Compliance and GDPR Tools for Companies

Included in:
  • SmartStart
  • SmartRecruit

 

SmartRecruiters is committed to helping our customers ensure compliance with regulations. Our GDPR compliance tools provide the ability to manage candidates' personal information and consent to the use of that information for recruiting purposes. 

Introduction

SmartRecruiters' GDPR tools help companies to:

SmartRecruiters also helps companies ensure compliance by providing candidates with the tools to manage their applications, personal information and consent.

Setting up Compliance Configurations

Under “Settings > Administration > Global Compliance”, you can set up your default compliance settings, where you can control:

Candidate's right of data erasure

How you would like to manage a candidate-initiated request to delete their profile.

The second option (where the administrator reviews the request) requires that the candidate has job application(s). For instance, a candidate who only has a community application - via filling out a lead capture form - will not be able to request erasure.

Privacy Policy Sentence

The wording you would like to use when your privacy policy is displayed at the end of a job application. These options will depend on whether the customer chooses a single or separated consent approach. More on this later. The below wording is an example of single consent. 

Default and Country level policy settings

You can make changes to the below fields in your Global Compliance settings:

  1. Data Retention: how you would like to treat candidates that have either been rejected, withdrawn, removed from the job or hired

  2. Privacy Policy: adding a URL link of your company privacy policy

  3. GDPR settings: toggle to remove candidate's application if they do not provide consent within 30 days of a request.

By default, SmartRecruiters adds a default configuration ruleset to your account, and will apply these default compliance rules to jobs in any country for which you don't set up a specific configuration.  

You can also add country-specific configurations with differing privacy policies and data retention periods.

SmartRecruiters will use a job's location to determine which configuration applies to that job.

  • If you post jobs in only one country, either modify the default configuration, or just set up a new configuration for that specific country.
  • If you post jobs in more than one country, it's a good idea to set up a configuration for each country.

Kindly note that changes to the GDPR settings do not retroactively apply to consents that have already been sent to candidates. Please ensure you take the necessary steps to manage candidates accordingly based on the changes made.

Configuring candidate consent

Consent best practice recommends that separate data scopes have separate consents which allows candidates to control how their data is used in alignment with GDPR. The data scopes align with SmartRecruiters modules:

  • SmartRecruit job applications
  • SmartCRM communities and
  • SmartMessage - both SMS and WhatsApp.

Customers will select the consent approach which best meets their business needs - these are categorized as “single consent” and “separated consent”. 

Single Consent

Candidates will see a single checkbox, privacy statement and a link to the customers’ privacy policy regardless of how many data scopes (SmartRecruit, SmartCRM, SmartMessage) the customer has. When a candidate ticks the checkbox, s/he is consenting to all data scopes. It is not possible for the candidate to consent to some but not others. 

Separated Consent

Candidates will see multiple checkboxes alongside multiple privacy statements and a link to the customers’ privacy policy. The visibility of checkboxes and privacy statements will depend on which modules the customer has enabled - if a customer has SmartRecruit and SmartCRM then only those checkboxes and privacy statements will be visible.

Changing the consent model

Single consent is the default setting. 

  1. Administrator selects the Company Policy tab within the Global Compliance setting.

  2. Administrator decides whether to change the consent model. If SWITCH TO SEPARATED CONSENT is clicked, then a warning appears along with the privacy policy sentences which need to be reviewed.

  3. Administrator saves the changes. 

Obtaining candidate consent

There are four ways to obtain consent from your candidates:

  1. Default or country level privacy policy settings

    Once set up, all candidates who apply to a SmartRecruiters job ad or who fill out a Community Lead Capture Form will see a check box at the bottom to review and consent to your privacy policy. The below screenshots align to single consent.

    Screenshots: default, when nothing is configured; with the privacy policy set up.
  2. Recruiter uploads a resume into the system

    System identifies if the candidate already exists in the system. If yes, it will pick up the same consent status as the existing candidate profile.

    If a new profile is created, then consent will be required and the recruiter will need to send the consent request to the candidate via SmartRecruiters (details below under managing candidate consent).

    This is the SmartRecruiters default template that the candidate will receive:

    For jobs with GDPR settings turned off:

    Hi [Candidate First Name] [Candidate Last Name],

    We’d like to consider you for employment at [Company name]. Your privacy is important to us, so please review our privacy policy and confirm that we may use your information for recruiting purposes.

    [Review policy]

    You can view, update, or delete your profile at any time.

    Thank you,

    [Company] Recruiting Team

    For jobs with GDPR settings turned on:

    Hi [Candidate First Name] [Candidate Last Name],

    We’d like to consider you for employment at [Company name]. Your privacy is important to us, so please review our privacy policy and confirm that we may use your information for recruiting purposes. If you do nothing, your profile will be deleted in 30 days.

    [Review policy]

    You can view, update, or delete your profile at any time.

    Thank you,

    [Company] Recruiting Team

    These templates are configurable under “Settings > Templates > Custom Consent Request”. 

  3. Employee refers a candidate to a job in your company

    Referrer is asked to confirm that they have permission from the candidate to submit their information prior to submitting a referral.

    Once the referral is made, the candidate is added in the Lead status to a job, and will receive the following email:

    For jobs with GDPR settings turned off:

    Dear [Referral First Name] [Referral Last Name],

    [Referrer First Name Referrer Last Name] referred you to the position of [JobTitle] in [JobLocation] at [Company]. If you're interested in the position, you can apply by viewing the job ad here [link] and clicking "I'm Interested".

    Thank you,

    [Company] Hiring Team

    For jobs with GDPR settings turned on:

    Dear [Referral First Name] [Referral Last Name],

    [Referrer First Name Referrer Last Name] referred you to the position of [JobTitle] in [JobLocation] at [Company]. If you're interested in the position, you can apply by viewing the job ad here [link] and clicking "I'm Interested". If you do not, your information will be deleted from [Company] in 30 days.

    Thank you,

    [Company] Hiring Team

  4. Application API

    Companies and partners who have built a custom application experience using our Application API should ensure that they present candidates with the appropriate privacy policies and collect the candidate’s consent. Make sure to align the integration according to whether single or separated consent is selected in configuration. Also make sure to specify the candidate’s consent by setting the consent property to true in a POST request to the /postings/:uuid/candidates endpoint. The property is false by default.

Kindly note the retention period of each application is based on the GDPR setting used at the time the consent is sent. 

For example, if the GDPR setting is turned on when the consent is sent to the candidate, the candidate profile will still be deleted after the retention period if no consent is obtained even if the GDPR setting was changed to off within that period.

Managing Candidate Consent

Consent is stored on the candidate profile - not on each application. Recruiters can view consent status from next to the candidates’ name. 

Clicking on the icon displays a modal which shows consent statuses and the date of any pending consent request (if a consent request has been sent recently). The modal also allows the user to request a new consent if required. Doing so sends the candidate an email - which is no different than the existing feature.

Candidates who’ve applied numerous times, to different jobs at your company, will provide consent on each application. You’ll be able to see the date for the most recent record of collected consent. 

Candidates can withdraw consent from a particular company at any time.

Anyone with the permission to do so (as defined in the custom hiring team roles)  can request consent by clicking “Request Consent” on the candidate’s profile, triggering an email to be sent to the candidate.

It's important to remember that consent is associated with a candidate's profile, not their applications. If the candidate has already consented, there's no need to re-request consent when adding the candidate to another job.

Managing Candidate Response  

If the candidate accepts the consent request, this sets the date of the latest consent on their profile.  This consent date is visible to users with access to any of the applications of this candidate.

For jobs with GDPR setting turned on, if the candidate does not respond OR declines to grant consent within 30 days from the consent request date, their profile, including all applications associated with that candidate, can be removed from the system or removed from the module. The outcome depends on whether the candidate provided consent in the past. Please refer to the table in the FAQ for a breakdown. 

When a candidate’s application is deleted, the system sends notifications to the Recruiters assigned to the hiring teams of the roles where the candidate had an application. If there are no Recruiters then emails are not sent.

Find out more on the process of Automatically Removing Candidate Data.

 

Requires:
  • SmartRecruit

In the January 2019 release, we've further globalized our GDPR management tools by adding the ability to create a library of custom templates for the consent request email, and send the right template based on the company's GDPR Setting.

What's changed:

Previously, SmartRecruiters sent the same consent request email to all candidates. Companies could not customize the email's text.

What's new:

We've added the ability to create three types of templates for the consent request, each with different content and purpose (GDPR Setting Off, GDPR Setting On, and Reminders). Admins can also set up language-specific templates and add custom text in that language.

This new feature is found in the Templates list of Settings / Admin. By default, the feature is set to use SmartRecruiters' default templates. Admins can choose to deactivate the Use SmartRecruiters Default Template option to activate Custom Request Email Templates and create their own templates.

Creating templates

  1. When the Default Templates option is deactivated for the first time, Admins will be prompted to select a default language for the custom templates. This language will be the default for any new template at time of creation, but can be changed during the customization process.
  2. To add a new template, click Add Template.
  3. In the editor, choose the template's type and language, and add its content. Available languages correspond to the list of candidate-facing languages so that SmartRecruiters can match templates to job ads by the job ad language.

    Like other email template editors in SmartRecruiters, the Consent Request template editor supports rich text formatting, merge fields, and links, and allows customization of the text in the email's call-to-action button.

There are three types:

  • Two request template types: No Deletion and Deletion after 30 days.
  • One reminder type: Reminder

Request template types

The two request template types correspond to the two default request template types:

| Default type | Custom type | Sent when |
|---|---|---|
| GDPR Setting On | Deletion after 30 days | A user requests consent from the candidate, and the company has activated the GDPR setting for that candidate's country. |
| GDPR Setting Off | No Deletion | A user requests consent from the candidate, and the company does not have the GDPR setting activated for that candidate's country. |

SmartRecruiters will send a specific template based on three factors:

  • Job Ad Language (latest application; if no application then language of default job ad, if general application then English)
  • Company's GDPR setting for the candidate's country

Let's look at an example:

  • The company has a Custom Request Email template with the type Deletion after 30 days and Polish language.
  • The candidate has a location in Poland, and applied to a job ad in Polish (i.e., the job poster chose Polish when creating the ad).
  • The company has a Global Compliance configuration for Poland. In this configuration, the GDPR setting is active, and the candidate's profile would be deleted if they did not provide consent within 30 days of the request.
  • When a recruiter at the company requests consent from the candidate, the candidate would receive the Deletion after 30 days template in Polish. 

If there is no matching Custom Request Email, then SmartRecruiters will send the appropriate default email. 

For reference, here are the GDPR default request templates:

  • GDPR Setting On: Sent when a user requests consent from a candidate, and the company has activated the GDPR Setting in Global Compliance for the candidate's country.
    Hi [Candidate First Name] [Candidate Last Name],
     
    We’d like to consider you for employment at [Company name]. Your privacy is important to us, so please review our privacy policy and confirm that we may use your information for recruiting purposes. If you do nothing, your profile will be deleted in 30 days.
     
    [Review policy] 
     
    You can view, update, or delete your profile at any time.
     
    Thank you, 
    [Company] Recruiting Team 
  • GDPR Setting Off: Sent when a user requests consent from a candidate, and the company has not activated the GDPR Setting in Global Compliance for the candidate's country.
    Hi [Candidate First Name] [Candidate Last Name],
     
    We’d like to consider you for employment at [Company name]. Your privacy is important to us, so please review our privacy policy and confirm that we may use your information for recruiting purposes.
     
    [Review policy] 
     
    You can view, update, or delete your profile at any time.
     
    Thank you, 
    [Company] Recruiting Team

Reminder template type

With the Custom Request Email option active, Admins can choose the Reminder type for each template to set up a custom reminder email on a country-by-country basis.

As with the two request email types, SmartRecruiters will choose the correct template based on the candidate's country, and will fall back to the default reminder emails if there is no matching custom reminder email.

For reference, here are the two default reminder emails:

  • Reminder: 7 Days before deletion
    Hi [Candidate First Name] [Candidate Last Name],
     
    We’d like to consider you for employment at [Company name]. Your privacy is important to us, so please review our privacy policy and confirm that we may use your information for recruiting purposes. If you do nothing, your profile will be deleted in 30 days.
     
    [Review policy] 
     
    You can view, update, or delete your profile at any time.
     
    Thank you, 
    [Company] Recruiting Team 
  • Final Reminder: 2 days before deletion
    Hi [Candidate First Name] [Candidate Last Name],
     
    We’d like to consider you for employment at [Company name]. Your privacy is important to us, so please review our privacy policy and confirm that we may use your information for recruiting purposes.
     
    [Review policy] 
     
    You can view, update, or delete your profile at any time.
     
    Thank you, 
    [Company] Recruiting Team

 

Data Retention available on the application level

Data retention rules allow companies to decide whether to delete all of a candidate's information at once, or at the application level.

What's changed:

Previously, the data retention configuration acted on the profile level. Therefore, if the candidate had applications across different countries, the system was waiting for all applications to be inactive (i.e., Rejected or Withdrawn) before triggering the data retention rule and deleting the profile.

What's new:

Customers can decide whether they want their data retention configuration to operate on the candidate level or application level.

If customers decide to have it configured on the application level, then:

  • The application will be deleted in accordance with the country’s configured data retention rule as soon as the candidate has been marked as rejected or withdrawn from this specific application.

  • If an application is deleted, then all information about it (reviews, notes etc) will be deleted as well and thus, not visible on the candidate profile.

Please refer to our Global Compliance Administration article on how to configure country specific data retention rules.

To activate this feature, please reach out to your Hiring Success Manager or Support Team.

FAQ 

What are the consent outcomes? Examples of consent outcomes when a recruiter manually requests consent after a candidate has applied or been manually added. The assumption is that the customer has enabled the following modules: SmartRecruit, SmartCRM and SmartMessage. 

| Scenario | Model | Consent status by module | Recruiter action | Possible candidate driven choices | Outcomes in SmartRecruiters |
|---|---|---|---|---|---|
| 1 | Separated | Required for all | Recruiter requests consent | Leave all unchecked / Ignore the consent request | Candidate profile is deleted. Recruiter and candidate receive emails. |
| 1 | Separated | Required for all | Recruiter requests consent | Check some | Profile shows a mixed status of acquired and declined with the new consent date. Where declined, profile is removed from that data scope - e.g. if consent was removed for SmartCRM then candidate is removed from all community applications. |
| 1 | Separated | Required for all | Recruiter requests consent | Check all | All consent statuses show acquired with the new consent date. |
| 2 | Separated | Acquired for all | Recruiter requests a new consent | Uncheck all | Candidate profile is deleted. Recruiter and candidate receive emails. |
| 2 | Separated | Acquired for all | Recruiter requests a new consent | Leave all checked | All consent statuses show acquired with the new consent date. |
| 2 | Separated | Acquired for all | Recruiter requests a new consent | Uncheck some | Profile shows a mixed status of acquired and declined with the new consent date. Where declined, profile is removed from that data scope - e.g. if consent was removed for SmartRecruit the candidate is removed from all job applications. |
| 2 | Separated | Acquired for all | Recruiter requests a new consent | Ignore the consent request | Profile will not be deleted. The original consent acquired date will still be displayed. |
| 3 | Single | Required | Recruiter requests consent | Accepts consent | Status is shown as acquired with the new consent date. |
| 3 | Single | Required | Recruiter requests consent | Declines consent / Ignore the consent request | Candidate profile is deleted. Recruiter and candidate receive emails. |
| 4 | Single | Acquired | Recruiter requests a new consent | Accepts consent | Status is shown as acquired with the new consent date. |
| 4 | Single | Acquired | Recruiter requests a new consent | Declines consent | Candidate profile is deleted. Recruiter and candidate receive emails. |
| 4 | Single | Acquired | Recruiter requests a new consent | Ignore the consent request | Profile will not be deleted. The original consent acquired date will still be displayed. |

Does consent related reporting reflect this feature? Not entirely. There will be additional work in Q3 on separated consent.

Does consent work with the Field Recruiting Application? Yes. While on the Field Recruiting App, the candidate needs to consent to the customers’ privacy policy as part of expressing interest. Once that is done, the candidate will receive an automated email with a link to the job ad to complete their application. At this point, the candidate will make consent choices.

What happens if the customer does not set a privacy policy? A message to that effect is displayed along with a checkbox to ensure the candidate understands the situation. The candidates’ consent status will be Required. This is because the candidate has not provided consent as the privacy policy is not visible. Where GDPR = On, the candidates' profile will not be deleted as there is no privacy policy.

Will consent status be updated in the Audit API and the activity stream? Not at this time. We plan future delights to address this.  

Why can’t an administrator change from separated consent back to single consent? Switching from single consent to separated is a 1-way activity. It is not possible to switch back from separated to single. This is because once candidates start choosing separate consents - for instance SmartRecruit-Acquired, SmartCRM-Declined, SmartMessage-Declined - then the system cannot know how to convert those three values back into a single consent model.

Can customers choose their own privacy statements? No. Customers will have a choice between “read and understand” and “read and agree” statements. 

Will the new consent feature work for customers who have built custom careers sites and use Candidate APIs? Yes. A customer moving to separated consent will need to update their career site UI to account for the additional checkboxes and privacy statements. It will work as it does today.   

How does SmartRecruiters treat statuses where consent has switched from single to separated? Where candidate consent has been acquired, and the customer has multiple modules enabled (SmartRecruit, SmartCRM) switching to separated consent will be displayed as SmartRecruit-Acquired, SmartCRM-Acquired.

Where candidate consent has been acquired, and the customer has a single module (SmartRecruit) and the customer then adds additional modules before switching to separated consent, then the system will assume consent has been acquired for the additional modules also. If the customer subscribes to a new data scope after switching to separated consent (e.g. by adding SmartMessage), then the consent status for all existing candidates (for that new data scope) will be displayed as Required.

What needs to happen if the customer wants to switch to separated consent, but uses the apply API to integrate with a custom careers site? Whoever is handling the integration between the custom careers site and SmartRecruiters will need to make updates to the application page in order to properly list the consent choices. There is more information HERE. For reference, these are the rules which are enforced in this scenario:

  • company is on SINGLE and apply api sends SINGLE - SINGLE is saved in SmartRecruiters. 
  • company is on SINGLE and apply api sends SEPARATED - error is thrown (internally), we cannot transform SEPARATED into SINGLE, nothing is saved in SmartRecruiters. 
  • company is on SEPARATED and apply api sends SINGLE - SINGLE gets transformed into RECRUIT part of SEPARATED and only this consent is saved in SmartRecruiters. 
  • company is on SEPARATED and apply api sends SEPARATED - all SEPARATED parts (validated against company’s subscriptions) are saved.
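
The four rules above can be modelled as a local pre-flight check that an integrator runs before submitting, so that a model mismatch or an under-collected consent is caught on the careers site rather than discovered later. This is an added example, not SmartRecruiters code: the payload shape, scope identifiers and function names are hypothetical, and rejecting scopes outside the company's subscriptions is an assumption about what "validated" means.

```python
SINGLE, SEPARATED = "SINGLE", "SEPARATED"

# Data scopes named on this page; the identifier strings are this example's own.
RECRUIT, CRM, MESSAGE = "SmartRecruit", "SmartCRM", "SmartMessage"
ALL_SCOPES = {RECRUIT, CRM, MESSAGE}


class ConsentRejected(Exception):
    """The submission's consent cannot be stored at all (second rule on the page)."""


def reconcile_consent(company_model, subscriptions, payload):
    """Return the consent record that would be saved for one submission.

    payload uses a hypothetical shape, not the real API schema:
      {"model": "SINGLE", "consent": bool}
      {"model": "SEPARATED", "scopes": {scope_name: bool, ...}}
    """
    sent_model = payload.get("model")
    if company_model not in (SINGLE, SEPARATED) or sent_model not in (SINGLE, SEPARATED):
        raise ValueError("unknown consent model")

    if sent_model == SINGLE:
        consent = payload.get("consent", False)  # the page: false by default
        if not isinstance(consent, bool):
            raise ValueError("consent must be a boolean")
        if company_model == SINGLE:
            return {SINGLE: consent}
        # Company is SEPARATED: SINGLE becomes the recruiting part only.
        return {RECRUIT: consent}

    if company_model == SINGLE:
        raise ConsentRejected("SEPARATED cannot be transformed into SINGLE")

    scopes = payload.get("scopes", {})
    unknown = set(scopes) - ALL_SCOPES
    # Assumption: a scope the company does not subscribe to fails validation.
    unsubscribed = (set(scopes) & ALL_SCOPES) - set(subscriptions)
    if unknown or unsubscribed:
        raise ValueError(f"invalid scopes: {sorted(unknown | unsubscribed)}")
    if not all(isinstance(v, bool) for v in scopes.values()):
        raise ValueError("each scope decision must be a boolean")
    return dict(scopes)


def undecided_scopes(company_model, subscriptions, saved):
    """Subscribed scopes left without a stored decision after reconciliation."""
    if company_model == SINGLE:
        return [] if SINGLE in saved else [SINGLE]
    return sorted(set(subscriptions) - set(saved))


if __name__ == "__main__":
    subs = {RECRUIT, CRM, MESSAGE}
    # Constructed submissions, one per rule on the page.
    cases = [
        (SINGLE, {"model": SINGLE, "consent": True}),
        (SINGLE, {"model": SEPARATED, "scopes": {RECRUIT: True}}),
        (SEPARATED, {"model": SINGLE, "consent": True}),
        (SEPARATED, {"model": SEPARATED, "scopes": {RECRUIT: True, CRM: False}}),
    ]
    for company_model, payload in cases:
        try:
            saved = reconcile_consent(company_model, subs, payload)
            print(company_model, payload["model"], "->", saved,
                  "undecided:", undecided_scopes(company_model, subs, saved))
        except ConsentRejected as exc:
            print(company_model, payload["model"], "-> rejected:", exc)
```

The `undecided_scopes` result is the part worth alerting on: in the third case only the recruiting consent is stored, so the other subscribed scopes still have no recorded decision.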

How can a candidate control consent after granting it? The candidate can reach out to the recruiter and the recruiter can send another consent request so that the candidate can make updates. This approach is a good one as the recruiter can advise on the implications of removing consent if that is what the candidate wants to do.

Where a consent request is manually sent to a candidate, are email reminders sent? Yes. The system reminds the individual twice to provide consent: 7 days prior to the deadline, and 48 hours prior.