On CVWarehouse & the General Data Privacy Regulation (GDPR)

In essence, GDPR compliance boils down to identifying which personally identifiable data are collected throughout an organization on different data subjects the organization comes into contact with and for which purpose and making sure all GDPR-related principles and obligations are applied to the processed personal data (and making sure this continues to be the case in an ever-evolving landscape).

Especially the transparency obligation to be able to inform a data subject about which data you collect for which purpose, to allow the data subject to amend and correct these data and to give or not give consent to use certain data can present quite a technological challenge if you want to give the data subject such control. We at CVWarehouse have chosen to implement the necessary technical means to do so. You are able to read more on this in our privacy statement.

Although being compliant is an ever-ongoing process, CVWarehouse is striving to be GDPR compliant since before May 2018 (the entry into force of GDPR) and follows up closely on all GDPR-related matters to implement the necessary changes as fast as possible.

• • A legal and technical audit was conducted pre-GDPR;
  • Re-writing all legal statements and agreements;
  • Re-assessing operational work flows and screening suppliers;
  • Signing processing agreements with both controllers and sub-processors;
  • Appointing a DPO;
  • Keeping an internal register;
  • Organizational measures to signing NDAs, foreseeing confidentiality in employment contracts, implementing internal policies such as a data breach policy, …
  • Keeping track of where data is processed and located, as well as making sure the necessary safeguards are in place;
  • Implementing and constantly updating technical and organizational measures.

Lieve Van de Loo
This email address is being protected from spambots. You need JavaScript enabled to view it.
+32 3 202 42 20

CVWarehouse can be both:

1. CVWarehouse is a controller : (1) in case of creating a profile on the CVWarehouse website, whereby the candidate provides its personal information but does not apply for a vacancy of a customer on the CVWarehouse site (this is possible later on with the profile that was created), or (2) when a candidate applies for a vacancy for CVWarehouse as an organization itself (not one of our customers).
2. CVWarehouse is a processor: when a candidate applies for a specific online vacancy of a customer (potential employer) on the CVWarehouse website or on the own website of a customer (that is supported by CVWarehouse) . This means that the customers process the personal data of the candidate as they desire themselves (and not CVWarehouse, which only provides a technical solution/platform for customers to be able to do so).

Yes, in all cases where the customer is the controller, which is for all processing concerning personal data of a candidate’s application. Candidates need to accept the privacy policy of the company that they apply with (and the privacy policy of CVWarehouse when creating a profile) Customers need to provide their privacy policy to CVWarehouse to be able to integrate this in the application form. The same goes for the cookies that a customer wishes to implement on the job site: a cookie policy needs to be provided to CVWarehouse to be able to implement the cookies.

This can be done when this information is given to the company by the candidate during an interview or are a result of a test. The company is responsible (as controller) for this as it concerns application data and will ask a candidate for consent before such information is attached to a candidate file. It is not allowed for companies to keep track of sensitive information about a candidate like religious or philosophical beliefs, sexual orientation, information about trade union membership, racial or ethnic origin, political opinions, genetic or biometric data, … which is forbidden by CVWarehouse (see our terms and conditions for customers).

All information about the candidate will be deleted, also in the company profile, 14 days after such a request. A notification will be sent to the customer following a deletion request. The customer is, as a separate controller, responsible to delete all copies and backups of documents on their side.

In this case, the candidate provided its CV to the company, so the company can input this data in the platform. The company is responsible (as controller) for this and will ask a candidate for consent before doing so. The company needs to put a procedure in place to remove this data when a candidate asks to be removed (or wants to exercise other rights such as a rectification of data), as unlike a candidate with a profile, such requests are not part of an automated process.

Yes, if there is no link to a person after deleting, the data can be kept in the database (for instance for statistical purposes).

All reports will be automatically deleted after 4 months, starting from the date of creation by the customer.

In an open database system, data subjects can add, manage and/or delete their personal details, for example by means of a personal login or profile account.

In a closed database system, data subjects fill out a form with information, but don’t have any options afterwards to manage or delete their personal information.

The CVWarehouse tool can be – at the same time – both a closed and an open system. For all candidates that create a CVWarehouse profile (and use it to apply), the tool is an open database system.

The CVWarehouse tools behaves as a closed data base system when:

• Companies manually add candidate information
• Candidates apply without creating or using a profile (by just filling in a registration form)
• Companies work with HR Partners that supply them candidate information.

The open part of the tool is completely transparent towards data subjects as they can always consult their profile to see which data they are sharing with a company and for which vacancy.

They can also adjust the data themselves or submit a request for the deletion of their profile.

The closed part of the tool establishes that the management of the data and answering requests of candidates has to be directly handled by companies themselves.

As a result of this transparency, working with an open-system results in less GDPR administration for companies, as the profile options for candidates will solve most of the questions or requests of candidates, following the privacy-by-design principle of GDPR.

Companies (CVWarehouse customers) can work with HR Partners or Temp Agencies (“recruitment agencies”). The purpose or recruitment agencies is to offer suitable candidates and profiles to positions that Companies are looking to fill.

Recruitment agencies can propose candidates to Companies using means outside of CVWarehouse platform. Candidate data may then be manually added to the Company’s CVWarehouse environment by the Companies.

Alternatively, CVWarehouse provides Companies a secure way for the recruitment agencies to propose candidates and submit their data directly in the platform, as an additional optional feature. This feature (called HR Partner Portal) falls under the terms of use in place between CVWarehouse and the recruitment agencies.

Companies indicate which recruitment agencies they work with and CVWarehouse will provide an access to the HR Partner Portal but is not involved in any existing agreement, or any lack thereof, between the Companies and recruitment agencies.

In both situations, using the HR Partner Portal or if recruitment agencies send companies candidates by any other mean that’s outside of CVWarehouse’s scope, CVWarehouse platform behaves as a closed database (see previous question to learn what a closed database means).

As candidates share their data with recruitment agencies, all the requests and agreements regarding candidate data fall under the responsibility of the recruitment agencies, and are handled directly between Candidates and recruitment agencies.

For all partners with whom CVWarehouse cooperates that also process data from candidates on behalf of CVWarehouse (such as our data hosting partner), CVWarehouse has signed sub-processor agreements.

For job board partners such as Indeed, Mitula, etc. this is not applicable as CVWarehouse only sends information about vacancies and job boards consider themselves separate controllers. Candidates who apply after they have found a vacancy via such a platform, always do so via a CVWarehouse application form, unless a job board would require that this is done differently on the job board itself.

Data retention is how long one will process and retain information (e.g. personal information). GDPR stipulates that organizations should adopt a data retention policy (as part of a privacy policy) to indicate to data subjects (in the recruitment context to candidates) why they are gathering the information and how long they will keep it.

As a result hereof, it’s not allowed to keep personal information for a longer period than defined in your data retention policy, which should be the period in which it is strictly needed to process and keep personal data.

When drafting your privacy policy towards candidates, it is therefore of the utmost importance to clearly outline the scope of why you are collecting their information and for how long you will hold on to it.

If you define the scope as gathering information for filling open vacancies, you limit your options more than when you define the scope as gathering information for filling vacancies and building a talent pool for future hiring needs.

In light of this second scope, it is way more plausible to hold on to personal information of candidates for a longer period than just the duration of the recruitment process of the vacancy they applied for, as you will be using the personal information also for future vacancies. It is up to you to define either one of these periods, depending on the option you choose and also depending on the fact if you need to keep an official talent pool (which is  foreseen as an option in the Retention Period ATS settings)

If your company has defined a retention period on your companies’ privacy policy, CVWarehouse has a feature that allows you to implement this retention period.

Based on these Retention Period ATS settings, CVWarehouse will delete candidate data from your database when the predetermined retention period ends.

Candidates will receive an email and are given the option to continue sharing their data with your company for a longer retention period.

The CVWarehouse platform ensures a clear and transparent communication between companies and candidates.

With this feature, CVWarehouse helps you enforce your own retention period rules, be GDPR Compliant, and reassures you of a transparent, automated and traceable process of retaining data.

Your privacy policy towards candidates should be brief, easy to find and written in such a way that it is easy to understand for everyone that wants to read it.

Ideally, your privacy statement will contain information about:

• who you are as an company and if you have a DPO
• which data you are gathering
• why you gather personal data and on which legal basis
• who you may be sharing these data with and for what reason
• how long you will store the data
• which rights data subjects/candidates have and how they can exercise their rights
• whether data are being sent or forwarded outside of the EEA and if so, through which mechanisms the data is safeguarded
• who candidates can contact in case of questions or complaints

CVWarehouse customers are free to use CVWarehouse’s privacy statement towards candidates as inspiration or a starting point for drafting their own privacy policy towards candidates. Keep in mind though that your own privacy policy will differ from the one CVWarehouse has, as certain aspects will be very different.

Candidates have the right to request more details about which personal data is being processed by you, including a copy of that information but exercising this right is limited as it cannot lead to another person’s rights and freedoms being adversely affected. Therefore, you will need to assess a request on a case-by-case basis.

Please click here to read.