On May 25, 2018, a sweeping new data protection law (General Data Protection Regulation, or GDPR) was put into effect in the EU. This law regulates the collecting and processing of personal data, and has a significant impact on companies or offices located in the EU. Click here for a more in-depth explanation of GDPR.

Luckily, Greenhouse Recruiting comes ready-built with features and tools to help manage candidate data.

Note: Always consult with legal counsel when you have questions about how GDPR affects your organization.

GDPR setup

GDPR features are available to all Greenhouse Recruiting customers. However, some of the customization must be configured by Site Admins. Most configuration is completed on the Privacy and Compliance section of the Configure page.


Additionally, we recommend seeking legal advice when configuring these settings, as GDPR may affect specific organizations differently.

See the following sections for more information:

For a list of all GDPR topics, click this link.

Click here for a Greenhouse Legal Memo on GDPR.

Configure legal basis for GDPR

Part of your organization setup requires selecting your data retention policy as it relates to candidates and prospects. This setting can be updated under the Privacy and Compliance section of the Configure page.


Note: If using the Explicit Consent legal basis and a data retention rule is enabled for the job, or if using the Legitimate Interest legal basis and a data collection rule is enabled for the job, then when manually adding candidates an email address will be required so that the candidate may be notified of your GDPR policy.

See this topic for more information.

Appoint a Data Protection Officer (DPO)

An organization that is a data controller or a data processor may be required to appoint a Data Protection Officer (DPO) as a point of contact for their organization.

A DPO can be defined in two different ways:

  • By opening the user's account in Account Settings.
  • In the Privacy and Compliance section of the Configure page.

If your organization is not required to appoint a DPO, you can list the individual at your company responsible for data privacy.


Click here for a more in-depth explanation of the Data Protection Officer.

Choosing a new Data Protection Officer

If a user is marked as the DPO for the organization, their account cannot be deactivated. If you need to deactivate the employee's account, you must appoint a new DPO before their account can be deactivated.

Select GDPR Compliant Offices

Because GDPR may not affect all parts of the organization, you can choose to deactivate the features in certain offices that may be outside the EU.

When an office is not marked as a GDPR office, the features in this article won't be available. However, the do not email and candidate packets features are available in all organizations, regardless of GDPR status.

You can select your GDPR offices under the Configure gear icon, then click Privacy and Compliance on the left. Click Offices that Need to Comply to GDPR.

Configure data retention rules

Under GDPR, individuals have a "right to be forgotten," which means an organization must be able to delete their information at their request. Companies must also delete data when they no longer have a legal basis to keep it. In this case, no longer having a "legal basis" means the data is no longer necessary for the organization's legitimate business interests.

In Greenhouse Recruiting, you can define a "retention time" for your system's data. Then, you can have members of your organization be notified when a candidate has been rejected from all job applications and the retention time has passed.

Choose the data to be deleted

You can choose the parts of the candidate's profile and define the retention time under the Configure menu. (Configure > Privacy and Compliance > Delete Candidates' Personal Data.)


When you toggle this setting on, select the checkboxes to choose which data to flag.

Click here for more information on setting up your data retention rules.

Tip: We recommend that you avoid selecting data you want to preserve in reports.

Receive data retention notifications

When a candidate has been rejected from all jobs in Greenhouse Recruiting and the data retention period has passed, the selected users will be notified that a candidate's personal data can be deleted. This deletion does not occur automatically, and must be completed by a user.

A candidate's data retention period will be reset if they are converted to a prospect.

Delete a candidate's data

After you receive a notification, you can delete the data under the Notifications menu. When a candidate's data has been deleted, an entry will be added to their Activity Log.

Click here for more information on deleting a single candidate's data. If you need to remove the data of more than one candidate, see Delete Candidates' Personal Data in Bulk.

Configure GDPR Notifications on job posts

You can place a GDPR notification on all job posts by adding a custom question. To add the custom question to all jobs, it is easiest to first add the question to a single job, and make it available on all jobs through a bulk action.

Click here for more information on configuring these questions.

Note: Remember to consult with legal counsel for notification language as it relates to your organization.

Configure GDPR email notifications for non-job board candidates

If a candidate, prospect, or referral was entered into Greenhouse Recruiting outside of a job post (such as a referral process, a manual addition, or an agency submission), they will not have the opportunity to review the GDPR notification in the job post. The Email GDPR Information feature allows you to email the notification to individuals added to your account outside of a job post.

You can configure this email template in the Privacy and Compliance section of the Configure page. Click here for more information.


Configure and download Candidate Packets

GDPR increases the rights of candidates to have access to their own data. Using Greenhouse Recruiting, you can quickly and efficiently produce candidate information using candidate packets.

Candidate packets can be initially configured on the Configure page. See this topic for more information on configuring these packets.

Once a packet has been set up, you can download the information for a specific candidate on their candidate profile. Click here for more information on downloading candidate packets.


Note: All admin users can download candidate packets. However, if a candidate packet contains private information, it will only be downloadable by users who have the permission to view private candidate data.

Resend consent email

For organizations using the Explicit Consent legal basis, it's possible to resend a GDPR consent request email to a candidate. Resending GDPR consent request emails can serve to remind candidates to review your organization's GDPR policy and to consent to or decline an active consent request.

Provided the following is true, you can resend a consent email to a candidate:

  • The organization's GDPR legal basis is set to Explicit Consent.
  • The candidate has an active GDPR consent request, meaning a request has been sent and the timer for that request has not yet expired.
  • The candidate has a valid email address.

To resend a consent email, navigate to the candidate profile and click Resend consent email at the top.


Mark a candidate as Do Not Email

Under GDPR, individuals can request that their email not be used for direct marketing purposes. To ensure that no marketing emails are sent from Greenhouse Recruiting, you can mark the candidate as Do Not Email on their candidate profile.