On CVWarehouse & the General Data Privacy Regulation (GDPR)

As of May 2018, the new European General Data Protection Regulation (GDPR) will apply.

In essence, GDPR compliance boils down to identifying which personally identifiable data are collected throughout an organization on its different data subjects and for what purpose:

  • Consumers (B2C)
  • Customers and business partners (B2B)
  • Candidates & Employees (Recruitment & HR)

The transparency obligation in particular can present quite a technological challenge if you want to give the data subject such control: you must be able to inform a data subject about what data you collect and for what purpose, allow the data subject to amend and correct these data, and let them give or withhold consent to the use of certain data.

The right to be forgotten (removing a subject’s data altogether, even historic data) and the rules on data portability (the obligation to send all data you keep on a data subject to that data subject in a machine-readable format such as PDF, csv or XML) evidently add to this challenge.

The obligation of executing all of the above change requests of a data subject in your organization within a month’s time will make you wish you had a system in place that takes care of that for you.

With CVWarehouse, all of the above requirements are already covered.

From day one, CVWarehouse took privacy seriously and took a bottom-up approach that allows candidates to manage their personal data and information correctly (and actively give consent to use their data for the sole purpose of recruitment).

This approach makes CVWarehouse GDPR compliant by design:

  • Candidates know which data and documents they share with your company for which job or even talent pool.
  • They control this sensitive data and are able to change or delete it in real time, at any time.
  • When candidates want “to be forgotten” CVWarehouse takes care of that for them too.

So don’t worry about your candidates & GDPR, we had you covered from day one!

CVWAREHOUSE & GDPR – FREQUENTLY ASKED QUESTIONS

  • the right to obtain access to the personal data that are processed by CVWarehouse and if these personal data are inaccurate or incomplete, the rectification or completion of these data;
  • the right to have your personal data deleted or to have the processing limited;
  • the transfer of your personal data, either by providing you with a copy in a readable format or by transferring the data directly to another entity if requested so by you;
  • the right to withdraw your consent for personal mailings;

    Is CVWarehouse GDPR compliant?

    CVWarehouse has been audited on GDPR since 8 May 2017 and all actions are being taken to finalise complete GDPR compliance by May 25th 2018.

    Which measures are taken to make CVWarehouse GDPR compliant?
    • A legal and technical audit;
    • Re-writing all legal statements and agreements;
    • Signing processing agreements with both controllers and sub-processors;
    • Appointing a DPO;
    • Keeping an internal register;
    • Organisational measures such as signing NDAs, providing for confidentiality in employment contracts, implementing a data breach policy, …

    Who is the DPO of CVWarehouse?

    Lieve Van de Loo

    Lieve.VandeLoo@cvwarehouse.com

    +32 3 202 42 20

    Is CVWarehouse a controller or processor?

    CVWarehouse can be both:

    1. CVWarehouse is a controller: (1) in case of a "free application" on the CVWarehouse website, whereby the candidate provides their personal information but does not apply for a vacancy of a customer on the CVWarehouse site, or (2) when a candidate applies for a vacancy for CVWarehouse as an organization itself (not one of our customers).
    2. CVWarehouse is a processor: when a candidate applies for a specific online vacancy of a customer (potential employer) on the CVWarehouse website or on the customer's own website. This means that the customers take the initiative to look for candidates and, most of all, process their personal data as they themselves desire (and not CVWarehouse, which only provides a technical solution/platform for customers to be able to do so).

    Do customers need their own privacy and cookie policy?

    Yes, in all cases where the customer is the Controller. Candidates need to accept both the privacy policy of CVWarehouse and of the company that they apply with. Customers need to provide their privacy policy to CVWarehouse to be able to integrate this in the application form.

    What happens with the information that a company attaches to a candidate file?

    This can be done when the information is given to the company by the candidate or is the result of a test. The company is responsible (as controller) for this and will ask a candidate for consent before information is attached to a candidate profile. It is not acceptable for a company to keep track of sensitive information about a candidate such as religious or philosophical beliefs, sexual orientation, information about trade union membership, racial or ethnic origin, political opinions, genetic or biometric data, …; this is forbidden by CVWarehouse (see terms and conditions).

    What happens to documents that a company attached when a candidate wishes to delete itself or is deleted by the company?

    All information about the candidate will be deleted, also in the company profile, 48 hours after such a request. The customer is responsible for deleting all copies and backups of documents on their side within 2 working days. This process, now performed on demand by CVWarehouse, will be automated both for candidates and companies in the near future.

    Can a company input a candidate that didn’t apply through CVWarehouse and has no login?

    In this case, the candidate provided his CV to the company, so the company can input this data in the platform. The company is responsible (as controller) for this and will ask a candidate for consent. The company needs to put a procedure in place to remove this data when a candidate asks to be removed. If a candidate wants to access or rectify his/her data, the company needs to have a procedure to allow the candidate to exercise its rights, as the company is the controller of such data.

    If a file of a candidate needs to be deleted, can we keep the info anonymous in the database?

    Yes, if there is no link to a person after deleting, the data can be kept in the database (for instance for statistical purposes).

    What happens if companies work with Temp agencies in CVWarehouse?

    Then the temp agency has to be GDPR compliant and the company needs to make sure they have a data processing agreement with the temp agency about this.

    What happens to all reports with candidate data?

    All reports will be automatically deleted after 4 months, starting from the date of creation by the customer.

    Do CVWarehouse or its customers need a Data Processing Agreement with job boards like Indeed.com, Mitula, Glassdoor, etc.?

    For all partners with whom CVWarehouse cooperates that also process data from candidates (such as our data center partner), CVWarehouse has signed sub-processor agreements.

    For job board partners such as Indeed, Mitula, etc. this is not applicable as CVWarehouse only sends information about vacancies. Candidates who apply after they have found a vacancy via such a platform, always do so via a CVWarehouse application form. This way CVWarehouse customers are covered by the processing agreement that they have with CVWarehouse. No personal data is therefore being processed by the job boards, so no extra data processing agreement is necessary.

    What is the difference between an "open database system" and a "closed database system" and why is this important for GDPR?

    In an open database system, data subjects can add, manage and/or delete their personal details, for example by means of a personal login or profile account.

    In a closed database system, data subjects fill out a form with information, but don’t have any options afterwards to alter or remove their personal information.

    The CVWarehouse tool can be – at the same time – both a closed and an open system. For all candidates that create a CVWarehouse profile (and use it to apply), the tool is an open database system. For candidate information that was manually added to the tool by a recruiter for example or when applying is done without a profile but by filling in a registration form, the tool is a closed database system.

    The open part of the tool is completely transparent towards data subjects as they can always consult their profile to see which data they are sharing with a company and for which vacancy.

    They can also adjust the data themselves or submit a request for the deletion of their profile.

    As a result of this transparency, working with an open system results in less GDPR administration for organisations, as the profile options for candidates will solve most of the questions or requests of candidates.

    What is data retention and when is it needed?

    Data retention is how long one will use, possess or control information. In a recruitment context, GDPR stipulates that organisations should adopt a data retention policy (as part of a privacy policy) to indicate to data subjects/candidates why they are gathering the information and how long they will keep it.

    As a result hereof, it’s not allowed to keep personal information for a longer period than defined in your data retention policy.

    When drafting your privacy policy towards candidates, it is therefore of the utmost importance to clearly outline the scope of why you are collecting their information and for how long you will hold on to it.

    If you define the scope as gathering information for filling open vacancies, you limit your options more than when you define the scope as gathering information for filling vacancies and building a talent pool for future hiring needs.

    In light of this second scope, it is way more plausible to hold on to personal information of candidates for a longer period than just the duration of the recruitment process of the vacancy they applied for. It is up to you to define either one of these periods, depending on the option you choose.

    For those organisations that do wish to remove candidate information after this retention period, CVWarehouse is analysing the options to help automate this process. For now, a request can be made with CVWarehouse to perform this action.

    What information needs to be included in a privacy policy towards candidates?

    Your privacy policy towards candidates should be brief, easy to find and written in such a way that it is easy to understand for everyone that wants to read it.

    Ideally, your privacy statement will contain information about:

    • who you are as an organisation
    • which data you are gathering
    • why you gather personal data
    • who you may be sharing these data with and for what reason
    • how long you will store the data
    • which rights data subjects/candidates have and how they can exercise their rights
    • whether data are being sent or forwarded outside of the EU
    • who candidates can contact in case of questions or complaints

    What template can be used to create a privacy policy?

    CVWarehouse customers are free to use CVWarehouse’s privacy statement towards candidates as inspiration or a starting point for drafting their own privacy policy towards candidates. Keep in mind though that your own privacy policy will differ from the one CVWarehouse has, as certain aspects will be very different.

    Does a candidate have the right to request all internal information we have kept in their file?

    Candidates have the right to request more details about which personal data is being processed by you, including a copy of that information, but the exercise of this right is limited, as it cannot lead to another person’s rights and freedoms being adversely affected. Therefore, you could rely on this principle to not disclose all purely internal documents to a candidate.

    What is CVWarehouse's privacy statement towards candidates?

    I. Who are we?

    CVWarehouse NV (hereafter “CVWarehouse”), operates the CVWarehouse candidate portal and the company portal on the CVWarehouse website and is the controller or processor (see further) for the processing of personal data.

    You can contact us using the following contact details:

    CV WAREHOUSE NV
    Lambermontstraat 10
    2000 Antwerp
    Belgium

    Tel: +32 3 202 42 20
    Fax: +32 3 248 64 91
    E-mail: info@cvwarehouse.com

    We have appointed a Data Protection Officer ('DPO') that oversees all privacy related matters within CVWarehouse. The contact details for our DPO are:

    Mme Lieve Van de Loo

    Tel: +32 3 202 42 20

    E-mail: lieve.vandeloo@cvwarehouse.com

     

    II. Which personal data do we process?

    We may collect information from visitors of our website in various ways, in particular:

    Anonymous aggregated information

    This is information about all our visitors combined, such as the sections of our website visitors most frequently go to, and the services that they prefer to use. To protect our visitors' rights to privacy, this information is anonymous and aggregated. Therefore no individual CVWarehouse visitor can be identified on the basis of this information. We may use such information to generate anonymous traffic numbers which we may disclose to our clients and the public.

    In our log files (which are files that contain data about events for future reference), we may collect and store Internet Protocol addresses for data safety reasons. We may also use Internet Protocol addresses to draw up anonymous statistics, in order to measure the number of people on our website (traffic) and load balance our systems accordingly to provide optimal response times. We may use these anonymous statistics for accounting purposes to calculate the number of clicks received via our own or websites of our business partners, but we will not use this information to identify visitors of the website.

    Personal data of candidates

    Providing us or our customers (companies you may apply with) with your personal data will lead to the processing of such data by CVWarehouse. We will process all the personal data you provide us with, such as (but not limited to) identity and contact details (name, address, tel. number, e-mail address, date and place of birth, marital status, nationality, sex,…), profession, education, memberships and possibly also sensitive information (such as health data) if such data is provided by you.

    III. Why do we process your personal data?

    We process your personal data to provide you with our services (allowing you to create and use a CVWarehouse profile) and thus to execute the agreement we have with you or because our customers use a job site that is provided and powered by us to process personal data of candidates that apply with them. Filling out a candidate profile and uploading a CV in a free text document for a vacancy of our customers offers the opportunity to CVWarehouse customers to process personal information in the search for the right candidates for their vacancies.

    If a candidate registers on our website directly to create a profile (“free registration”) that candidate can get into contact with potential employers, when the candidate decides to disclose its profile to a potential employer.

    We will also process your personal data for personal mailings if you consent to this by flagging the option "Yes, I want CVWarehouse NV to keep me informed confidentially of future opportunities, a broader network of jobs and candidates". Consenting to this will allow us to send you mailings, basing ourselves on your profile information, in relation to job opportunities of our customers. Again, your data will only be passed on to such other party after you decide yourself you wish to share your personal data when you are interested in a job opportunity.

    Please visit our FAQ section for more practical information on this topic.

    IV. With whom is the collected personal data shared?

    Contrary to other recruitment sites, CVWarehouse never gives any third party access to the personal data that candidates have transferred directly to CVWarehouse, unless the candidate decides to do so themselves (see above section). This way we assure more privacy and safety of use of such personal information than is commonly available in this market space. All information provided remains private and is solely used for the purposes described on our website.

    Firstly, the bulk of collected personal data is only available to employees of CVWarehouse, who have signed a specific non-disclosure agreement concerning the processing of such data. Every customer that uses the company portal on our websites enters into a non-disclosure agreement with us and can only view the details of candidates who have decided to disclose their data to these specific companies or the candidates that have applied directly with them.

    There are two possible scenarios in which your personal data can be shared:

    1. In case of a "free registration" on the CVWarehouse website, whereby you provide your personal information but do not apply for a vacancy on our site, your data is submitted only to CVWarehouse. Your data will only be passed on to a potential employer after you explicitly decide thereto by disclosing your data. When you apply for a vacancy for CVWarehouse as an organization itself (not one of our customers), your data will only be processed by CVWarehouse and will never be transferred to a third party.
       
    2. When you apply for a specific online vacancy of a customer (potential employer) on the CVWarehouse website or on the own website of a customer, your personal data will be processed by that customer and will also be visible for CVWarehouse, as we provide the technical means for such processing by our customers.

    In the first case, CVWarehouse acts as controller for your personal data, as you add your personal data to our database to allow you to create a profile. In the second case, the potential employer (our customer) is the controller and CVWarehouse is merely a processor as it provides a job site used by the company to process your personal data. In both abovementioned cases (save for when you apply with CVWarehouse for a job within our organization), our customers are also solely responsible as controller for the information that they add to a candidate profile themselves following a job interview. Although our customers contractually agree to use your data for their own company recruitment needs only, non-compliance by such companies with this contractual obligation can be notified to our Support Department.

    Today, a candidate's profile is only accessible on the CVWarehouse site in the company login section, by employers who have entered into a contractual relationship with CVWarehouse. A CV may, however, be made accessible in the future via other websites of CVWarehouse subsidiaries or branches in other EU countries and possibly the US and Asia Pacific countries. In such case, a candidate will be notified in a timely fashion and will be asked to consent to this through the profile login or by e-mail.

    Secondly, apart from CVWarehouse and its customers, personal data can also be shared with our technical partners, in order to be able to provide you with our services. Our website is hosted on a server in the EU that is being maintained by CEGEKA, which has access to our databases to ensure the contractual maintenance, but cannot access login and password protected areas. Nevertheless, CEGEKA has entered into a non-disclosure agreement with us. We also work with a limited number of external parties to provide our customers and candidates with some of the functionalities on our website. If and insofar as this is necessary for technical administration and maintenance, CVWarehouse may thus technically forward your data to ensure optimal use of our systems.

    V. How long do we store personal data of candidates?

    Your personal data will not be kept in our database once you stop making use of our services by deleting your profile.

    We will also delete your profile and all personal data in it if you request us to do so rather than doing that yourself, by notifying us or our DPO directly using the contact details mentioned above. Such a request will also result in our customers (with whom you may have applied for a job) not being able to consult your personal data anymore, as your profile will be deleted.

    For information on how long your personal data is stored by our customers who you applied with directly through their website, we refer to the privacy policy of the customer(s) in question.

    VI. Your rights and how to exercise them?

    You have several rights concerning the personal data you provide us with, which you may exercise by notifying us or our DPO directly by using the contact details mentioned above.

    When we are not the controller of your personal data but merely processor (see section IV), we will forward your questions or complaints to the actual controller, our customer, that controls your personal data and is as such responsible for facilitating you in exercising your rights and answering any questions you may have.

    Should you feel that your inquiry with us has not been addressed in a satisfactory manner, you have the right to lodge a complaint with the supervisory data authority:

     

    «  Autorité de protection des données – Gegevensbeschermingsautoriteit »

    Drukpersstraat 35
    1000 Brussels

    +32 (0)2 274 48 00
    commission(at)privacycommission.be

     

    VII. Links to other websites

    CVWarehouse websites may contain links to other websites which are outside the control, influence or responsibility of CVWarehouse. CVWarehouse is not responsible for the protection of personal data or data security practices of other websites or companies operating them. We therefore strongly recommend you to read the privacy policies of such other websites in order to enable you to find out how they may process your personal data. CVWarehouse is not responsible for the use they may make of your personal data. Although we screen the companies and the opportunities, CVWarehouse has no control over, and is hence not responsible for the legality, reliability, quality, truth or accuracy of the job offers posted on its website. We encourage you to promptly inform us if you would obtain knowledge of improper or fraudulent practices through websites linked to the sites of CVWarehouse and/or by companies or persons responsible for or contributing to such practices. The same holds for websites of third-parties that link into our websites.

    VIII. Data Safety

    To access private data, companies as well as candidates need to log in explicitly and submit a password or another kind of exclusive authentication. Authentication security is enabled through various security methods such as intrusion detection, firewalls, encryption, manual procedures and others. Additionally, passwords or any other authentication information will never be communicated by email, as we cannot ensure conclusive safety measures on all browser and email platforms where such information would pass through. Please refer to the FAQ section for further details on loss of authentication details and unlocking blocked accounts.

    IX. Cookies

    Cookies are tiny files that your Web browser places on your hard disk to facilitate surfing websites and to enhance online experience. Cookies are typically used to store information about your preferences for the use of our website.

    If you oppose the use of (certain) cookies you can configure your browser to refuse them in the privacy settings of your browser, which however may result in some inconveniences while surfing on our site. Please view the help-section of your browser for further assistance.

    CVWarehouse uses the following cookies:

    • Technically required cookies:

      These cookies are required to enable core site functionality and cannot be disabled or rejected. These cookies only stay active during your session on our website and are deleted by your browser as soon as you log out. We currently use, for instance, the following cookies: cookies to determine if you consented to the use of cookies, remembering language choice, providing navigation facilities, enabling the search function.

    • Third party and analytical cookies:

      We use third party and analytical cookies to enhance the users' possibilities when navigating the website and for our marketing purposes, as they provide us with insight into visitors (number of visitors, how the website is used, which pages are viewed most, …). These cookies do not stay active for more than 2 years and do not provide us with the possibility to identify you when using the website. When using the third party cookies, you may be identified by that third party (for instance through the social media buttons), but we do not control this information ourselves. We refer to the privacy policy of these third parties if you wish to know more regarding the use of your personal data by those third parties. Our customers may customize their jobsite (as powered by us) by placing cookies that they control and that we do not have any insight into. We refer to the cookie policy of the customers for this.

    We currently use the following third party and analytical cookies ourselves:

    Google Analytics (to provide us with statistics); AddThis (to provide the Social Media Share buttons).