Edit legal basis for GDPR configuration

Permissions: Site Admin

Product tier: Available to all subscription tiers

Explicit consent is one of two legal bases that your organization can select in order to retain candidate data in Greenhouse Recruiting.

In this article, we will cover how to:

Note: By default, Greenhouse Recruiting supports legitimate interest as your organization's legal basis.

Edit legal basis

To edit the legal basis for your organization's GDPR configuration, click the Configure icon configure.png in the upper right-hand corner and select Privacy & Compliance on the left-hand panel.


Click Configure inline with the General Data Protection Regulation (GDPR) panel. 


Navigate to the Legal Basis panel and click Configure.


Click the button to the left of either Legitimate Interest or Explicit Consent and click Save when finished.


A dialog box will ask you to confirm the change. Click Change Legal Basis


Impact of Explicit Consent on GDPR configuration

When Explicit Consent is used as the legal basis for your organization's GDPR configuration, a question that requests consent will be automatically appended to existing and new job posts for offices with a data retention rule.

Note: This automatically appended question is non-editable. Greenhouse Recruiting will use the {{COMPANY}} token and the {{CANDIDATE_RETENTION_TIMER}} token for the office associated with job.


Additionally, an email requesting permission to collect, store, and process candidate data will be automatically sent to anyone under a data retention rule that does not enter through a consent portal.


You can also manually request consent from any pre-existing candidate and/or prospect who has yet to provide consent to have their data collected, stored, and processed. Click the links below to learn more:

Impact of Legitimate Interest on GDPR configuration 

When legitimate interest is used as the legal basis for your organization's GDPR configuration, you will lose Greenhouse Recruiting's built-in consent request functionality.

Since collecting consent is not the legal basis of your GDPR configuration, your organization can customize organizational rules and email templates to automatically email a GDPR notification to candidates and/or prospects who entered into your system without having applied to a job post.