SmartRecruiters is committed to helping our customers comply with local regulations. Our GDPR compliance tools provide the ability to manage candidates' personal information and their consent to the use of that information for recruiting purposes.
SmartRecruiters' GDPR tools help companies to:
- Display privacy policies on job applications so that candidates can review them
- Collect explicit consent on the application
- Identify whether candidates have provided consent by looking at the candidate's profile
- Request consent if the candidate hasn't already provided it
- Automatically delete candidate information if the candidate hasn't provided consent when asked
SmartRecruiters also helps companies ensure compliance by providing candidates with the ability to manage their applications, personal information and consent.
Candidates need to understand how companies and SmartRecruiters will use their personal information before consenting to that use.
During the application process, all candidates who apply to a SmartRecruiters job ad have the opportunity to review the job's privacy policies and explicitly provide consent to those policies.
Candidates who submit their resume/info via the Field Recruiting App also have the opportunity to review applicable policies before submitting their interest.
By checking the consent box on a job’s application or when submitting their information via the Field Recruiting App, candidates can explicitly and actively agree to any privacy policies that apply to the job.
In all cases, candidates who apply to a job must provide consent before they can submit the application. Candidates who are referred will also be asked to provide consent when they complete the application.
Referrers are also asked to confirm that they have permission from the candidate to submit their information.
SmartRecruiters does not collect consent for candidates added by external recruiting agencies.
Application API and consent
Companies and partners who have built a custom application experience using our Application API should also ensure that they present candidates with the appropriate privacy policies and collect the candidate's consent. Make sure to specify the candidate's consent by setting the consent property to true in a POST request to the /postings/:uuid/candidates endpoint. The property is false by default.
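The following is an added example, not SmartRecruiters' own code, of how a custom application form can derive the consent property from the candidate's own action rather than hard-coding it. Only the consent property and the endpoint path come from this page; the form field names (policyShown, consentBox, firstName, lastName, email) and the function names are hypothetical.

```javascript
// Added example. Only `consent` and the endpoint path are from the page;
// every other field and function name here is a hypothetical placeholder.
const ENDPOINT_TEMPLATE = "/postings/:uuid/candidates";

// Accept only an explicit affirmative value. Strings such as "false" or "0"
// are truthy in JavaScript, so a plain Boolean(raw) cast would record
// consent that the candidate never gave. "on" is what an HTML checkbox
// without a value attribute submits when it is ticked.
function parseConsent(raw) {
  return raw === true || raw === "true" || raw === "on";
}

// Build the request for the Application API, refusing to proceed unless the
// privacy policy was shown and the candidate actively ticked the box. This
// mirrors the hosted flow, where an application cannot be submitted
// without consent.
function buildApplicationRequest(postingUuid, form) {
  if (form.policyShown !== true) {
    throw new Error("privacy policy was not presented to the candidate");
  }
  if (!parseConsent(form.consentBox)) {
    throw new Error("candidate did not give consent; application not submitted");
  }
  return {
    method: "POST",
    path: ENDPOINT_TEMPLATE.replace(":uuid", encodeURIComponent(postingUuid)),
    body: {
      firstName: form.firstName, // hypothetical field
      lastName: form.lastName,   // hypothetical field
      email: form.email,         // hypothetical field
      consent: true,             // set only after the checks above passed
    },
  };
}
```
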
Consent is stored on the candidate profile. Recruiters can check the candidate’s profile to verify whether they’ve provided consent for the use of their application.
Candidates who’ve applied numerous times, to different jobs at your company, will provide consent on each application. You’ll be able to see the date for the most recent record of collected consent.
Candidates can withdraw this consent from a particular company at any time.
Since candidates who apply must provide consent, if you see on a candidate’s profile that they have not provided consent, it’s likely because they were added to SmartRecruiters by some other method, such as manually by a recruiter, or via some kind of integration (e.g., LinkedIn).
Anyone with full access to a candidate can request consent by clicking Request Consent on the candidate’s profile.
The date of request is noted on the candidate profile. SmartRecruiters supports only one pending request, so if the candidate has not yet provided consent, you’ll be unable to re-request.
The candidate will receive this request email:
Hi [Candidate First Name],
You can view, update, or delete your profile at any time.
[Company] Recruiting Team
Clicking Review Policy will take the candidate to their Candidate Portal, where they can review the job's privacy policies, and accept or decline to provide consent.
Declining to provide consent is essentially identical to the candidate deleting their profile at your company. If they decline, SmartRecruiters will delete their candidate profile at the company and all applications associated with that profile.
Candidates who are added to SmartRecruiters, e.g., via Add Candidate, aren’t automatically notified, so if a company is subject to GDPR, someone on the hiring team with full access to the candidate will need to request consent.
It's important to remember two things when requesting consent:
- Consent is associated with a candidate's profile, not their applications. If the candidate has already consented, there's no need to re-request consent when adding the candidate to another job.
- When someone on a job's hiring team requests consent from a candidate, and the GDPR retention rule is active for that job, the candidate's profile will be deleted if the candidate declines the request or fails to respond to the request.
For example:
- Candidate applies to Job A, and provides consent in the application.
- Recruiter on Job A reassigns candidate to Job B, and requests consent.
- Candidate does not respond to the request, because they have already provided consent.
- The company has the GDPR retention setting active. After 30 days, the candidate's profile is automatically deleted because they did not respond to the request, even though the candidate may still want to be considered for employment.
GDPR retention rule
In the event that a candidate doesn't provide consent when requested, companies who are subject to GDPR should delete the candidate's information. This can be done manually, or by activating the GDPR Settings option in the Global Compliance configuration that applies to the job associated with the candidate's application.
If activated for a particular configuration, candidates have 30 days from the date that consent was requested to provide consent for their application. (All candidates who apply must provide consent, so this setting is intended for candidates who enter SmartRecruiters by a method other than direct application.)
If they do not, SmartRecruiters will remind candidates twice to provide consent:
- 7 days before and
- 48 hours before.
If they do nothing, or decline, SmartRecruiters will delete their profile when the deadline arrives.
Remember, Global Compliance configurations are applied based on the job’s location, not the candidate’s location.
The GDPR setting overrides any other data retention rules. If the GDPR setting is not active, then SmartRecruiters will follow the data retention rule set in the configuration.