Sourcing & GDPR
The world has started to take online privacy seriously, with GDPR leading the way. Here's what we've learned about GDPR and sourcing.
A guide to GDPR for sourcing
While we've gathered extensive legal advice during the past few years, Intro is not a law firm and this is not legal advice. We're just sharing our insights, to help you better understand how GDPR relates to sourcing.
There are three key concepts within the GDPR.
Data subjects are candidates who can be identified through their personal data. 'Personal data' has a broad definition and includes name, address and titles, as well as cultural and genetic information.
The data controller is the entity which determines the purposes and means of the data processing. Typically, the employer is the one who decides why and how they process candidates' personal information. You remain the controller even if you use an external service like Intro or a recruiting agency.
A processor is an entity that processes data on the instruction of the data controller. A controller can have several processors. If you use Intro to find and reach out to candidates, Intro is your processor.
Does the GDPR apply to us?
The GDPR applies to all organizations (even those outside the EU) that process the personal data of citizens of the European Union.
What can happen if we don't comply with GDPR?
The supervisory authority can issue warnings, reprimands and corrective orders, as well as fines of up to €20 million (or up to 4% of your annual global turnover).
Is it legal for my organization to source candidates?
When you source passive candidates, you process personal data. In order to do this legally, you need to follow the requirements set out in the GDPR.
If your organization is hiring and the data you process is for specified, explicit and legitimate purposes, you're complying with GDPR. Since recruiting is considered a legitimate interest, you don't need explicit consent as long as you follow the requirements below. Note that this only applies to professional, non-sensitive information. If you want to process genetic, religious or other sensitive information, you need explicit consent.
The GDPR states that you must contact candidates 'within a reasonable period after obtaining the personal data, but at the latest within one month' to notify them that you're processing their information and to give them the details of the processing.
When you notify the candidate that you're processing their data, you need to include the information required by Article 14 of the GDPR, such as the purposes of the processing, what information you're processing, the sources, how and for how long you store the data, and the data subject's rights under the GDPR.
The candidates must have the right to access, correct and ask for the data you're processing to be deleted.
Good news. Intro helps you be compliant. Scroll down to learn more.
Are we compliant if we use Intro?
Yes, our product is designed to help you follow the requirements outlined above. For example, we include a Privacy Notice with the first contact sent to the candidates, notifying them in a transparent way about the processing and giving them a chance to control the processed data. Read more about our approach to candidates here.
As a processor, how is Intro complying with GDPR?