Is CVWarehouse GDPR compliant?
CVWarehouse has been audited on GDPR since 8 May 2017, and all actions are being taken to finalise complete GDPR compliance by May 25th 2018.
Which measures are taken to make CVWarehouse GDPR compliant?
- A legal and technical audit;
- Re-writing all legal statements and agreements;
- Signing processing agreements with both controllers and sub-processors;
- Appointing a DPO;
- Keeping an internal register;
- Organisational measures such as signing NDAs, providing for confidentiality in employment contracts, implementing a data breach policy, …
Who is the DPO of CVWarehouse?
- Lieve Van de Loo
- +32 3 202 42 20
Is CVWarehouse a controller or processor?
CVWarehouse can be both:
- CVWarehouse is a controller: (1) in the case of a “free registration” on the CVWarehouse website, whereby the candidate provides personal information but does not apply for a vacancy of a customer on the CVWarehouse site, or (2) when a candidate applies for a vacancy at CVWarehouse as an organisation itself (not one of our customers);
- CVWarehouse is a processor: when a candidate applies for a specific online vacancy of a customer (potential employer) on the CVWarehouse website or on the customer's own website. This means that the customers take the initiative to look for candidates and, above all, process the candidates' personal data as they themselves see fit (and not CVWarehouse, which only provides a technical solution/platform for customers to be able to do so).
What happens with the information that a company attaches to a candidate file?
This can be done when the information is given to the company by the candidate or is the result of a test. The company is responsible (as controller) for this and will ask a candidate for consent before information is attached to a candidate profile. It is not acceptable for a company to keep track of sensitive information about a candidate, such as religious or philosophical beliefs, sexual orientation, information about trade union membership, racial or ethnic origin, political opinions, genetic or biometric data, …; this is forbidden by CVWarehouse (see terms and conditions).
What happens to documents that a company attached when a candidate wishes to delete itself or is deleted by the company?
All information about the candidate will be deleted, including in the company profile, 48 hours after such a request. This process, now performed on demand by CVWarehouse, will be automated for both candidates and companies in the near future.
Can a company input a candidate that didn’t apply through CVWarehouse and has no login?
In this case, the candidate provided his/her CV to the company, so the company can input this data into the platform. The company is responsible (as controller) for this and will ask the candidate for consent. The company needs to put a procedure in place to remove this data when a candidate asks to be removed. If a candidate wants to access or rectify his/her data, the company needs to have a procedure that allows the candidate to exercise these rights, as the company is the controller of such data.
If a file of a candidate needs to be deleted (when customer is the controller), can we keep the info anonymous in the database?
Yes, if there is no link to a person after deleting, the data can be kept in the database (for instance for statistical purposes).
What happens if companies work with temp agencies in CVWarehouse?
In that case, the temp agency has to be GDPR compliant, and the company needs to make sure it has a data processing agreement with the temp agency covering this.
What happens to all reports with candidate data?
All reports will be automatically deleted after 4 months, starting from the date of creation by the customer.
Do CVWarehouse or its customers need a Data Processing Agreement with job boards like Indeed.com, Mitula, Glassdoor, etc.?
For all partners with whom CVWarehouse cooperates that also process data from candidates (such as our data center partner), CVWarehouse has signed sub-processor agreements.
For job board partners such as Indeed, Mitula, etc. this is not applicable, as CVWarehouse only sends information about vacancies. Candidates who apply after they have found a vacancy via such a platform always do so via a CVWarehouse application form. This way, CVWarehouse customers are covered by the processing agreement that they have with CVWarehouse. No personal data is therefore being processed by the job boards, so no extra data processing agreement is necessary.
What is the difference between an “open database system” and a “closed database system” and why is this important for GDPR?
In an open database system, data subjects can add, manage and/or delete their personal details, for example by means of a personal login or profile account.
In a closed database system, data subjects fill out a form with information, but don’t have any options afterwards to alter or remove their personal information.
The CVWarehouse tool can be – at the same time – both a closed and an open system. For all candidates who create a CVWarehouse profile (and use it to apply), the tool is an open database system. For candidate information that was added to the tool manually (by a recruiter, for example), or when a candidate applies without a profile by filling in a registration form, the tool is a closed database system.
The open part of the tool is completely transparent towards data subjects as they can always consult their profile to see which data they are sharing with a company and for which vacancy.
They can also adjust the data themselves or submit a request for the deletion of their profile.
As a result of this transparency, working with an open system results in less GDPR administration for organisations, as the profile options for candidates will solve most of the questions or requests of candidates.
What is data retention and when is it needed?
As a result hereof, it’s not allowed to keep personal information for a longer period than defined in your data retention policy.
If you define the scope as gathering information for filling open vacancies, you limit your options more than when you define the scope as gathering information for filling vacancies and building a talent pool for future hiring needs.
In light of this second scope, it is far more plausible to hold on to the personal information of candidates for a longer period than just the duration of the recruitment process for the vacancy they applied for. It is up to you to define either one of these periods, depending on the option you choose.
For those organisations that do wish to remove candidate information after this retention period, CVWarehouse is analysing the options to help automate this process. For now, a request can be made with CVWarehouse to perform this action.
Ideally, your privacy statement will contain information about:
- who you are as an organisation
- which data you are gathering
- why you gather personal data
- who you may be sharing these data with and for what reason
- how long you will store the data
- which rights data subjects/candidates have and how they can exercise their rights
- whether data are being sent or forwarded outside of the EU
- who candidates can contact in case of questions or complaints
Does a candidate have the right to request all internal information we have kept in their file?
Candidates have the right to request more details about which personal data is being processed by you, including a copy of that information. The exercise of this right is limited, however, as it cannot lead to another person’s rights and freedoms being adversely affected. Therefore, you could rely on this principle to not disclose all purely internal documents to a candidate.