On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect. It’s a legislation that gives residents of the European Union more control over their data. As an employer, GDPR applies to you if you deal with the personal data of EU citizens, even if your business does not have a physical presence in the EU.

As your ATS vendor, we are committed to help you meet your GDPR obligations. Over the past few months, we have made several changes to our products as well as our policies. In this article, we will give you a brief overview of the tools we now offer.

Before we proceed, there are a few key roles that GDPR defines that you need to keep in mind: the data subject, the data controller and the data processor.

Data subject is any person whose personal data is being collected, held or processed. In the context of recruitment, data subjects are the applicants to your job openings.

Data collector is the person (or the business) that decides the specific purpose and means of collection of data (that's you, as the employer).

Data processor is someone who processes data in any way (that's enlist). Here’s a link to understand more about this.

Under GDPR data subjects have certain rights. Here’s an overview of what we’ve built to help you comply:

Right to be informed

You can inform candidates about how you process and store their data and get their consent before they submit their application. Learn more.

Right to erasure

If a candidate requests their data to be deleted, you can completely delete their data from enlist. Learn how to do that.

Right of access

If a candidate requests access to their data, you have the ability to do so. Learn how to export a candidate's data.

Right to rectification

If a candidate requests to rectify inaccurate personal data, you can do so. Learn how to edit a candidate's details.

In addition to these rights, GDPR requires that you retain personal data no longer than necessary. With enlist, you can set a time period after which inactive candidates' data will automatically be deleted. Learn how to do that.

The right to erasure, rectification and access to collected data require that you provide the applicants with an email address where they can contact you to make those requests. There are a couple of ways to do this: you can add the email address of the contact person to your privacy notice or you can create an email template with the contact details.

Did this answer your question?