Permissions: Site Admin

Product tier: Available for all subscription tiers

When a candidate applies for a job or is added manually to your pipeline, they may need to agree that your organization can use and/or retain their data in order to comply with GDPR. The specifics of how their data is retained and used are determined by your organization's legal basis, that is, the specific way your team requires candidates to opt in to their data usage.

When using single purpose consent, a legal basis is chosen separately for each of the two types of data usage (data processing and data retention). Because each can use either of the two legal bases, there are four total combinations that could be configured for your organization.

This article will go into more detail about how each combination affects your candidate experience and automated data management.

Note: Seek the advice of your legal counsel to determine which legal bases your organization should use.

Legal basis options

Greenhouse supports two types of legal basis for GDPR compliance: legitimate interest and explicit consent.

Legitimate interest

According to Art. 6(1)(f) of Regulation (EU) 2016/679 (General Data Protection Regulation), organizations can claim that collecting and evaluating candidate data is a legitimate interest as it pertains to selecting a candidate for employment.

In other words, using "legitimate interest" as a legal basis means candidates are not prompted specifically to provide data consent. Instead, your organization is trusted to access candidate data only as it applies to active roles, while background data management processes such as automated retention rules continue to run.

Greenhouse Recruiting uses "legitimate interest" as the default legal basis when setting up GDPR.

Explicit consent

Explicit consent is a stricter setting for GDPR compliance. 

According to Art. 6(1)(a) of Regulation (EU) 2016/679 (General Data Protection Regulation), organizations that do not rely on legitimate interest can still retain and process candidate data if the data subject (i.e., the candidate) provides explicit consent.

In other words, when your organization opts for explicit consent as its legal basis, a candidate will have to individually agree to the specific use of their data. If a candidate does not provide this consent in a specific time frame, their data will be flagged for deletion. 

Organizations that wish to use explicit consent as a legal basis will need to manually select it from the GDPR configuration page in Greenhouse Recruiting.

Legal basis combinations

When using single purpose consent, you'll choose a legal basis for each specific use of candidates' data, rather than a single legal basis to apply to all the data in your system.

At the end of your setup process, your organization will use one of the following four combinations: 

Combination   Legal basis for data processing   Legal basis for data retention
1             Legitimate interest               Legitimate interest
2             Legitimate interest               Explicit consent
3             Explicit consent                  Explicit consent
4             Explicit consent                  Legitimate interest

Combination 1: Legitimate interest (data processing) + legitimate interest (data retention) 

Candidate experience

Candidates are not required to consent to data processing or data retention. They won't see consent checkboxes on job posts or receive consent emails.

However, candidates will continue to receive data collection emails if a data collection email rule has been configured.

Data management

Candidates are marked for deletion after they've been rejected from all applications in Greenhouse and the data retention period has passed. 

Combination 2: Legitimate interest (data processing) + explicit consent (data retention)

Candidate experience

Candidates must consent to data retention during the application process by selecting the checkbox (or may deny consent by leaving the checkbox unselected). Candidates do not have to provide explicit consent to data processing when applying for a role. If a candidate is manually added to Greenhouse Recruiting, they must match either a data retention rule or a data collection email rule to receive the GDPR email.

Data management

When a candidate qualifies for a data collection email rule or a data retention rule, the corresponding email automatically notifies them of the data collection and, if applicable, lets them provide consent. A candidate's record will be marked for deletion if they deny consent.

Note: Your current GDPR notification email will be used for both data processing and data retention emails, so if you are updating your GDPR rules to single-purpose consent, you may need to update the email template to apply to both cases.

Combination 3: Explicit consent (data processing) + explicit consent (data retention) 

Candidate experience

Candidates are shown two checkboxes on applicable job posts. To apply for the job, the candidate must consent to data processing, but can deny consent for retention by leaving the data retention box unchecked.

If a candidate is manually added to Greenhouse Recruiting, they'll receive an email and can manage their data from that message.

Data management

Candidates are marked for data deletion at different times based on their consent for data retention: 

  • Data retention consent given: Candidate data is marked for deletion after they've been rejected from all applications and the data retention period is up.
  • Data retention consent denied: Candidate data is marked for deletion after they've been rejected from all active applications.

Combination 4: Explicit consent (data processing) + legitimate interest (data retention)

Candidate experience

Candidates must consent to data processing during the application process by selecting the checkbox. Because data retention uses legitimate interest, candidates are not shown a separate data retention checkbox.

If a candidate is manually added to Greenhouse Recruiting, they'll receive the GDPR notification to their email and be able to manage or deny consent in that message.

Data management

If the candidate consents to data processing, they'll be marked for data deletion after they've been rejected from all active applications and the data retention period is up.

If the candidate denies consent to data processing, they'll be immediately marked for data deletion, and their data will not be retained.