Ensure your organization is GDPR ready with Greenhouse

As the leading talent acquisition suite, Greenhouse has always made transparency a cornerstone of its values: we are committed to being accountable to individuals’ rights to privacy, security, and control over their data.

General Data Protection Regulation (GDPR) Overview

In an effort to expand EU data subjects’ control over their personal data, a landmark privacy law called the General Data Protection Regulation (GDPR) goes into effect on May 25, 2018 in the European Union (EU). All organizations that market to, track or handle the personal data of EU data subjects are legally required to comply.

GDPR 101

What is the GDPR?

The General Data Protection Regulation (GDPR) is the result of four years of work by the European Union (EU) to harmonize privacy laws across Europe. In an increasingly data-driven world, where complex international flows of personal data are exchanged at an ever-increasing pace, the goal of this law is to empower all EU citizens and protect them from privacy and data breaches.

What types of data does the GDPR protect?

  • Personal data relating to an identified or identifiable data subject in the EU, including:
    • Basic identity information such as name, address and ID numbers
    • Web data such as location, IP address, cookie data and RFID tags
    • Other personal information like health and genetic data, biometric data, racial or ethnic data, political opinions, and sexual orientation, provided that the personal information can be used to identify an EU data subject

What is the scope of the GDPR?

The GDPR applies to all companies processing the personal data of European Union (EU) data subjects, regardless of the company’s location.

Are there penalties for non-compliance with the GDPR?

Yes. Under the GDPR, organizations that fail to comply with the law may face penalties of up to €20M or 4% of global annual turnover (revenue) in fines, whichever is higher.

Key Changes Under the GDPR

Personal Rights

Individuals have the right to:

  • Access their personal data and correct errors
  • Request erasure of their personal data
  • Object to processing of their personal data
  • Export their personal data

Controls and Notifications

Organizations will need to:

  • Protect personal data using appropriate security
  • Promptly notify supervisory authorities and affected data subjects in the event of a personal data breach
  • Ensure that all processing of personal data has an appropriate legal basis under the GDPR
  • Keep records detailing data processing

Transparent Policies

Organizations are required to:

  • Provide clear notice to data subjects of personal data collection
  • Outline processing purposes and use cases
  • Define data retention and deletion policies

IT and Training

Organizations will need to:

  • Train privacy personnel and employees on principles of GDPR compliance
  • Audit and update data and privacy policies
  • Appoint a Data Protection Officer (if required)
  • Create and execute compliant data processing agreements with vendors that have access to personal data

Greenhouse GDPR Readiness

Data Subject Consent

GDPR

One question we’ve heard from some of our EU-based customers is “How does Greenhouse plan to help us get consent from individual job applicants to transfer their personal data to the US?”.

After speaking with a bunch of specialists and digging into the legal language, we found it’s actually a common misconception that companies are required to collect consent from every job applicant or prospect. In fact, there are even risks with asking for consent from applicants for processing their data! If candidates are asked for their consent when they apply, for example, they could then choose to revoke it at any time, which could put added pressure on your team. For a more detailed explanation, please read our legal memo.

Collecting resumes and other relevant personal information is a legitimate interest of a company trying to evaluate and hire candidates. Because of this, companies do not need to collect consent from job applicants. In addition, Greenhouse customers are not required to obtain consent from candidates to transfer their personal data from the EU to the US, because Greenhouse can commit to providing a level of protection for the data that is acceptable under EU law.

Our Approach

Because getting consent from applicants is not required under the GDPR and creates a greater burden on companies, Greenhouse expects that our EU customers will want to avoid it. We don’t currently have plans to build any new features to collect and store consent from candidates. However, our platform is flexible and customizable by design, so customers who wish to collect consent from candidates can do so through custom, click-through question boxes that can be posted on their job boards. In addition, customers can provide any notifications to candidates required by the GDPR on their job boards, including the requirement to alert candidates that their personal data will be transferred outside of the EU.

The Right to be Forgotten

GDPR

EU data subjects have the “right to be forgotten” and, therefore, Greenhouse customers will be required to erase a candidate’s personal data when requested by the candidate. Companies also need to erase personal data when the business no longer has a legal basis to continue storing it under the GDPR.

Our Approach

Greenhouse allows you to:

  • Specify, based on your company’s own policies, the timeframe after which your legal justification for keeping candidate data has expired (for example, one month after a candidate’s application is rejected), and automatically bulk delete candidate data once that timeframe has passed
  • Generate candidate emails requesting permission to keep their data longer than your default timeline, and keep their data when candidates agree
  • Configure which data is deleted when a candidate asks to be forgotten (for example, you might decide to delete any personal data but keep anonymized information that would allow you to generate reports on pipeline conversion)
  • Delete a candidate's data by clicking a button on their profile

Enhanced Rights to Notice and Access

GDPR

  1. Companies are required to provide a variety of details at the time personal data is collected (for example, when a candidate applies to a job), including why they are collecting certain information, how long it will be stored, and where it will be sent.
  2. The GDPR significantly enhances people’s right to access their own personal data, and companies will need to provide this data to candidates upon request in an efficient and easily portable format.

Our Approach

  1. Greenhouse has built a feature that allows companies to respond to and complete data requests from candidates. You’ll be able to configure what data should be accessible and send it to candidates in a CSV file by clicking a button on their profile.
  2. Greenhouse can include language approved by you on your job boards so that any necessary notifications and disclosures are made to candidates when they apply.

The Right to Object

GDPR

People have a right to restrict their personal data from being used for direct marketing purposes.

Our Approach

If a candidate opts out, Greenhouse has a “do not email” feature which prevents users from sending any email to that candidate.

Greenhouse and Our Sub-Processors

In an effort to provide maximum transparency, we’ve compiled a comprehensive list of the sub-processors Greenhouse works with, along with details on how the data shared with each sub-processor is used.

Sub-processors with access to Candidate personal data in Greenhouse Recruiting:

Greenhouse Sub-Processor       Why & How Data is Used
Amazon Web Services            Servers and network infrastructure
Hireability                    Resume parsing
Sumo Logic                     Application and server logs
Zendesk                        Issue ticketing system
Rollbar                        Software exception reporting
Mailgun                        Email delivery
Google Analytics               Product analytics
Google Apps Calendaring        Interview calendaring
New Relic                      Application monitoring
Datadog APM                    Application monitoring

Security and Certifications

Greenhouse Certification       Description
SOC 2 Type 2                   American Institute of Certified Public Accountants (AICPA) Statement on Controls Report
ISO 27001                      Certified Information Security Management System

“Greenhouse is committed to transparency and has the utmost respect for individuals’ data and privacy rights—compliance with the GDPR is our top priority.”

Daniel Chait, CEO

Status Page

Communication is key when it comes to security and any potential threats. To that end, we provide live system updates, available 24/7.

See our comprehensive maintenance schedule and past incident history log on our Status Page.

More Resources

For Non-Lawyers:

Greenhouse, EU Compliance, and the General Data Protection Regulation (GDPR)

Legal Memo:

Greenhouse and the General Data Protection Regulation (GDPR)

On the Blog:

Our Greenhouse Readiness Plan for General Data Protection Regulation (GDPR)

Contact Us

Have more questions? If you are a current customer, get in touch with customer support here.

Have more questions but aren’t a customer? Get in touch with our team here.