On May 25, 2018, a sweeping new data protection law, the General Data Protection Regulation (or "GDPR"), went into effect in the EU. This law regulates the collection and processing of personal data and has a significant impact on companies or offices located in the EU. For a detailed explanation of GDPR, click here.
Greenhouse Recruiting comes ready-built with features and tools to help manage candidate data in compliance with GDPR.
Note: GDPR features are available to all Greenhouse Recruiting customers. However, some of the customizations must be configured by Site Admins.
Click here for our legal memo on GDPR, and click here for a list of all our GDPR topics.
Note: Always consult with legal counsel when you have questions about how GDPR affects your organization.
Configure GDPR settings
To access and turn on your GDPR settings, click the Configure icon on your navigation bar. Then, click Privacy & Compliance in the left sidebar.
Find the General Data Protection Regulation (GDPR) section and click Configure.
GDPR settings
Note: If you're configuring GDPR for the first time, please refer to this article.
The GDPR page includes several editable sections:
Data Protection Officer (DPO)
An organization that is a data controller or a data processor may be required to appoint a Data Protection Officer (DPO) as a point of contact for their organization.
If your organization is not required to appoint a DPO, you can list the person at your company who is responsible for data privacy.
For information on how to add a DPO, click here.
Legal basis
GDPR requires any organization that stores or uses personal data to confirm they have a valid legal basis to do so.
For information on how to edit legal basis, click here.
Data retention rules
Under GDPR, individuals have a "right to be forgotten," which means an organization must be able to delete an individual's information at that individual's request. Companies must also delete data when they no longer have a legal basis to keep it.
In Greenhouse Recruiting, you can define a "retention time" for your system's data. Then, you can notify people in your organization when a candidate has been rejected from all job applications and the retention time has passed.
Because GDPR may not affect all parts of the organization, you can also use data retention rules to include or exclude certain offices from utilizing GDPR features.
For information on how to create a data retention rule, click here.
Data collection email rules
GDPR requires that you notify candidates, prospects, and referrals of your GDPR policy. When someone applies through a job post, they are usually notified of your GDPR policy on the job application itself.
If you choose to disclose GDPR information on job posts, applicants will be notified of your GDPR policy when applying for a job.
However, candidates, prospects, and referrals who are entered into Greenhouse Recruiting outside of a job post (for example, as a referral, a manual addition, or an agency submission) should be sent your GDPR policy separately using data collection email rules.
For information on how to send your GDPR policy to candidates, click here.
Consent extension email
Note: In order to utilize Greenhouse Recruiting's built-in request consent functionality, your organization will need to have selected "explicit consent" as the legal basis for your GDPR configuration.
If your organization would like to extend the length of time it retains a candidate's and/or prospect's data, you will need to explicitly request this extension.
The consent extension email allows your organization to configure an email that is automatically sent to candidates and/or prospects before their data retention period expires to ask for consent.
For more information on how to create a consent extension email, click here.
If you've already sent a GDPR consent request to a candidate, and the timer for the request hasn't expired, you can resend the email to the candidate to remind them to consent or decline.
To resend a consent email, go to the candidate's profile and click Resend consent email at the top.
Disclose GDPR information on job posts
You can place a GDPR notification on all job posts by adding a custom question. To add the custom question to all jobs, it is easiest to first add the question to a single job and then make it available on all jobs through a bulk action.
For more information on how to add GDPR information to job posts, click here.
Note: Remember to consult with legal counsel for notification language as it relates to your organization.
Candidate Packets
Note: This feature is available for all organizations regardless of whether or not GDPR is configured. If GDPR is not configured, you can create a candidate packet by going to Configure icon > Candidate Packets.
GDPR expands the rights of candidates to access their own data. Using Greenhouse Recruiting, you can quickly and efficiently report on collected candidate information using candidate packets.
For more information on creating a candidate packet, click here.
Once a packet has been set up, you can download the information for a specific candidate on their candidate profile. For more information on downloading a candidate packet, click here.
Other features
Mark a candidate as Do Not Email
Note: This feature is available for all organizations regardless of whether or not GDPR is configured.
Under GDPR, individuals can request that their email not be used for direct marketing purposes. To ensure that no marketing emails are sent from Greenhouse Recruiting, you can mark the candidate as Do Not Email.
Go to the candidate's profile, then find the Tools section on the right side. Click the checkbox next to Do Not Email.
Delete a candidate's data
After you receive a notification that a candidate's data retention period has expired, you can delete the candidate's data in Greenhouse Recruiting. When a candidate's data has been deleted, an entry will be added to their Activity Log.
Click here for information on deleting a single candidate's data, or click here for information on deleting candidate data in bulk.