by GDPR Associates | 15th June 2019 5:34 pm
A new, wide-sweeping data protection law called the General Data Protection Regulation, or the GDPR, went into effect on May 25, 2018, and has had a significant impact on companies that collect and process personal data belonging to data subjects located within the EU member states. Here at Greenhouse, we have worked hard both to ensure our own compliance with the new law and to build features that will assist our customers in their compliance efforts. In this memo, we hope to provide a brief overview of what we have accomplished in that regard and answer some questions you might have, but please feel free to reach out to our support team about any additional concerns that aren’t addressed here.
Like its predecessor data protection frameworks, the GDPR distinguishes between data controllers and data processors. Under the GDPR, our customers are the controllers with respect to the data collected and stored on Greenhouse, because they ultimately “determine the purposes and means of the processing of personal data.” This makes sense because, as between you and Greenhouse, you own the data submitted by your applicants, and you decide whether to process it in the first place, how to process it, and when to delete it. By contrast, the GDPR defines a processor as the person or entity “which processes personal data on behalf of the controller,” and that is the role Greenhouse plays in this context.
Now that we are clear on the definitions of controller and processor, we can discuss some of the primary ways that Greenhouse and Greenhouse customers are impacted by implementation of the GDPR.
Data Security Standards
The GDPR obligates a controller to engage only those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements and protect data subjects’ rights. In order to meet that standard, processors must comply with the measures outlined in Article 32, which require both controllers and processors to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk,” including, for example:
Greenhouse already implements the measures listed above. In addition, we have received our first SOC 2 Type II certification and our ISO 27001 certification.
Data Subject Consent
One question we’ve heard from some of our EU-based customers is “How does Greenhouse plan to help us get consent from individual job applicants to transfer their personal data to the US?” The concern underlying this query is certainly understandable—it is daunting for a company to imagine that it might be required to obtain individual and freely-given consent from every single one of its job applicants, not to mention prospective candidates found on LinkedIn and elsewhere on the Internet, and the administrative headaches associated with such a scheme would be unavoidable. However, the notion that the GDPR requires a controller to obtain consent from each data subject before it can lawfully process his or her personal data is actually a common misconception. On the contrary, according to Article 6 of the GDPR, consent is just one of six distinct legal grounds upon which a controller can process personal data. So long as just one of the following conditions applies, processing will not run afoul of the GDPR:
Because collecting resumes and other relevant information is an entirely “legitimate interest” of a company that is trying to evaluate candidates for employment, and because applicants would indeed expect it, there is no need to obtain consent from individuals who apply to jobs through Greenhouse. Relying on consent is cumbersome, not only because it puts the onus on a company to ask for it in the first place, but because it imposes additional ongoing obligations on the company, such as ensuring that data subjects can withdraw consent at any time and bearing the burden of proving that the consent given adheres to the GDPR’s specific requirements. In short, obtaining consent from applicants to process their data is not only not required under the GDPR, it is also not preferable.
Similarly, the GDPR does not require Greenhouse customers to obtain consent from job applicants to transfer their personal data from the EU to the US. Rather, as has been the case since the Safe Harbor was invalidated in 2015, controllers can lawfully transfer personal data to a processor in the US provided that the processor has sufficient safeguards in place to ensure that the data will be afforded an appropriate level of protection. Article 46 of the GDPR explicitly states that data transfer to the US is legal if the controller and processor have entered into standard contractual clauses adopted by the EU Commission (an example is the “Model Clause” contract that Greenhouse has already entered into with many of its customers) or if an approved certification mechanism demonstrates the processor’s commitment to certain data protection safeguards (an example is the Privacy Shield). Therefore, Greenhouse customers do not need to get consent from data subjects either to process their personal data or to transfer it to the US.
Just as it is not preferable to rely on data subjects’ consent as a legal basis for processing data, a similar rationale cautions against predicating the legality of a transfer of data to the US upon consent. Article 49 makes clear that the parties should rely on consent only as a last resort, if the Model Clauses or another non-consent-based mechanism is not available, because using consent as the precondition for the transfer will subject the parties to heightened restrictions and documentation requirements.
Given all of the above, Greenhouse expects that its EU customers will want to avoid depending on consent from data subjects in order to legally transfer data to Greenhouse. Accordingly, we do not have plans to build functionality to collect and store such consent on the platform. We will, however, have language built into our job boards to meet the requirements of Article 13, which mandates that a controller provide clear and concise language to data subjects at the time of data collection indicating that the controller intends to transfer personal data to a third country, with reference to the safeguards in place that render the transfer legal.
The Right to Be Forgotten
In keeping with its general goal of expanding individuals’ control over the use of their personal data, the GDPR confers a new right upon data subjects: the right to be forgotten, also referred to as the right to erasure, which is discussed in Article 17. According to the law, controllers must erase personal data (1) upon the request of the data subject to whom it pertains; or (2) when “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.” As the data controller, it is up to you to decide the point in the application/hiring process at which you no longer have a legitimate interest in retaining a candidate’s personal data, and such determinations will depend on your company’s specific processes and practices.
Greenhouse has built easily configurable tools that will allow you to comply with these obligations quickly and efficiently, enabling you to:
Enhanced Rights to Notice and Access
In addition, the GDPR will increase a controller’s obligations regarding the information it is required to provide to data subjects. Among the items that must be disclosed at the time personal data is collected are the purposes of the processing, any recipients of the data, whether the data will be transferred internationally and under what legal grounds, and how long the data will be stored. Additionally, controllers must notify data subjects of their rights to request access to the data or lodge a complaint with a supervisory authority. This is language that Greenhouse has built into job boards so that all the necessary notifications and disclosures are made at the time that a candidate applies to a job.
Pursuant to Article 15, data subjects now have a more robust right to access the personal data concerning them that is being processed. Greenhouse has built a feature that will enable our customers to easily respond to and act upon requests from individuals to access their personal data. Specifically, you can preconfigure which data should be made available to a candidate who has submitted an access request, and then grant the access by clicking a button on the candidate profile. The data will then be provided to the candidate in the form of a CSV file, which satisfies the GDPR requirement of data portability set forth in Article 20.
The Right to Object
Article 21 of the GDPR grants data subjects an unequivocal right to object to their personal data being processed for direct marketing purposes and related profiling. If a candidate makes this objection, Greenhouse already has a “do not email” feature in place which, when enabled, will prevent Greenhouse from sending any email to that candidate.
This article was originally posted at: https://www.gdpr.associates/legal-memo-greenhouse-and-the-general-data-protection-regulation-gdpr/
Copyright ©2020 GDPR Associates unless otherwise noted.