role.
Data collection email rule and data retention rule emails automatically notify candidates of the data collection and, if applicable, let them provide consent when they qualify for one of the rules. A candidate's record will be marked for deletion if they deny consent.
Combination 3: Explicit consent (data processing) + explicit consent (data retention)
Candidates are shown two checkboxes on applicable job posts. To apply for the job, the candidate must consent to data processing, but can deny consent for retention by leaving the data retention box unchecked.
If a candidate is manually added to Greenhouse Recruiting, they'll receive an email and can manage their data from that message.
Candidates are marked for data deletion at different times based on their consent for data retention:
- Data retention consent given: Candidate data is marked for deletion after they've been rejected from all applications and the data retention period is up.
- Data retention consent denied: Candidate data is marked for deletion after they've been rejected from all active applications.
Combination 4: Explicit consent (data processing) + legitimate interest (data retention)
Candidates must consent to data retention during the application process by selecting the checkbox.
If a candidate is manually added to Greenhouse Recruiting, they'll receive the GDPR notification by email and be able to manage or deny consent in that message.
If the candidate consents to data processing, they'll be marked for data deletion after they've been rejected from all active applications and the data retention period is up.
If the candidate denies consent to data processing, they'll be immediately marked for data deletion, and their data will not be retained.