GDPR Compliance Module

GDPR Collection Setup – Administration Only

To comply with the General Data Protection Regulation (GDPR), it’s crucial to set up your system for proper data collection, retention, and processing. This setup is available only to users with administrative permissions. Below is a step-by-step guide to configuring GDPR settings in your ATS system.

1. GDPR Rules Toggle

  • Location: Navigate to the GDPR Setup page under the system’s administrative settings.
  • Activation: Switch the GDPR Rules toggle to ON to enable GDPR compliance for your system.
  • When enabled, the system will automatically apply stricter data protection controls for candidates from EU regions, requiring explicit consent for data usage.

2. Privacy Policy Setup

  • Purpose: The privacy policy explains how your company collects, processes, and protects personal data. Candidates must read and agree to this policy before applying for jobs.
  • Steps:
    • Enter the Privacy Policy Link Text, which appears as a clickable link in the job application.
    • Insert the URL to your company’s privacy policy page or, if you don't have one, use the Privacy Policy HTML editor to provide a detailed policy directly within the system.

3. Notice & Consent Configuration

  • Purpose: Customize how candidates are informed about their data rights and what they consent to.
  • Steps:
    • Choose a GDPR Application Notice Template from the dropdown or set up a new one.
    • Ensure the COUNTRY field is added to job application forms, as it’s required to identify whether candidates fall under GDPR regulations.
    • Set up acceptance terms for candidates to acknowledge the privacy policy and indicate their consent to be contacted for future opportunities and to have their data shared with affiliated companies (if applicable).

4. Data Retention Policies

  • Purpose: Define how long candidate data is retained and/or accessible based on their consent status.
  • Steps:
    • For Candidates Who Have Provided Consent, set how long their data will be stored before it expires (e.g., 2 years).
    • For candidates where Legitimate Interest applies (no explicit consent), set how long data will be retained after their last activity (e.g., 3 months).
    • Define how long Candidates in the Removal Queue should remain before their data is permanently deleted (e.g., 2 days).
    • Optionally, enable the Limit Candidate View feature to restrict viewing of candidates whose consent has expired or been removed.

5. Email Templates for GDPR

  • Purpose: Set up email templates that are sent to candidates in specific GDPR-related scenarios (e.g., consent requests, consent refresh reminders).
  • Steps:
    • Choose or create default templates for various scenarios, such as candidates being submitted by vendors, receiving applications via email, refreshing consent, or confirming requests to be forgotten.

6. Sourcing Setup for GDPR

  • Purpose: Control how sourced candidates are added to the system, ensuring GDPR compliance.
  • Steps:
    • Enable the Allow Import/Add Candidate checkbox to permit importing candidates, but ensure the consent process is followed for GDPR-covered candidates.

Key Takeaways

  • GDPR compliance is critical for protecting personal data, especially for candidates from the EU.
  • Ensure clear communication with candidates through well-defined privacy policies and explicit consent forms.
  • Data retention policies must be in place to ensure candidates' personal data is removed or anonymized after the consent period expires.
  • Email templates must reflect the GDPR requirements and be tailored to candidate consent and data processing scenarios.

Make sure your GDPR settings are regularly reviewed and updated in line with changes in regulations or company policies.

Creating Custom Company-Specific Email Templates for GDPR Compliance

In your ATS system, you have the ability to create custom email templates specifically for GDPR-related processes. These templates help ensure compliance with GDPR regulations by sending appropriate communications to candidates regarding their data privacy and consent. The following guide outlines how to set up GDPR email templates, which is an Administrator Function.

Steps to Create GDPR Email Templates:

  1. Navigate to the Email Templates Page:
    • Go to the GDPR Setup section in your system settings and click on the Email Templates tab.
    • Here, you can view any existing GDPR-specific templates or start creating new ones.
  2. Click ‘Add Template’:
    • On the Email Templates page, click on the Add Template button to create a new GDPR-related email template.
  3. Select Application Consent Type:
    • From the dropdown menu, select the Application Consent template type. This template type ensures that the email is related to consent gathering and privacy requests from candidates.
  4. Customize Your Email Templates:
    • You can create and customize different email templates for a variety of GDPR-based scenarios, including:
      • Consent Requests: Send an email asking candidates for their consent to process their data.
      • Adding Candidates: When candidates are added to the system (e.g., imported by admins, submitted by vendors or employees), a consent email can be sent to confirm privacy acknowledgment.
      • Vendor or Employee Candidate Submissions: Send a consent request email automatically when a vendor or employee submits a candidate.
      • Request for Data Removal: When a candidate requests to be forgotten or have their data removed, the system can send a confirmation email, ensuring they are informed about the data removal process.
  5. Use Specific Templates for Different GDPR Scenarios:
    • Each GDPR event can trigger a unique email template, allowing you to manage different situations:
      • Sourced Candidates: Use a template specifically designed to send privacy/consent links when candidates are added via sourcing.
      • Emailed Applications: When candidates email their resumes directly to the system, a consent link can be sent.
      • Refresh Consent: For candidates whose consent is about to expire, an email can be set up to request a refresh of their consent.
      • Forgotten Candidate Confirmation: When a candidate requests to be forgotten, this template can be used to confirm the request and acknowledge that the deletion process has begun.
  6. Save and Assign the Templates:
    • Once your templates are created, save them and assign them to the appropriate GDPR-related functions within your system.
    • Ensure that each GDPR scenario (sourcing, vendor submission, data removal requests, etc.) has the correct email template assigned to it.

Key GDPR Email Templates:

  • Application Consent: Email sent when candidates apply and must provide consent to process their personal data.
  • Sourced Candidates: For candidates added from external sources, asking for their consent.
  • Vendor/Employee Submissions: Sent when candidates are submitted by third parties, such as vendors or employees.
  • Refresh Consent: Notifies candidates to renew their consent before it expires.
  • Forgotten Candidate Confirmation: Confirmation email when a candidate requests data removal.

By setting up these email templates, you ensure that your company remains GDPR compliant and that candidates are properly informed about how their data is processed and retained.

 


Hirebridge has consulted with legal professionals and done exhaustive research on GDPR, and how to best create tools to manage your candidate data. That said, we are not a legal organization and any information that we provide is general in nature and is not intended to act as "legal advice" for your specific organization.

We recommend that you and your team consult with independent legal counsel to get specific GDPR information as it relates to your organization receiving and managing data.

Here's how to access and configure the GDPR module settings:

Step 1: Visit the Administration area, then click on the General Data Protection Regulation (GDPR) Setup link:


The General Data Protection Regulation (GDPR) Setup page contains a suite of content tools and rules that can be customized based on your company's specific policies, which are as follows:

  • Privacy Policy - Under the GDPR, organizations must have a transparent privacy policy explaining how they collect, process and protect data. The policy must also give data subjects (candidates) instructions on how to ask your company to delete and correct their data. We've provided one for you in case your company does not have one.


For more details on Privacy Policy Setup select this Link

  • Application Notice & Consent - The application privacy notice is what candidates subject to GDPR (EU Residents and Jobs located in the EU) will see, alerting them to click and review your privacy policy.


For more details on Application Notice & Consent setup select this Link

  • Email Templates - Create and assign email templates to be sent out for consent requests and consent refresh requests, based on the situation.

For more details on Email Templates setup select this Link

  • Data Retention - Whether you are relying on CONSENT or LEGITIMATE INTEREST to process and store candidate data, you will need to set timers to determine how long you can retain that information. Once the timer expires, the candidate will move into the DELETE QUEUE and your Administrator with Data Privacy permissions will be notified.

For more details on Data Retention setup select this Link
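
The retention timers described above (consent, legitimate interest, removal queue) can be modeled as a small state check over candidate records. This is an added example, not Hirebridge code: the durations are the example values from the Data Retention steps, and the function names, state names, sample records and the rule that a record expires on its deadline date are assumptions.

```python
import calendar
from datetime import date, timedelta

# Assumed settings: the example values given in the Data Retention steps.
CONSENT_MONTHS = 24              # consent-based records, from consent date
LEGITIMATE_INTEREST_MONTHS = 3   # no explicit consent, from last activity
REMOVAL_QUEUE_DAYS = 2           # time in the queue before permanent deletion

def add_months(d, months):
    """Add calendar months, clamping to the end of a shorter month."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))

def retention_state(today, consent_date=None, last_activity=None):
    """Return (state, deadline) for one candidate record (hypothetical model)."""
    if consent_date is not None:
        expires = add_months(consent_date, CONSENT_MONTHS)
    elif last_activity is not None:
        expires = add_months(last_activity, LEGITIMATE_INTEREST_MONTHS)
    else:
        # No date to run a timer from: surface it instead of retaining forever.
        raise ValueError("record has neither a consent date nor activity date")
    if today < expires:
        return "RETAINED", expires
    delete_on = expires + timedelta(days=REMOVAL_QUEUE_DAYS)
    if today < delete_on:
        return "REMOVAL_QUEUE", delete_on   # administrator is notified here
    return "DELETE", delete_on

# Constructed sample records: (id, consent_date, last_activity).
CANDIDATES = [
    ("c-001", date(2024, 2, 29), date(2024, 3, 10)),  # leap-day consent
    ("c-002", None, date(2025, 11, 30)),              # legitimate interest
    ("c-003", date(2025, 6, 1), date(2025, 6, 1)),
]

def sweep(today, candidates=CANDIDATES):
    """Map each candidate id to its state on the given day."""
    return {cid: retention_state(today, consent, activity)[0]
            for cid, consent, activity in candidates}

if __name__ == "__main__":
    for day in (date(2026, 2, 27), date(2026, 2, 28), date(2026, 3, 2)):
        print(day, sweep(day))
```

Running the same sweep against an export of real candidate dates is a quick way to check that the timers you configured put records into the removal queue when you expect them to.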

 

NOTE: Once you have configured all of the GDPR settings, you can turn on the GDPR module.

Sourcing Candidates And GDPR Consent Notifications

After you add passive candidates to the pipeline for a job, or to your Prospect talent pool, GDPR regulations state that you must notify these candidates 'within a reasonable period after obtaining the personal data, but at the latest within one month' that you are processing their information, provide them with details of the processing, and allow them to choose to consent to further processing.

Article 14 of GDPR explains in detail the information that your organization should provide to these individuals.
