GDPR Compliance


Overview

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that strengthens the data privacy and protection rights of individuals in the EU.

Since May 25, 2018, all entities doing business in the EU, including those recruiting talent in or from the EU, must comply with GDPR. Companies that fail to meet GDPR requirements risk serious fines of up to €20 million or 4% of global annual turnover, whichever is higher.

Audience

All users

What is GDPR

Companies with an establishment in the EU and vendors that provide services to companies in the EU are impacted by GDPR.

GDPR identifies and governs three stakeholders: Data Controller, Data Processor, and Data Subject.

Under the regulation, the Data Controller is the organization or individual that determines why and how personal data is processed; Evolve ATS customers are data controllers. Because you (the customer) require the personal data of applicants, contacts, and new hires to evaluate candidates, make hiring decisions, and onboard new hires, you are the Data Controller, and you are legally responsible for meeting GDPR requirements.

The Data Processor is the entity that processes personal data on the controller's instructions. Here that is Evolve ATS, which collects applicant, contact, and new hire data on your behalf as part of the solutions we offer and processes it according to your instructions. Evolve ATS is a data processor for its customers.

Finally, a Data Subject is a living person whom personal data relates to or identifies. Here that is the applicant, contact, or new hire in the EU, who has enhanced rights under GDPR.

Data Controller: Evolve ATS Customer (You)

Data Processor: Evolve ATS

Data Subject: Contact / Applicant / New Hire

Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data. A Processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. The Data Subject is the natural person, in this case an individual in the EU, whom the regulation intends to protect.

Because you require personal data (sometimes including PII) for your hiring process, the Evolve ATS customer (You) is the Controller. Because the Evolve ATS system is used to collect and process hiring data, Evolve ATS is the Processor. Controllers and processors must ensure that the GDPR protections for the Data Subject (your contact/applicant/new hire) are met. For clarity, this document uses "candidate" to mean the Data Subject.

GDPR Requirements

Where you rely on consent as your lawful basis, GDPR requires that the consent of your applicant/contact/new hire be unambiguous. That means being transparent about what data you collect, how it will be used, and how long it will be kept in your database, and recording the consent itself.

For example, during the Apply process you must state the purpose of the processing and have the candidate take an explicit action, such as clicking an "I agree" button, to give consent.

GDPR also gives data subjects the right to have their data erased, or corrected, on request, so you must be able to delete a record from your database or let the candidate edit/correct their information. You must also maintain records of all processing activities so that you can demonstrate compliance if a supervisory authority (Data Protection Authority) conducts an audit, and clearly document your data protection and processing methods.

GDPR Requirement: Right of Access and Portability
Evolve ATS Support: Download the resume and other files, and copy field values, from the Candidate/Contact/New Hire pages using existing tools.

GDPR Requirement: Right to Rectification
Evolve ATS Support: Recruiter/Sourcer/Orchestrator users update the record using existing tools.

GDPR Requirement: Right to Object and Restrict Processing
Evolve ATS Support: Recruiter/Sourcer/Orchestrator users stop processing using existing tools (via workflow states or contact status).

GDPR Requirement: Right to Erasure (Right to be Forgotten)
Evolve ATS Support: Delete or forget (anonymize) the candidate, contact, or new hire record with the in-product deletion tools.

GDPR in Evolve ATS

Evolve ATS provides self-service capabilities within the product that include:

  • Obtain and record consent from your applicants with customizable consent forms.
  • Customize the data retention period.
  • Delete or forget a candidate from your database when you receive a request from an applicant or contact. Deleting a candidate removes the record completely. Forgetting a candidate anonymizes the personal data while keeping the record, so reporting and data integrity are maintained. It is the customer's (your) responsibility to provide a way for the applicant or contact to request to be deleted or forgotten.
  • Out-of-the-box compliance reports to support your GDPR obligations, for example reports showing when data was anonymized and who gave consent, and a summary of the number of candidates removed over a selected time frame.

As a data processor:

  • Evolve ATS maintains clear documentation of its policies, procedures, and security measures for protecting data.
  • Evolve ATS keeps consistent records of the personal data it collects and documents its data flows.
  • Evolve ATS provides the processing-side information you need to meet your audit requirements.

GDPR Reporting and Auditing

Analytics offers Compliance Reports covering anonymized data, consent, and removed records. The following Compliance Reports are available in Analytics:

  • Candidates Removed
  • Candidates Removed Summary
  • Candidate Consent
  • Candidate Consent Summary
  • Contacts Removed
  • Contacts Removed Summary
  • Contacts Consent
  • Contact Consent Summary
  • New Hires Removed
  • New Hires Removed Summary Report

FAQs

Q. Do I have to set up consent forms?

A. Please check with your legal team. An updated Privacy Policy notice might suffice, depending on your circumstances, or you may have to set up explicit consent forms.

Q. Will Evolve ATS provide default or boilerplate Consent Form verbiage?

A. No, you should work with your legal team.

Q. Do I have to set up consent forms in all EU languages?

A. Please check with your legal team. You may be able to set it up just for the countries in which you operate.

Q. Do I have to seek consent from existing candidates or contacts?

A. Please check with your legal team. If you rely on legitimate interest as the lawful basis for historical data, then no. If your legal team requires you to do so, then yes.

Q. Can I re-seek consent to keep candidate/contact data alive longer?

A. Yes, you can go to the details pages at any time and trigger an email to re-seek consent.

Q. Do I need to seek consent from Employees?

A. Employee data is generally processed under a lawful basis other than consent, such as the employment contract or legitimate interest; check with your legal team. Evolve ATS does not provide consent forms for employees.

Q. Do I have to set up Auto Deletion policies?

A. Please check with your legal team. If the EU member state mandates that data be deleted after a certain period, then yes. If your legal or TA team wants to keep the candidate/contact database "clean", then yes. If you receive only a few EU applicants/contacts a year, you may choose to delete them manually.

Q. How does auto-delete work?

A. Deletion occurs once the number of months specified in the deletion policy has elapsed. The clock starts when the application or contact was created; it is NOT reset or triggered by the candidate/contact reaching a particular workflow status or state.

Q. Do I have to delete data if I get a request from an applicant/contact?

A. Please check with your legal team. An erasure request can be refused where you have an overriding lawful basis such as legitimate interest; otherwise delete the data once your legal team gives the go-ahead, and keep a record of the decision.

Q. Who can manually delete data?

A. Deleting an Application record is available only to super-users; using Custom Roles, you can grant this permission to other roles. Deleting a Contact record is available to the Engage user role. Deleting a New Hire record is available to the Orchestrator role.

Q. What data gets deleted, and what are the repercussions?

A. If ALL data is deleted, the entire record is removed, including from historical reporting. If only PII is deleted, the record is removed from the UI but remains available in Reports. Auto-delete only deletes PII. Either deletion operation is irreversible.

Q. What is defined as PII?

A. Name, email, residential address, phone number, etc. You can also delete Custom Fields if you store PII in them.
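The auto-delete clock (months counted from the creation date, never from a workflow state), the difference between a full delete and a PII-only delete/forget, and custom fields flagged as PII, as described in the three answers above, can be modelled in a few lines. The following Python is an added example and is not Evolve ATS code; the record layout, field names, the "[removed]" placeholder, and the sample store are assumptions made for illustration.

```python
"""Illustrative retention and erasure model (added example, not Evolve ATS code)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date

# Standard PII fields named in the article; custom fields are flagged per record.
STANDARD_PII_FIELDS = {"name", "email", "residential_address", "phone"}
ANONYMIZED = "[removed]"  # assumed placeholder written over PII on "forget"


@dataclass
class Record:
    record_id: str
    created_on: date                      # retention clock starts here
    workflow_state: str                   # intentionally ignored by auto-delete
    fields: dict[str, str]
    pii_custom_fields: set[str] = field(default_factory=set)
    pii_removed_on: date | None = None    # populated by forget(); feeds "Removed" reports


def add_months(start: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month."""
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def is_due(record: Record, retention_months: int, today: date) -> bool:
    """Auto-delete rule: due once the policy period has elapsed since creation.

    workflow_state plays no part, matching the article's description.
    """
    return today >= add_months(record.created_on, retention_months)


def forget(record: Record, today: date) -> Record:
    """PII-only deletion: anonymize PII, keep non-PII so reporting stays consistent."""
    pii = STANDARD_PII_FIELDS | record.pii_custom_fields
    for name in record.fields:
        if name in pii:
            record.fields[name] = ANONYMIZED
    record.pii_removed_on = today
    return record


def delete(store: dict[str, Record], record_id: str) -> None:
    """Full deletion: the record disappears entirely, including from reporting."""
    del store[record_id]


def run_auto_delete(store: dict[str, Record], retention_months: int, today: date) -> list[str]:
    """Apply the retention policy; auto-delete anonymizes PII rather than removing records."""
    affected = []
    for rec in store.values():
        if rec.pii_removed_on is None and is_due(rec, retention_months, today):
            forget(rec, today)
            affected.append(rec.record_id)
    return affected


def sample_store() -> dict[str, Record]:
    """Constructed sample data: one hired candidate, one rejected one with a PII custom field."""
    return {
        "A-1": Record("A-1", date(2024, 1, 15), "Hired",
                      {"name": "Ada", "email": "ada@example.com", "source": "Referral", "stage": "Offer"}),
        "A-2": Record("A-2", date(2024, 9, 1), "Rejected",
                      {"name": "Ben", "passport_no": "X123", "source": "Job board"},
                      pii_custom_fields={"passport_no"}),
    }


if __name__ == "__main__":
    store = sample_store()
    print(run_auto_delete(store, 12, date(2025, 1, 15)))   # only A-1 has reached 12 months
    print(store["A-1"].fields)                             # source/stage kept, name/email removed
```

Note that A-1 becomes due although it reached the "Hired" state, and A-2 is untouched although it was rejected months earlier: only the creation date matters. A full `delete` removes the record from the store (and so from reports), while `forget` leaves the non-PII fields for the Candidates Removed reports.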

Q. Can I re-seek consent automatically before auto-deletion?

A. Not at the moment. However, you can manually filter on the list page and re-seek consent via bulk action.

Q. Will Evolve ATS provide a Data Subject Rights Management Portal?

A. This is the customer's responsibility. You can use a privacy email alias, a Contact Us web form, or 3rd party software like OneTrust to manage requests.

Q. Are these capabilities only supportive of GDPR?

A. Not at all. This generic data privacy functionality can also be used for other privacy regimes, such as South Korea's PIPA and Singapore's PDPA.

Related Articles

Consent Policy Setup

Automatic Data Retention

Manual Data Deletion Requests (Right to be Forgotten)
