GDPR

General Data Protection Regulation (GDPR)

GDPR overview

What is the GDPR?
The General Data Protection Regulation (GDPR) is the result of four years of work by the European Union (EU) to harmonize privacy laws across Europe. The goal of this law is to empower and protect all EU citizens from privacy and data breaches.

What types of data does the GDPR protect?

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Other personal information like health and genetic data, biometric data, racial or ethnic data, political opinions and sexual orientation

What is the scope of the GDPR?
The GDPR applies to all companies processing the personal data of European Union (EU) data subjects, regardless of the company’s location.

Are there penalties for non-compliance with the GDPR?
Organizations that fail to comply with the law may face penalties of up to €20 million or 4% of global annual turnover (revenue) in fines, whichever is higher.

Greenhouse GDPR features enable our customers to be 100% privacy compliant.


Greenhouse GDPR capabilities for the right to be forgotten

Greenhouse customers who must comply with GDPR are required to erase a candidate’s personal data when requested by the candidate.

Companies also need to erase personal data when the business no longer has a legal basis to continue storing it under the GDPR.


Local time frame for keeping candidate data

What the regulation requires
Data subjects may request that a company delete any personally identifiable information (PII) that is known about them.

What is the feature?
Specify a time frame to keep personal candidate data and bulk-erase it when that time elapses. Additionally, configure which data is deleted when a candidate asks to be forgotten.

How to do it
Organizations may choose which data about a candidate should be anonymized to ensure non-PII such as stage transition data is not impacted.

Candidate deletion is also available on demand via the API.


Automated consent extension

What the regulation requires
Organizations may not keep data for longer than required for “legitimate interest” or the time period of “explicit consent” provided by a candidate.

What is the feature?
Allow organizations to automatically request an extension of the consent period.

How to do it
Generate emails to candidates requesting permission to keep their data longer than your default time frame, and keep their data when candidates agree.


For enhanced rights to notice and access

Companies are required to provide a variety of details at the time personal data is collected (for example, when a candidate applies to a job), including why they are collecting certain information, how long it will be stored and where it will be sent.

The GDPR significantly enhances people’s right to access their own personal data, and companies need to provide that data to candidates upon request in an efficient and easily portable format.

What the regulation requires
Data subjects have a right to access any personal data that is being processed by a company.

What is the feature?
Easily and quickly fulfill any data requests from candidates using Candidate Packets.

How to do it
Click a few buttons to configure the components you want to share, then send the packet to candidates.


For the right to object

People have an unequivocal right to object to their personal data being processed for direct marketing purposes and related profiling.

What the regulation requires
Data subjects have the right to opt out of their data being kept and used by companies, which means they should not be contacted.

What is the feature?
The “Do not email” feature prevents any Greenhouse-generated emails being sent to the candidate.

How to do it
Select the checkbox to activate.



Find out more in these resources

For non-lawyers:
Greenhouse, EU compliance and the General Data Protection Regulation (GDPR)

Legal memo:
Greenhouse and the General Data Protection Regulation (GDPR)

On the blog:
Our Greenhouse readiness plan for the General Data Protection Regulation (GDPR)
