Skip to main content

On CVWarehouse & the General Data Privacy Regulation (GDPR)

On CVWarehouse & the General Data Privacy Regulation (GDPR)

As of May 2018, the new European General Data Protection Regulation (GDPR) will apply.

In essence, GDPR compliance boils down to identifying which personal identifiable data are collected throughout an organization on its different data subjects and for whatpurpose:

  • Consumers (B2C)
  • Customers and business partners (B2B)
  • Candidates & Employees (Recruitment & HR)

Especially the transparency obligation to be able to inform a data subject about what data you collect for what purpose, to allow the data subject to amend and correct these data and to give or not give consent to use certain data can present quite a technological challenge if you want to give the data subject such control.

The right to be forgotten (remove a subject’s data altogether, even historic data) and the rulings on data portability (the obligation to send all data you keep on a data subject to the data subject in a machine-readable format (PDF, csv, XML)) evidently add to this challenge.

The obligation of executing all of the above change requests of a data subject in your organization within a month’s time will make you wish you had a system in place that takes care of that for you.

With CVWarehouse, all of the above requirements are already covered.

From day one, CVWarehouse took privacy seriously and took a bottom-up approach that allows the candidate to manage its personal data and information correctly (and actively give consent to use their data for the sole purpose of recruitment).

This  approach makes CVWarehouse GDPR compliant by design:

  • Candidates know which data and documents they share with your company for which job or even talent pool.
  • They control this sensitive data and are able to change or delete them real-time, any time.
  • When candidates want “to be forgotten” CVWarehouse takes care of that for them too.

So don’t worry about your candidates & GDPR, we had you covered from day one!


GDPR Communications



  • the right to obtain access to the personal data that are processed by CVWarehouse and if these personal data are inaccurate or incomplete, the rectification or completion of these data;
  • the right to have your personal data deleted or to have the processing limited;
  • the transfer of your personal data, either by providing you with a copy in a readable format or by transferring the data directly to another entity if requested so by you;
  • the right to withdraw your consent for personal mailings;
    Is CVWarehouse GDPR compliant?

    CVWarehouse has been audited on GDPR since 8 May 2017 and all actions are taken to be able to finalise the complete GDPR compliancy by May 25th 2018.

    Which measures are taken to make CVWarehouse GDPR compliant?
    • A legal and technical audit;
    • Re-writing all legal statements and agreements;
    • Signing processing agreements with both controllers and sub-processors;
    • Appointing a DPO;
    • Keeping an internal register;
    • Organisational measures to signing NDAs, foreseeing confidentiality in employment contracts, implementing a data breach policy, …
    Who is the DPO of CVWarehouse?

    Lieve Van de Loo

    +32 3 202 42 20

    Is CVWarehouse a controller or processor?

    CVWarehouse can be both:

    1. CVWarehouse is a controller : (1) in case of a "free application" on the CVWarehouse website, whereby the candidate provides its personal information but does not apply for a vacancy of a customer on the CVWarehouse site, or (2) when a candidate applies for a vacancy for CVWarehouse as an organization itself (not one of our customers),
    2. CVWarehouse is a processor : when a candidate applies for a specific online vacancy of a customer (potential employer) on the CVWarehouse website or on the own website of a customer. This means that the customers take the initiative to look for candidates and most of all process their personal data as they desire themselves (and not CVWarehouse, who only provides a technical solution/platform for customers to be able to do so).
    Do customers need an own privacy and cookie policy?

    Yes, in all cases where the customer is the Controller. Candidates need to accept both the privacy policy of CVWarehouse and of the company that they apply with. Customers need to provide their privacy policy to CVWarehouse to be able to integrate this in the application form.

    What happens with the information that a company attaches to a candidate file?

    This can be done when this information is given to the company by the candidate or are a result of a test. The company is responsible (as controller) for this and will ask a candidate for consent before information is attached to a candidate profile. This is not OK if a company keeps track of sensitive information about a candidate like religious or philosophical beliefs, sexual orientation, information about trade union membership, racial or ethnic origin, political opinions, genetic or biometric data, … which is forbidden by CVWarehouse (see terms and conditions).

    What happens to documents that a company attached when a candidate wishes to delete itself or is deleted by the company?

    All information about the candidate will be deleted, also in the company profile after 48 hours after such a request. The customer is responsible to delete all copies and backups of documents on their side within 2 working days. This process, now performed on demand by CVWarehouse, will be automated both for candidates and companies in the near future.

    Can a company input a candidate that didn’t apply through CVWarehouse and has no login?

    In this case, the candidate provided his CV to the company, so the company can input this data in the platform. The company is responsible (as controller) for this and will ask a candidate for consent. The company needs to put a procedure in place to remove this data when a candidate asks to be removed. If a candidate wants to access or rectify his/her data, the company needs to have a procedure to allow the candidate to exercise its rights, as the company is the controller of such data.

    If a file of a candidate needs to be deleted, can we keep the info anonymous in the database?

    Yes, if there is no link to a person after deleting, the data can be kept in the database (for instance for statistical purposes).

    What happens if companies work with Temp agencies in CVWarehouse?

    Then the temp agency has to be GDPR compliant and the company needs to make sure they have a data processing agreement with the temp agency about this.

    What happens to all reports with candidate data?

    All reports will be automatically deleted after 4 months, starting from the date of creation by the customer.

    Do CVWarehouse or its customers need a Data Processing Agreement with job boards like, Mitula, Glassdoor, etc.?

    For all partners with whom CVWarehouse cooperates that also process data from candidates (such as our data center partner), CVWarehouse has signed sub-processor agreements.

    For job board partners such as Indeed, Mitula, etc. this is not applicable as CVWarehouse only sends information about vacancies. Candidates who apply after they have found a vacancy via such a platform, always do so via a CVWarehouse application form. This way CVWarehouse customers are covered by the processing agreement that they have with CVWarehouse. No personal data is therefore being processed by the job boards, so no extra data processing agreement is necessary.

    What is the difference between an "open database system" and a "closed database system" and why is this important for GDPR?

    In an open database system, data subjects can add, manage and/or delete their personal details, for example by means of a personal login or profile account.

    In a closed database system, data subjects fill out a form with information, but don’t have any options afterwards to alter or remove their personal information.

    The CVWarehouse tool can be – at the same time – both a closed and an open system. For all candidates that create a CVWarehouse profile (and use it to apply), the tool is an open database system. For candidate information that was manually added to the tool by a recruiter for example or when applying is done without a profile but by filling in a registration form, the tool is a closed database system.

    The open part of the tool is completely transparent towards data subjects as they can always consult their profile to see which data they are sharing with a company and for which vacancy.

    They can also adjust the data themselves or submit a request for the deletion of their profile.

    As a result of this transparency, working with an open system results in less GDPR administration for organisations, as the profile options for candidates will solve most of the questions or requests of candidates.

    What is data retention and when is it needed?

    Data retention is how long one will use, possess or control information. In a recruitment context, GDPR stipulates that organizations should adopt a data retention policy (as part of a privacy policy) to indicate to data subjects/candidates why they are gathering the information and how long they will keep it.

    As a result hereof, it’s not allowed to keep personal information for a longer period than defined in your data retention policy.

    When drafting your privacy policy towards candidates, it is therefore of the utmost importance to clearly outline the scope of why you are collecting their information and for how long you will hold on to it.

    If you define the scope as gathering information for filling open vacancies, you limit your options more than when you define the scope as gathering information for filling vacancies and building a talent pool for future hiring needs.

    In light of this second scope, it is way more plausible to hold on to personal information of candidates for a longer period than just the duration of the recruitment process of the vacancy they applied for. It is up to you to define either one of these periods, depending on the option you choose.


    How can CVWarehouse help my company set up a Retention Period?

    If your organization has defined a Retention Period on your organization’s Privacy Policy, CVWarehouse has a feature that allows you to set up your own retention period.

    Based on these Retention Period ATS settings, CVWarehouse will delete candidate data from your database.

    Candidates will receive an email and are given the option to continue sharing their data with your organization for another renewed Retention Period.

    The CVWarehouse platform ensures a clear and transparent communication between organizations and candidates.

    With this feature, CVWarehouse helps you enforce your own Retention Period rules, be GDPR Compliant, and reassures you of a transparent, automated and traceable process.

    What information needs to be included in a privacy policy towards candidates?

    Your privacy policy towards candidates should be brief, easy to find and written in such a way that it is easy to understand for everyone that wants to read it.

    Ideally, your privacy statement will contain information about:

    • who you are as an organisation
    • which data you are gathering
    • why you gather personal data
    • who you may be sharing these data with and for what reason
    • how long you will store the data
    • which rights data subjects/candidates have and how they can exercise their rights
    • whether data are being sent or forwarded outside of the EU
    • who candidates can contact in case of questions or complaints
    What template can be used to create a privacy policy?

    CVWarehouse customers are free to use CVWarehouse’s privacy statement towards candidates as inspiration or a starting point for drafting their own privacy policy towards candidates. Keep in mind though that your own privacy policy will differ from the one CVWarehouse has, as certain aspects will be very different.

    Does a candidate have the right to request all internal information we have kept in their file?

    Candidates have the right to request more details about which personal data is being processed by you, including a copy of that information but exercising this right is limited as it cannot lead to another person’s rights and freedoms being adversely affected. Therefore, you could base yourself on this principle to not disclose all purely internal documents to a candidate.

    What is CVWarehouse's privacy statement towards candidates?

    Please click here to read.