Skip to main content

Configure compliance rules

Included in:
  • SmartStart
  • SmartRecruit


SmartRecruiters helps automate the compliant management of candidates' personal data by following configurations that you can set up with the Global Compliance tool. 


A compliance configuration consists of two parts:

  • A Data Retention period for rejected candidates. When the period ends, SmartRecruiters will delete the identifying personal information stored in the candidate’s profile.
  • A Privacy Policy url, which is added to the candidate application. This URL will link to your corporate privacy policy privacy. If you have separate policies for different countries, just add URLs for each policy within the configuration for the appropriate country.  

Some countries, such as the USA and UK, have additional guidelines or requirements on collecting demographic information about candidates. When you add configuration for these countries, it will include a summary of the requirements for the country.

Multiple configurations

By default, SmartRecruiters adds a default configuration ruleset to your account, and will apply these default compliance rules to jobs in any country for which you don't set up a specific configuration.  

You can also add country-specific configurations with differing privacy policies and data retention periods.

Note that data retention rules for applicants to the General Application pool will apply the default configuration ruleset. 

Screen Shot 2020-04-22 at 9.38.41 AM copy 2.png

SmartRecruiters will use a job's location to determine which configuration applies to that job.

  • If you post jobs in only one country, either modify the default configuration, or just set up a new configuration for that specific country.
  • If you post jobs in more than one country, it's a good idea to set up a configuration for each country.

Edit configurations

To edit or create new compliance configurations:

  1. Navigate to Settings / Admin.
  2. Click Global Compliance in the Administration list. 
  3. Click on a configuration to edit it.Screen Shot 2017-03-01 at 1.57.28 PM.png
  4. If you'd like to add a new country-specific configuration, start typing the country into the search field, and select it.Screen Shot 2017-02-02 at 5.03.11 PM.png

Choose retention period

Once you've opened the Default configuration or added a new country configuration, choose the data retention period.

Screen Shot 2020-04-22 at 9.38.41 AM copy 3.jpg

From the list, choose a data retention period for the country. These periods begin after candidates are rejected/withdrawn/removed from job, or hired.

By default in the system, data retention are all managed on a candidate level.  However as part of the April 2019 release (section: Data Retention available on the application level), customers now have the option to submit a request via your Hiring Success Manager or Support team to have this activated on an application level.

Here's a full explanation of when SmartRecruiters will delete candidate data, and a list of the data that's deleted.

In the case for communities, the country value of a community (which a prospect is a part of) will determine the data retention period. When the prospects’ status becomes inactive (Not Selected, Not Interested or Transferred), the persons’ data will be deleted accordingly.  Please find more details in CRM Data Retention FAQ (here).

Available periods for data retention

  1. Don't delete
  2. (Delete) Upon Rejection
  3. 1 months later
  4. 2 months later
  5. 3 months later
  6. 6 months later
  7. 1 year later
  8. 2 yeas later
  9. 3 years later
  10. 4 years later
  11. 5 years later
  12. 10 years later

Data retention requirements by country

Some countries have explicit requirements on the minimum or maximum period for retaining candidates’ data. 

D = Duration of employment.

  In Process/Hired Rejected
  Min # years Max # years Min # years Max # years
Austria 3 30   0
Belgium       0
Denmark   D   0
Finland D+10   2  
France 5     2
Germany 10     0
Hungary   3   0
Ireland D+7   1.5  
Italy 10     0
Netherlands 7     1
Poland 50     0
Romania 10      
Spain D+4   3  
Sweden 7     0
Switzerland 10     0
UK   D+6   0.5
US   EEO: 2 

When you create a new policy for a specific country, SmartRecruiters defaults the value to Don't delete. Customer administrators are expected to choose the appropriate duration. The count starts on the date that the candidate is hired (or rejected), and depends on the location of the job, not the candidate’s location.

SmartRecruiters will observe whatever data retention policy you set, and will not enforce any regulations. If you choose a duration other than the default for the countries in the table below, it’s up to you to make sure you’re compliant. Data retention periods are subject to change by local compliance authorities.

GDPR settings

In the event that a candidate doesn't provide consent when requested, companies who are subject to GDPR should delete the candidate's information. This can be done manually, or by activating the GDPR Settings option in the Global Compliance configuration that applies to the job associated with the candidate's application.

Screen Shot 2020-04-22 at 9.38.41 AM copy.png

If activated for a particular configuration, candidates have 30 days from the date that consent was requested to provide consent for their application. (All candidates who apply must provide consent, so this setting is intended for candidates who enter SmartRecruiters by a method other than direct application.) 

If they do nothing, or decline, SmartRecruiters will delete their profile when the deadline arrives. 

Remember, Global Compliance configurations are applied based on the job’s location, not the candidate’s location. 

The GDPR setting overrides any other data retention rules. If the GDPR setting is not active, then SmartRecruiters will follow the data retention rule set in the configuration.

Add privacy policy 

By default, SmartRecruiters adds a disclaimer notifying candidates that that their personal data is bound by your privacy policy at the end of the candidate application. The disclaimer looks like this:

Please be informed that your application to this job offer will trigger some processing of your personal data by the recruiting company, the data controller. SmartRecruiters, the data processor, has no control over such personal data processing. For more information on these personal data processing, please refer to the recruiting company’s privacy policy.

In the Global Compliance setting, you will now be able to decide which line of wording you would like to use in the consent sentence for your privacy policy. Administrators will be able to choose between “read and understand” versus “read and agree”. Depending on what you choose, the change will be propagated in the application experience and the consent request screen. 

Once setup, "privacy policy" will be linked to the URL you have added in your country settings in addition to their Imprint (aka, Impressum or Corporate Information) as is commonly required in Austria, Germany and Switzerland among others.