On CVWarehouse & the General Data Privacy Regulation (GDPR)

In essence, GDPR compliance boils down to identifying which personally identifiable data are collected throughout an organization on its different data subjects and for what purpose:

• Consumers (B2C)
• Customers and business partners (B2B)
• Candidates & Employees (Recruitment & HR)

Especially the transparency obligation to be able to inform a data subject about what data you collect for what purpose, to allow the data subject to amend and correct these data and to give or not give consent to use certain data can present quite a technological challenge if you want to give the data subject such control.

The right to be forgotten (remove a subject’s data altogether, even historic data) and the rulings on data portability (the obligation to send all data you keep on a data subject to the data subject in a machine-readable format (PDF, csv, XML)) evidently add to this challenge.

CVWarehouse is GDPR compliant since May 2018.

• A legal and technical audit;
• Re-writing all legal statements and agreements;
• Signing processing agreements with both controllers and sub-processors;
• Appointing a DPO;
• Keeping an internal register;
• Organizational measures to signing NDAs, foreseeing confidentiality in employment contracts, implementing a data breach policy, …

Lieve Van de Loo
This email address is being protected from spambots. You need JavaScript enabled to view it.
+32 3 202 42 20

CVWarehouse can be both:

1. CVWarehouse is a controller : (1) in case of a "free application" on the CVWarehouse website, whereby the candidate provides its personal information but does not apply for a vacancy of a customer on the CVWarehouse site, or (2) when a candidate applies for a vacancy for CVWarehouse as an organization itself (not one of our customers).
2. CVWarehouse is a processor: when a candidate applies for a specific online vacancy of a customer (potential employer) on the CVWarehouse website or on the own website of a customer. This means that the customers take the initiative to look for candidates and most of all process their personal data as they desire themselves (and not CVWarehouse, which only provides a technical solution/platform for customers to be able to do so).

Yes, in all cases where the customer is the Controller. Candidates need to accept both the privacy policy of CVWarehouse and of the company that they apply with. Customers need to provide their privacy policy to CVWarehouse to be able to integrate this in the application form.

This can be done when this information is given to the company by the candidate or are a result of a test. The company is responsible (as controller) for this and will ask a candidate for consent before information is attached to a candidate profile. This is not OK if a company keeps track of sensitive information about a candidate like religious or philosophical beliefs, sexual orientation, information about trade union membership, racial or ethnic origin, political opinions, genetic or biometric data, … which is forbidden by CVWarehouse (see terms and conditions).

All information about the candidate will be deleted, also in the company profile after 96 hours after such a request. The customer is responsible to delete all copies and backups of documents on their side within 4 working days.

In this case, the candidate provided his CV to the company, so the company can input this data in the platform. The company is responsible (as controller) for this and will ask a candidate for consent. The company needs to put a procedure in place to remove this data when a candidate asks to be removed. If a candidate wants to access or rectify his/her data, the company needs to have a procedure to allow the candidate to exercise its rights, as the company is the controller of such data.

Then the temp agency has to be GDPR compliant and the company needs to make sure they have a data processing agreement with the temp agency about this.

Yes, if there is no link to a person after deleting, the data can be kept in the database (for instance for statistical purposes).

All reports will be automatically deleted after 4 months, starting from the date of creation by the customer.

In an open database system, data subjects can add, manage and/or delete their personal details, for example by means of a personal login or profile account.

In a closed database system, data subjects fill out a form with information, but don’t have any options afterwards to alter or remove their personal information.

The CVWarehouse tool can be – at the same time – both a closed and an open system. For all candidates that create a CVWarehouse profile (and use it to apply), the tool is an open database system. For candidate information that was manually added to the tool by a recruiter for example or when applying is done without a profile but by filling in a registration form, the tool is a closed database system.

The open part of the tool is completely transparent towards data subjects as they can always consult their profile to see which data they are sharing with a company and for which vacancy.

They can also adjust the data themselves or submit a request for the deletion of their profile.

As a result of this transparency, working with an open system results in less GDPR administration for organisations, as the profile options for candidates will solve most of the questions or requests of candidates.

For all partners with whom CVWarehouse cooperates that also process data from candidates (such as our data center partner), CVWarehouse has signed sub-processor agreements.

For job board partners such as Indeed, Mitula, etc. this is not applicable as CVWarehouse only sends information about vacancies. Candidates who apply after they have found a vacancy via such a platform, always do so via a CVWarehouse application form. This way CVWarehouse customers are covered by the processing agreement that they have with CVWarehouse. No personal data is therefore being processed by the job boards, so no extra data processing agreement is necessary.

Data retention is how long one will use, possess or control information. In a recruitment context, GDPR stipulates that organizations should adopt a data retention policy (as part of a privacy policy) to indicate to data subjects/candidates why they are gathering the information and how long they will keep it.

As a result hereof, it’s not allowed to keep personal information for a longer period than defined in your data retention policy.

When drafting your privacy policy towards candidates, it is therefore of the utmost importance to clearly outline the scope of why you are collecting their information and for how long you will hold on to it.

If you define the scope as gathering information for filling open vacancies, you limit your options more than when you define the scope as gathering information for filling vacancies and building a talent pool for future hiring needs.

In light of this second scope, it is way more plausible to hold on to personal information of candidates for a longer period than just the duration of the recruitment process of the vacancy they applied for. It is up to you to define either one of these periods, depending on the option you choose.

If your organization has defined a Retention Period on your organization’s Privacy Policy, CVWarehouse has a feature that allows you to set up your own retention period.

Based on these Retention Period ATS settings, CVWarehouse will delete candidate data from your database.

Candidates will receive an email and are given the option to continue sharing their data with your organization for another renewed Retention Period.

The CVWarehouse platform ensures a clear and transparent communication between organizations and candidates.

With this feature, CVWarehouse helps you enforce your own Retention Period rules, be GDPR Compliant, and reassures you of a transparent, automated and traceable process.

Your privacy policy towards candidates should be brief, easy to find and written in such a way that it is easy to understand for everyone that wants to read it.

Ideally, your privacy statement will contain information about:

• who you are as an organisation
• which data you are gathering
• why you gather personal data
• who you may be sharing these data with and for what reason
• how long you will store the data
• which rights data subjects/candidates have and how they can exercise their rights
• whether data are being sent or forwarded outside of the EU
• who candidates can contact in case of questions or complaints

CVWarehouse customers are free to use CVWarehouse’s privacy statement towards candidates as inspiration or a starting point for drafting their own privacy policy towards candidates. Keep in mind though that your own privacy policy will differ from the one CVWarehouse has, as certain aspects will be very different.

Candidates have the right to request more details about which personal data is being processed by you, including a copy of that information but exercising this right is limited as it cannot lead to another person’s rights and freedoms being adversely affected. Therefore, you could base yourself on this principle to not disclose all purely internal documents to a candidate.

Please click here to read.