This document is intended for informative purposes only. It does not constitute legal advice regarding the GDPR or any other matter, and may not be used or relied on for such purposes.
Background on the GDPR
Comeet has developed this document to explain about its platform’s compliance with the GDPR.
In April 2016, the European Parliament passed into law a sweeping reform in the areas of data protection and data privacy. The European General Data Protection Regulation (the “GDPR”) entered into effect on May 25, 2018 in each of the 28 EU member states. It replaced the European Data Protection Directive first enacted in the EU in 1995.
The GDPR encompasses dozens of pages and imposes strict obligations on companies and organizations in virtually every aspect of collecting, processing, handling and storing personal data. At the same time, the GDPR enhances the rights of data subjects to control how their personal data are collected and used. Remedies are also defined in the GDPR language.
Due to the extensive reach of the GDPR, European and non-European companies and organizations are affected and should conduct compliance reviews to ensure they meet the requirements.
To ensure that our data handling practices comply with GDPR (for both ourselves and our customers), we have been working on GDPR compliance for several months. The planning has included extensive conversations with companies and legal resources that operate inside and outside the EU. Our GDPR compliance planning has been guided by the following principles:
- No “One size fits all” roadmap – Companies have to respond differently to the new regulations based on various factors such as: the countries in the EU in which they operate, whether the company’s sole operations are in the EU, the channels used to acquire candidates and varying interpretations of the GDPR.
- Minimize the effect on operations outside the EU – Many of our customers operate globally; the EU is just one of several regions. We understand that, while they need to comply with GDPR, avoiding interruptions to operations in other regions is also critical. Therefore, a “business as usual” continuation is also very important.
- Flexibility & control – Rather than mandate rigidity, we want companies to have the control and flexibility to define and implement their own policies. This means enabling customers to manage their hiring processes and data collection and retention policies. This extends to defining separate policies for candidates who are unaffected by GDPR.
- Help companies to prepare – GDPR preparation takes time, time for internal activities as well as time for candidates to make consent decisions. Companies need to define their policies, edit email templates and notifications, and adjust automation rules before the GDPR takes effect. Moreover, some of our customers may begin obtaining consent from existing candidates to allow sufficient time for data opt-in consent.
- Enforce policies – We designed the new GDPR-related changes in Comeet the same way we develop other product features: we give the organization the flexibility to define policies and, where needed, limit the actions of employees to enforce these policies and avoid mistakes.
- Automate – Automation is a key foundation of Comeet. We’re constantly seeking to automate actions and tasks. New GDPR-related automation includes the way we request candidate consent so that candidates can grant consent or withdraw it.
- Make it simple – While the legal language of the GDPR may sound intimidating to many, recruiters, hiring managers and interviewers don’t need to be legal experts to follow the organization’s policies and comply with the new regulations. We’ve made the path to compliance clear, simple and accessible to everyone.
- Leverage the opportunity – GDPR compliance may be a burden to many, but we encourage you to recognize the opportunities in becoming compliant. These include clarifying your organization’s data-handling policies, improving the candidate experience and removing outdated resumes from your database.
GDPR Applicability to the Comeet platform
Comeet has worked diligently to comply with the GDPR.
The GDPR applies to businesses with an establishment in the EU. Establishment means any regular exercise of business activity. Every organization with an EU establishment that uses the Comeet platform must comply with the GDPR. This in turn means that the Comeet platform itself must handle data according to GDPR compliance requirements.
The GDPR also applies to businesses established outside the EU subject to each of the following:
- They collect and process personal data of EU data subjects.
- The processing activities are related to goods or services (paid or free) offered to EU data subjects.
EU applicants interact with and use the applicant-facing portions of the Comeet platform. It may be that EU applicants’ use of the Comeet platform triggers the applicability of the GDPR with respect to the Comeet platform.
The respective roles of the data controller and a data processor
The recruiting organization (Comeet’s corporate customer) is the data controller under the GDPR and Comeet is the data processor under the GDPR processing the data for and on behalf of that organization.
A key GDPR concept is the distinction between the data controller and the data processor. Recognizing that not all organizations involved in processing personal data have the same degree of responsibility, the GDPR distinguishes between a data controller and a data processor.
Generally, the controller is the organization that exercises significant decision making as to the purposes for processing the data and chooses the methods for doing so. It is the organization that determines or controls issues such as:
- Whether to collect the personal data about candidates. For example, it is Comeet’s customer, the recruiting organization, that decides to collect data about candidates for open positions.
- Which data to collect about candidates. For example, it is Comeet’s customer, the recruiting organization, that determines which CV fields it wants to collect; the questions, if any, candidates must answer as part of an online questionnaire; and the information asked of candidates through the online candidate form on the recruiting organization’s career webpage.
- How long to retain data. For example, it is Comeet’s customer, the recruiting organization, that determines when to delete candidate information from the platform. Organizations can configure the platform to automatically delete the personal data of rejected candidates once the position has been filled.
- With whom data should be shared after hiring. For example, it is Comeet’s customer, the recruiting organization, that determines whether to export a hired candidate’s information to the organization’s internal HR systems.
- The legal basis for collecting the data. For example, it is Comeet’s customer, the recruiting organization, that determines whether to collect the data on the basis of the candidate’s affirmative consent, on the basis of local legislation permitting data processing of employment candidates or on the basis of the customer’s legitimate interests.
The processor, on the other hand, is an organization that determines issues such as:
- The technical methods for processing the data for and on behalf of the controller. Comeet — not the controller — has designed and developed the technical features of the platform’s data processing activities.
- The technical details of how the data is safeguarded. Comeet — not the controller — has designed and developed the data security features of the platform.
Our GDPR-compliant engagement agreements with our customers
Comeet has GDPR-driven contract provisions in place with its customers.
The GDPR requires that Comeet provide customers with written contracts that define the subject-matter and duration of Comeet’s processing activities for the customer, the nature and purpose of the processing, the type of personal data and categories of data subjects, as well as the obligations and rights of Comeet and its customers.
The GDPR also requires that these contracts define or confirm specific issues, such as:
- Data processing is conducted according to documented instructions from the customer
- Comeet personnel authorized to handle the customer’s personal data have committed themselves to confidentiality
- Comeet has implemented appropriate technical and organizational measures for data security
- Comeet assists customers with the customer’s data breach obligations and in customer’s performance of a data protection impact assessment
- Comeet deletes or returns the personal data to the customer after the end of the engagement between Comeet and the customer
- Comeet makes available to the customer all information necessary to demonstrate compliance with the obligations laid down in the GDPR
- Comeet is required to allow for and contribute to audits, including inspections, conducted by the customer or another auditor mandated by the controller
- Comeet technically assists the customer, to the extent practicable, in the fulfilment of the customer’s obligation to respond to requests for exercising the data subject’s rights under the GDPR
Processing the data pursuant to documented customer instructions
The Comeet platform has GDPR-driven controls and configuration options in place through which customers, as data controllers, provide their data processing instructions to Comeet as a data processor.
The GDPR requires processors like Comeet to process personal data only pursuant to the documented instructions of their customer.
Through the Comeet platform’s various customer control and configuration options, the customer conveys to Comeet documented instructions regarding matters such as:
- Which partners to source candidates from
- Whether to source candidates from professional networks such as LinkedIn and what information to extract from those sources
- Whether or not to source candidates from a designated email address to which CVs are sent
- What information to seek from candidates through the online candidate form on the recruiting organization’s career webpage
- What questions to ask candidates through an online candidate questionnaire
- Whether to obtain candidate evaluation data from outside evaluation providers
- Whether to feed a candidate’s data from the Comeet platform to the organization’s HR system and when to delete candidate data
- Whether to obtain candidate profiles from the web, including professional profiles (such as Github, Stackoverflow, Behance) and social profiles (such as Facebook, Twitter, YouTube).
- Whether to obtain candidates’ contact details (email address, phone number) from sources on the web.
Legal basis for data processing
The Comeet platform helps the recruiting organization document the legal basis for processing candidate data and helps seek the candidate’s unambiguous informed consent wherever the organization decides to rely on consent as the legal basis.
The GDPR provides that processing personal data shall be lawful only if and to the extent processing is performed pursuant to one or more of the recognized legal bases for data processing. Among the recognized legal bases for processing are the following:
- Where the candidate has freely given the recruiting organization his or her unambiguous informed consent to processing his or her personal data for one or more specific purposes; or
- Where processing is necessary for the purposes of the legitimate interests pursued by the recruiting organization except where such interests are overridden by the interests or fundamental rights and freedoms of the candidate which require protection of personal data; or
- Where local law provides an independent legal basis for processing personal data of candidates for recruitment purposes
Although it is up to the recruiting organization to analyze and determine the legal basis for its processing of candidate data, the Comeet platform assists the organization in substantiating the legal basis.
First, the Comeet platform helps the organization track the legal basis for processing candidate data. The platform attributes a record to each candidate, through which the organization can flag the legal basis used for processing that candidate’s data.
Second, where the organization determines that the candidate’s consent should serve as the legal basis for processing his or her data, the Comeet platform provides the organization an option to seek the candidate’s unambiguous informed consent at two levels of granularity:
- Processing his or her data for a specific position
- Processing his or her data for other positions or future available positions
Additionally, the platform provides consenting candidates an easy opt-out option to withdraw their consent at any time, consistent with the GDPR’s requirements.
Data Retention, deletion and pseudonymization
The Comeet platform adheres to defined policies for data retention, provides tools for manual and automated pseudonymization of candidate-data and offers flexibility in defining which candidates are data subjects protected by the GDPR.
The Comeet platform facilitates the organization’s defined policies for data retention. The organization can define how long candidate data is kept (e.g., on the basis of legitimate interest) before candidate consent is sought.
To address the need for removal of personal data, Comeet provides the organization tools for manual and automated pseudonymization of candidate data. The pseudonymization process keeps only non-identifying data and an encrypted form of identifying data, so that the organization can re-identify a prior candidate and retrieve his or her hiring process history in the event that the candidate is re-sourced into the Comeet platform (e.g., applying for another position).
Comeet has many customers that are global companies operating in the EU and other regions. Comeet therefore allows companies to define their policy as to which candidates are data subjects protected by the GDPR. The Comeet platform enables the company to define a data subject as any candidate who applies for positions in the EU, and optionally to extend that definition to candidates who apply from the EU or identify themselves as located in the EU.
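The following is an added illustration of the pseudonymization pattern described above; it is not Comeet’s code and does not reflect how the Comeet platform is implemented. It shows the two halves of the mechanism: stripping the identifying fields from a rejected candidate’s record while keeping the hiring history, and later matching a re-sourced applicant against those records. Where the text speaks of an “encrypted form” of identifying data, this example uses a keyed one-way pseudonym (HMAC-SHA256 over the normalized email under an organization-specific secret key); that choice, the field names, the `ORG_PSEUDONYM_KEY` constant and the sample record are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Assumed set of fields treated as directly identifying in this example.
IDENTIFYING_FIELDS = ("name", "email", "phone", "resume_text")

# Hypothetical per-organization secret. In a real deployment this would be
# held in a secrets manager, not generated at import time; it only needs to be
# stable for as long as the organization wants re-identification to work.
ORG_PSEUDONYM_KEY = secrets.token_bytes(32)


def normalize_email(email: str) -> str:
    """Canonical form so that 'Jane.Doe@Example.com ' and 'jane.doe@example.com' match."""
    return email.strip().lower()


def pseudonym_for(email: str, key: bytes) -> str:
    """Keyed one-way pseudonym of the email address.

    An HMAC is used instead of a bare hash: without the key, nobody can
    re-identify a record by hashing guessed addresses and comparing digests.
    """
    return hmac.new(key, normalize_email(email).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes) -> dict:
    """Return a copy of the record with identifying fields removed and a pseudonym attached.

    Non-identifying data (position, stage history, scores) is kept as-is so the
    organization retains the hiring process history.
    """
    out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    out["pseudonym"] = pseudonym_for(record["email"], key)
    out["pseudonymized"] = True
    return out


def find_prior_history(store: list, email: str, key: bytes) -> list:
    """On re-sourcing, compute the new applicant's pseudonym and match it against stored records."""
    wanted = pseudonym_for(email, key)
    return [r for r in store if r.get("pseudonymized") and r.get("pseudonym") == wanted]


if __name__ == "__main__":
    # Constructed sample record, not real candidate data.
    rejected = {
        "candidate_id": 17,
        "name": "Jane Doe",
        "email": "Jane.Doe@example.com",
        "phone": "+1 555 0100",
        "resume_text": "...",
        "position": "Backend engineer",
        "stage_history": ["applied", "phone screen", "rejected"],
    }
    store = [pseudonymize(rejected, ORG_PSEUDONYM_KEY)]
    print("stored:", store[0])
    # The same person applies again for another position, with different email casing.
    print("matches:", find_prior_history(store, "jane.doe@EXAMPLE.com", ORG_PSEUDONYM_KEY))
    # An unrelated applicant finds nothing.
    print("matches:", find_prior_history(store, "someone.else@example.com", ORG_PSEUDONYM_KEY))
```

The design point worth noticing is that the pseudonym is only meaningful to whoever holds the key: rotating or destroying `ORG_PSEUDONYM_KEY` turns the remaining records into effectively anonymous history, which is the lever an organization would pull if it later decided re-identification should no longer be possible.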
Transitioning the legal basis into the GDPR era
The Comeet platform enables existing customers to seek the unambiguous informed consent of all their past and present candidates as a transitional step into the GDPR era.
When transitioning into the GDPR era, Comeet’s existing customers may determine that they wish to obtain (or re-obtain) the consent of candidates on file. To this end, the Comeet platform enables existing customers to contact all past and present candidates to seek their unambiguous informed consent at the levels of granularity outlined above.
Privacy Notice to candidates
The Comeet platform enables the recruiting organization to provide candidates a privacy notice consistent with the GDPR’s transparency principle.
Under the GDPR’s transparency principle, candidates must be given a privacy notice outlining various issues regarding the data processing practices taken. The notice must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The Comeet platform offers its customers a general-purpose privacy notice that customers may edit and present to candidates. Although customers may use the notice “as is”, they are encouraged to edit it for their specific circumstances.
The Comeet platform’s use of subcontractors for data processing activities is consistent with the GDPR’s requirements for subprocessors.
The GDPR permits processors, like Comeet, to use subcontractors for data processing activities (“subprocessors”), subject to three conditions.
First, Comeet performed prior due diligence into each proposed subprocessor’s data protection practices to confirm that the subprocessor provides sufficient guarantees that its processing meets GDPR requirements.
Second, Comeet’s customers need to authorize the use of subprocessors. Comeet, in its GDPR-driven contracts with customers, obtains from customers a general authorization to use subprocessors. Comeet maintains online an updated list of its subprocessors. Comeet also informs its customers of any intended changes concerning the addition or replacement of subprocessors, and gives customers the opportunity to object to such changes. (If the customer objects and the proposed change is a material component in the Comeet platform, Comeet reserves the right to terminate its agreement with that customer).
Third, Comeet entered into a data processing agreement with the subprocessor that is consistent with GDPR requirements for such engagements.
Cross-border data transfers
If Comeet processes data in non-EU territories, it does so under GDPR-recognized cross-border safeguards.
The GDPR restricts the cross-border transfer of personal data to jurisdictions outside the European Economic Area (EEA). As a general rule, personal data may only be transferred to jurisdictions recognized by the EU Commission as having an adequate level of data protection, or otherwise transferred under appropriate safeguards.
The Comeet platform stores personal data in Amazon Web Services’ storage servers located in the European Economic Area. In addition, Comeet and its sub-processors only process personal data in member states of the European Economic Area, in territories or territorial sectors (e.g., Privacy Shield) recognized by an adequacy decision of the European Commission as providing an adequate level of protection for personal data, or through recipients subject to adequate safeguards under the GDPR (e.g., Model Clauses).
Assisting the customer with requests of data subjects seeking to exercise their GDPR rights
The Comeet platform provides tools to help the organization accommodate candidate requests to exercise their data protection rights under the GDPR.
The GDPR requires processors like Comeet to technically assist the customer, to the extent practicable, in the fulfilment of the customer’s obligation to respond to requests for exercising the data subject’s rights under the GDPR.
To this end, the Comeet platform provides recruiting organizations a variety of tools to help accommodate candidate requests to exercise their rights in relation to their personal data, such as:
- Retrieving candidate data so that the organization may send the data to the candidate for review.
- Providing the organization tools to correct candidate data in response to a candidate’s request to do so.
- Allowing candidates to withdraw their consent or otherwise exercise their right to be forgotten, by giving the customer the tools to delete or choose to pseudonymize candidate data.
- Fetching candidate data in a structured format, so that the organization can send the data to the candidate seeking to exercise his or her right to data portability.
- Giving the recruiting organization control over whether or not to configure automated decision making (e.g., whether or not to reject a candidate automatically based on his/her responses to a questionnaire or an evaluation score).
Comeet implements appropriate technical and organizational measures to secure personal data.
The GDPR requires both controller and processors to implement appropriate technical and organizational measures to secure personal data, including encryption and security tests.
Comeet takes measures to protect against unauthorized access to, or unauthorized alteration, disclosure or destruction of, personal data. These include managing database access privileges, use of firewalls, UTM (a unified threat management protection system), virtual private networks and subnet segregation, and penetration testing conducted by an independent third party at least once a year. Comeet also uses a reputable third-party auditor to perform an annual audit of its security controls.
In addition, Comeet restricts data access to a group of employees and contractors who need access to that information. These individuals are bound by confidentiality and data security obligations and are subject to disciplinary measures, including termination, if they fail to meet these obligations.
Handling data breaches
Comeet complies with the data breach responsibilities that the GDPR imposes on processors.
Pursuant to the GDPR’s requirements, Comeet shall without undue delay notify its customers of any security breach it becomes aware of regarding personal data that Comeet processes. Comeet endeavors to mitigate the breach and prevent its recurrence. Comeet also cooperates with its customers so that customers can address the data breach obligations imposed upon them.
For these purposes, Comeet is developing an appropriate data breach response plan and business continuity plan and conducting breach response training exercises.