General Data Protection Regulation (GDPR)

GDPR overview

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) law that was drafted in an attempt to harmonize privacy laws across Europe. The goal of this law is to empower and protect EU citizens’ fundamental right to data privacy.

What types of data does the GDPR protect?

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags, provided such data can be used to identify an EU individual
  • Other personal information like health and genetic data, biometric data, racial or ethnic data, political opinions and sexual orientation, to the extent such data can be used to identify an individual

What is the scope of the GDPR?

The GDPR applies to all companies that process personal data relating to European Union (EU) data subjects, regardless of the company’s location.

Are there penalties for non-compliance with the GDPR?

Organizations that fail to comply with the law may face fines of up to €20 million or 4% of global annual turnover (revenue), whichever is higher.

Greenhouse GDPR features enable our customers to process personal data relating to their candidates in compliance with the GDPR.

Greenhouse GDPR capabilities for the right to be forgotten

Greenhouse has built-in functionality that makes it easy for customers to comply with data deletion requests from candidates and to set up bulk deletion processes based on predetermined, company-specific retention periods.

Local time frame for keeping candidate data

What the regulation requires
Under the GDPR, data subjects have the right to request that a company delete any personal data that is known about them. In addition, companies are required to delete data when they no longer have a legal basis (for example, legitimate interest or consent) to continue processing the data.

What is the feature?
This feature allows you to specify a timeframe to keep personal data and bulk-erase it when that time expires. You can also configure which data is deleted when a candidate asks to be deleted or withdraws consent.

How to do it

Organizations may choose which data about a candidate should be anonymized to ensure non-personal data such as stage transition data is not impacted.

One-off candidate deletion is also possible with one click within this application. When data is deleted within the customer’s Greenhouse account, it is simultaneously deleted on Greenhouse’s end, although backups are retained for an additional 30 days.

Automated consent extension

What the regulation requires
Companies should not retain personal data beyond the point that they have a “legitimate interest” in the data or after the time period of “explicit consent” provided by a candidate has elapsed.

What is the feature?
This feature allows organizations to automatically request an extension of the consent period.

How to do it
Generate emails to candidates requesting permission to keep their personal data longer than the company’s preset default timeframe, and retain that personal data when candidates agree.

For enhanced rights to notice and access

The GDPR significantly enhances people’s right to access their own personal data. Companies need to provide required notifications to data subjects at the time of collection and must be able to provide that data to candidates upon request in an efficient and easily portable format.

What the regulation requires

Companies are required to notify candidates of a variety of details at the time personal data is collected (for example, when a candidate applies to a job), including why they are collecting certain information, how long it will be stored and where it will be sent.

Data subjects have a right to request access to any personal data relating to them that is being processed by a company.

What is the feature?
Greenhouse’s Candidate Packets functionality allows you to easily and quickly fulfill data access requests from candidates using.

How to do it
Click a few buttons to configure the components you want to share and send them to candidates in a PDF file.

For the right to object

The GDPR gives EU data subjects the right to object to their personal data being processed for direct marketing purposes and related profiling.

What the regulation requires
Data subjects have the right to object to their personal data being used by companies for marketing purposes, and those who have objected should not be contacted.

What is the feature?

The “Do not email” feature prevents any Greenhouse-generated emails from being sent to the candidate.

How to do it
Select the checkbox to activate.

Find out more in these resources

For non-lawyers:
Greenhouse, EU compliance and the General Data Protection Regulation (GDPR)

Legal memo:
Greenhouse and the General Data Protection Regulation (GDPR)

On the blog:
Our Greenhouse readiness plan for the General Data Protection Regulation (GDPR)

Contact us

Have more questions? If you are a current customer, reach out to customer support. If you aren’t a customer, get in touch with our team.