We've recently received an uptick of inquiries into how Recruiterbox can help you comply with GDPR and other data privacy legislation. Below we're sharing some best practices, originally published last year when the GDPR changes first went into effect.
Is Recruiterbox ready for GDPR?
Yes! Our team has been working hard to align with the principles of GDPR. You can read more about our full setup in this document here.
What actions should teams using Recruiterbox take?
As a Recruiterbox user you are the data controller when it comes to GDPR regulations. Your team should spend time researching and determining what this means for your own setup.
Below are information, recommendations, and setups we've seen teams use, as well as ways Recruiterbox can help you meet your own GDPR goals.
Where is Recruiterbox data stored?
Recruiterbox data is stored on Amazon AWS servers. These are located in the United States.
Your team should determine if you'd like to collect consent from candidates as a part of the application process. If so, you can add this question directly to your application forms.
You can edit your application form within each opening under the "Job Settings" tab.
From here, we recommend using the "Applicants can choose multiple options" question type and leaving only a single option, "Yes".
Make sure you also mark this as a required field.
Candidates must then check "Yes" to give consent before they can submit their application.
Your team can determine the wording of the consent, to your own specifications.
Deletion of candidate data
Recruiterbox does not delete candidate data on your behalf.
We maintain all data in your account unless you request its deletion upon termination of your account, or delete it yourself through the deletion options inside your account.
Your team should determine your own policy for deletion of candidate data. Inside Recruiterbox you have options to delete candidate data:
- In bulk from the candidate dashboard.
- Individually from the candidate's profile.
- Using the advanced search to find candidates by their application date, should your team want to purge candidates after a certain period of time.
All data deletion is permanent; deleted data cannot be recovered.
Note: When you delete data from within Recruiterbox, we only delete information stored within the application.
Candidate emails received by users directly in their inboxes, interview evaluation summaries, calendar invites, and other records that reside in applications outside of Recruiterbox must be deleted manually by each user who may have interacted with the candidate.
EEOC Data Collection Considerations
Recruiterbox has a feature for EEOC data collection and management. This feature is set up to request EEOC data from candidates on a voluntary basis. Each team can decide whether to turn on this collection on an opening-by-opening basis.
Our EEOC feature is designed with United States regulations and hiring in mind; however, it is available to customers regardless of location.
Should your team decide to collect this data, below is some information on how this is viewed by GDPR.
EEOC data includes race and ethnic origin information, which falls into GDPR's standards for "Sensitive Personal Data."
GDPR provides several cases where this is allowed, specifically around employment, especially if the company also requires it to fulfill EEOC guidelines.
Collection is allowed where "processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment."
We encourage your team to review your collection practices around this data, specifically against the EEOC and GDPR guidelines, and determine your own policies for the usage of this information.
If you and your team have any more questions about Recruiterbox and EEOC, please reach out to us at firstname.lastname@example.org!