Our greenhouse readiness plan for general data protection regulation (GDPR)

GDPR blog header

Filed under:

Here at Greenhouse, we know how important data protection is in the world of Talent Acquisition and employment law, and for all of us as individuals. A new, wide-sweeping data protection law called the General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. This law regulates collecting and processing personal data and it will have a significant impact on companies with operations or offices located in the EU.

This is why we’re sharing our GDPR readiness plan with you, so you can rest assured your Greenhouse data is prepared for the new regulations. Every aspect of our Greenhouse Talent Acquisition technology suite has undergone evaluation to ensure that we’re helping you mitigate risk at every turn. As we make the necessary changes to ensure GDPR compliance before May 25, all Greenhouse customers will automatically have these features enabled.

What is GDPR?

Adopted by the European Parliament in April of 2016, the General Data Protection Regulation requires businesses to protect the personal data and privacy of European citizens for transactions that occur within European states. Personal data includes names, photos, email addresses, bank details, posts on social networking websites, medical information, or even a computer IP address.

In addition, the GDPR regulates the exportation of personal data outside of the European Union. Whether or not you are geographically located within the European Union, GDPR impacts your organization as long as you are processing and storing personal data of individuals who live there.

ERE has a helpful GDPR resource article so you can learn more about the Regulation, including the potential impact of failing to comply by May 2018.

Greenhouse’s Plan to Support Compliance

We’ve been working with legal experts to make sure that Greenhouse remains completely compliant with how we handle customer data and has the tools necessary to help our customers properly manage their candidate data.

Here are some helpful assets for recruiting teams and other non-lawyers to understand the features we’ll implement over the coming months to help with these compliance efforts. If you’d like more detailed information about our GDPR plans to share with your legal team, you can read our legal memo here.

Data Subject Consent


One question we’ve heard from some of our EU-based customers is “How does Greenhouse plan to help us get consent from individual job applicants to transfer their personal data to the US?”

After speaking with a bunch of specialists and digging into the legal language, we found it’s actually a common misconception that companies are required to collect consent from every job applicant or prospect. In fact, there are even risks with asking for consent from applicants for processing their data! If candidates are asked for their consent when they apply, for example, they could then choose to revoke it at any time, which could put added pressure on your team. For a more detailed explanation, please read our legal memo.

Collecting resumes and other relevant personal information is a legitimate interest of a company trying to evaluate and hire candidates. Because of this, companies do not need to collect consent from job applicants. Similarly, Greenhouse customers are not required to obtain consent from candidates to transfer their personal data from the EU to the US, because Greenhouse can commit to providing a level of protection for the data that is acceptable under EU law.

Our Approach

Because getting consent from applicants is not required under the GDPR and creates a greater burden on companies, Greenhouse expects that our EU customers will want to avoid it. We don’t currently have plans to build a feature to collect and store consent from candidates. However, we will include language on our job boards to meet the requirement that companies alert candidates that they will transfer personal data to another country.

The Right to be Forgotten


People have the “right to be forgotten” and Greenhouse customers will be required to erase a candidate’s personal data when requested by the candidate. Companies also need to erase personal data when it’s deemed no longer necessary for the business to continue storing it.

Our Approach

Greenhouse plans to build tools allowing you to:

•Specify a timeframe based on your company’s specific policies of when your legal justification for keeping candidate data has expired (for example, one month after a candidate’s application is rejected) to automatically bulk delete candidate data;

•Generate candidate emails requesting permission to keep their data longer than your default timeline, and keep their data when candidates agree;

•Configure which data is deleted when a candidate asks to be forgotten (for example, you might decide to delete any PII but keep information that would allow you to generate reports on pipeline conversion);

•Delete a candidate’s data by clicking a button on their profile

Enhanced Rights to Notice and Access


1. Companies are required to provide a variety of details at the time data is requested (for example, when a candidate applies to a job), including why they are requesting certain information, how long it will be stored, and where it will be sent.

2. The GDPR significantly enhances people’s right to access their own personal data, and companies will need to provide this data to candidates upon request in an efficient and easy format.

Our Approach

1. Greenhouse will include language on job boards so that any necessary notifications and disclosures are made to candidates when they apply.

2. Greenhouse will allow companies to respond to and complete data requests from candidates. You’ll be able to configure what data should be accessible and send it to candidates in a CSV file by clicking a button on their profile.

The Right to Object


People have a right to restrict their personal data from being used for direct marketing purposes.

Our Approach

If a candidate opts out, Greenhouse has a “do not email” feature which prevents users from sending any email to that candidate.

Data Security


Article 32 of the GDPR requires data controllers and processors to apply a reasonable level of security to the data collected against loss, unauthorized changes, or data breach.

Our Approach

Greenhouse maintains a comprehensive information security program to ensure that all of the data and infrastructure is secure and always available. As part of our program we have regular third party audits of our applications, infrastructure, security controls, and processes.

We are excited to announce that we have obtained ISO 27001 certification which further provides assurance that our security program meets rigorous international standards for breadth and quality. Our ISO 27001 certification in addition to our SOC 2 Type 2 attestation provides assurance that Greenhouse will keep your data secure.

GDPR and data privacy compliance are a priority for our customers and for all of us here at Greenhouse. We’ll continue to make efforts in this area and keep you and your teams informed on the latest features and updates we’re rolling out in the coming months. Keep checking back on our blog for more information.

Looking for more information? Look no further than these additional resources:

For Non-Lawyers: Greenhouse, EU Compliance, and the General Data Protection Regulation (GDPR)

Learn More

Legal Memo: Greenhouse and the General Data Protection Regulation (GDPR)

Learn More