SmartRecruiters

Compliance and GDPR Tools for Candidates

Included in:
  • SmartStart
  • SmartRecruit

 

All candidates who apply to jobs via SmartRecruiters have the option to set up a Candidate Portal, which provides them with tools for managing their applications, personal information, and consent in accordance with GDPR requirements.

Introduction

SmartRecruiters’ Candidate Control feature supports compliance with GDPR’s data subject rights:

Provide consent

There are four ways to obtain consent from your candidates:

  1. Default or country level privacy policy settings

    Once set up, all Candidates who apply to a SmartRecruiters job ad or who fill out a Community Lead Capture Form will see a check box at the bottom to review and consent to your privacy policy. The screenshots below correspond to single consent.

    Screenshots: default, when nothing is configured; with the privacy policy set up.
  2. Recruiter uploads a resume into the system

    System identifies if the candidate already exists in the system. If yes, it will pick up the same consent status as the existing candidate profile.

    If a new profile is created, then consent will be required and the recruiter will need to send the consent request to the candidate via SmartRecruiters (details below under managing candidate consent).

    This is the SmartRecruiters default template that the candidate will receive:

    For jobs with GDPR settings turned off:

    Hi [Candidate First Name] [Candidate Last Name],

    We’d like to consider you for employment at [Company name]. Your privacy is important to us, so please review our privacy policy and confirm that we may use your information for recruiting purposes.

    [Review policy]

    You can view, update, or delete your profile at any time.

    Thank you,

    [Company] Recruiting Team

    For jobs with GDPR settings turned on:

    Hi [Candidate First Name] [Candidate Last Name],

    We’d like to consider you for employment at [Company name]. Your privacy is important to us, so please review our privacy policy and confirm that we may use your information for recruiting purposes. If you do nothing, your profile will be deleted in 30 days.

    [Review policy] 

    You can view, update, or delete your profile at any time.

    Thank you, 

    [Company] Recruiting Team

    These templates are configurable under “Settings > Templates > Custom Consent Request”.

  3. Employee refers a candidate to a job in your company

    Referrer is asked to confirm that they have permission from the candidate to submit their information prior to submitting a referral.

    Once the referral is made, the candidate is added in the Lead status to a job, and will receive the following email:

    For jobs with GDPR settings turned off:

    Dear [Referral First Name] [Referral Last Name],

    [Referrer First Name Referrer Last Name] referred you to the position of [JobTitle] in [JobLocation] at [Company]. If you're interested in the position, you can apply by viewing the job ad here [link] and clicking "I'm Interested".

    Thank you,

    [Company] Hiring Team

    For jobs with GDPR settings turned on:

    Dear [Referral First Name] [Referral Last Name],

    [Referrer First Name Referrer Last Name] referred you to the position of [JobTitle] in [JobLocation] at [Company]. If you're interested in the position, you can apply by viewing the job ad here [link] and clicking "I'm Interested". If you do not, your information will be deleted from [Company] in 30 days.

    Thank you,

    [Company] Hiring Team

  4. Application API

    Companies and partners who have built a custom application experience using our Application API should ensure that they present candidates with the appropriate privacy policies and collect the candidate’s consent. Make sure to align the integration according to whether single or separated consent is selected in configuration. Also make sure to specify the candidate’s consent by setting the consent property to true in a POST request to the /postings/:uuid/candidates endpoint. The property is false by default.

Kindly note the retention period of each application is based on the GDPR setting used at the time the consent is sent. 

For example, if the GDPR setting is turned on when the consent is sent to the candidate, the candidate profile will still be deleted after the retention period if no consent is obtained even if the GDPR setting was changed to off within that period.

Declining consent

Candidates who were manually added to a company’s SmartRecruiters but did not apply (e.g., those referred, found via LinkedIn, or added by an external recruiting agency) may not have provided consent for the use of their information.

Companies can request consent by email. Candidates will receive an email asking them to provide consent or decline the request. 


Once it’s requested, candidates have up to 30 days to accept and provide consent. SmartRecruiters will remind candidates twice to provide consent:

  • 7 days prior to the deadline, and
  • 48 hours prior.

If the candidate declines, or does not take action, and the company has activated GDPR settings for the job, SmartRecruiters will delete the profile at the company.

Edit profile

Candidates have the option to create an account with SmartRecruiters Candidate Portal. Here, candidates can access their SmartProfile, which is a current snapshot of the information that SmartRecruiters has on file for the candidate. 

The main page displays the candidate's Active Job Applications and current SmartAcademy articles.

Candidates can modify the information on the SmartProfile by clicking on Menu -> My SmartProfile. Candidates also have the ability to Export to PDF.


In this view, candidates can edit, add, or delete the experience, education, and personal information after applying to a job. The profile completeness bar indicates the completion status and provides suggestions about boosting the candidate's SmartProfile. The candidate has to Save after making any changes to the draft.

Once edits are saved, candidates can click Publish Now to publish the edits to their existing active applications.


Publication syncs the SmartProfile with all existing, active applications at all companies to which the candidate has applied using the same email. Hiring team members working on these jobs will see the edits immediately, but will not receive a notification that updates were made.


The SmartRecruiters candidate portal can be accessed from this link

Download profile

Candidates can download the contents of their SmartProfile from the Candidate Portal. Just navigate to the Settings page, and click Export as JSON to download this information in JSON format.


This file contains the most recent profile data, including any edits made by the hiring team, such as changing your contact information.

Revoke consent to company

When a candidate applies to a company, SmartRecruiters creates a candidate profile for them in the company's account. Any applications submitted to the company are associated with that profile, as long as the candidate uses the same email address for each application. 

Candidates can revoke their consent to a specific company for the use of their information by deleting their candidate profile at the company. Doing so will delete their profile at the company, all applications associated with that profile, and all information contained in the profile and applications.

To delete a candidate profile from a specific company:

  1. In the Candidate Portal, click My Applications in the left-hand navigation menu.
  2. In the list of companies, find that company and click on the application.
  3. Click View Options at the bottom of the page.
  4. In the popup, select Delete my profile from [Company Name] from the list.
  5. Check the options to confirm awareness of the consequences of deleting. 
  6. Confirm the action.

Once completed, SmartRecruiters will delete all information contained in that profile from the company account. The company will be able to see that a candidate existed, but no one will be able to identify the candidate. SmartRecruiters will retain the candidate information in their Candidate Portal, including their SmartProfile and any other applications to other companies.

Thus, if a candidate has applied to more than one company, they'll have more than one candidate profile. If they've applied to the same company and used a different email address, they'll have more than one candidate profile at the company. This is because SmartRecruiters uses last name and email as unique identifiers.

Revoke consent to SmartRecruiters

Candidates can also revoke their consent to SmartRecruiters for the use of their information by deleting their Candidate Portal account.

Each Candidate Portal account collects applications that a candidate submits using the same email address. Applications are grouped by company, and associated with a single candidate profile at each company.

Thus, if a candidate has applied to more than one company, they'll have more than one candidate profile, but if they use the same email address to apply, they'll be able to access all of those applications in the same Candidate Portal. Candidates can totally delete all information in SmartRecruiters that is associated with that email address (applications and candidate profiles at different companies) by deleting their Candidate Portal account. 

To delete a Candidate Portal account:

  1. In the Candidate Portal, click Settings in the left-hand navigation menu.
  2. Click Delete My SmartRecruiters account at the bottom of the page, in the Manage your account section.
  3. Check the options to confirm awareness of the consequences of deleting the account.
  4. Confirm the action.

Deleting a Candidate Portal account is the same as deleting, one by one, all profiles at each company to which the candidate applied using the same email address. SmartRecruiters will also delete the Candidate Portal account associated with that email address, and all information associated with that email. The candidate will not be able to log in using the same email address again.

Remember that candidates who've submitted multiple applications using different email addresses will receive a Candidate Portal account for each email. Deleting one of these accounts will not affect the others.

Deleting candidate data

SmartRecruiters deletes data in a candidate's profile at a company when:

  • the candidate has no prior consent on file and declines to provide consent to a company (e.g., a referral).
  • the candidate has no prior consent on file and does not reply to the company request for consent within 30 days (GDPR setting is active).
  • the candidate has prior consent, but revokes that consent.
  • the candidate withdraws or is rejected, and the data retention period ends.
  • the candidate deletes their candidate profile in the Candidate Portal. 

In each case, SmartRecruiters immediately deletes the candidate's profile from the company's account, and notifies them with this email:

Subject: Deletion Confirmation at [Company]
 
Text: Dear [Candidate First Name] [Candidate Last Name], 


We confirm that your profile was deleted from [Company]'s account. 

Thank you, 
SmartRecruiters

We’ll also notify recruiters on the hiring team, if any. If the user is no longer active, an email will not be sent.

Recruiters will receive this email:

Subject: [Candidate First Name Last Name] deleted their profile


Text: [Candidate First Name Candidate Last Name], candidate for [JobTitle] in [JobLocation] has deleted their profile. You won't be able to access this candidate's profile anymore.  

 

Thank you, 
SmartRecruiters

Deleting a candidate profile for a particular company will also withdraw all applications to that company. If a candidate deletes their profile, this action cannot be undone and the profile cannot be retrieved.

Deleting a profile only affects the company's access to the profile. SmartRecruiters will retain the candidate's information until they delete their Candidate Portal account.