GDPR – FAQ

As GDPR evolves, we will continue to update this information. Please use this page as a reference point for any GDPR-related queries that you may have.
If you would like to review further information surrounding GDPR, please download the Tribepad GDPR Handbook (gdpr-handbook).
# Question Answer
1 My company is in the UK and we’re leaving the EU, so this GDPR thing doesn’t include me, does it? Incorrect. The UK is adopting GDPR in full and is also extending it, so compliance is a must.
2 My company isn’t based in Europe, so I don’t need to worry about this, right? Incorrect. Every organisation around the world needs to comply with GDPR if they are going to process and/or store data about European citizens.
3 Do you encrypt data in transit? Yes, absolutely!
4 Do you encrypt data at rest? We encrypt candidate name by default. We can also encrypt address, telephone number and email address if required, but there may be extra costs involved in this service and it may impact the speed of your platform. We are more than happy to enable it for customers on request though.
5 What kind of data is considered sensitive and personal? Anything that can be used to identify an individual on its own or in combination. So this could be an email address, the person’s address or telephone number in
6 Where do you store the data? In the UK in our two data centres.
7 Can I have different data retention rules for internal candidates? Yes. You can keep internal candidate data for longer and you can anonymise rather than delete internal candidate data. You can have different settings for internal candidates and external candidates.
8 Can I have different data retention rules for different countries? Yes.
9 Do I have to let candidates delete their own profile? If a candidate wants their details removed then you have to provide a way for this to happen. You don’t specifically need to let the candidate delete their own profile; however, you do need to let them know how they can have their details removed. This would be in your privacy policy.

Although not specifically required, Tribepad will offer the ability for candidates to delete their own profiles without intervention from you. You do not have to have this feature turned on as long as you give your candidates a way to request their details to be removed. We believe that providing the button will save you time. We are also allowing your super users to delete candidate records using the Manage tool – meaning you will no longer need to raise a ticket with us.

10 I want to add passive candidates but don’t want them to know. Is this ok? Probably not ok but it depends. If you are storing information that identifies the candidate then they have the right to know this, but if you are only storing a link to a LinkedIn profile and maybe the person’s name, then this is probably ok because the candidate has the ability to edit their LinkedIn profile. If you create a passive candidate and specify their email address, we will notify them and give them access to their profile though.

Users that you allow to create passive candidates should be versed in GDPR to ensure they are within the guidelines.

11 I only want to store LinkedIn links, can’t I do that? Yes, but you’ll probably need their name as well. If you store their email address we will let the candidate know about it.
12 Can I add my own opt-ins for my candidates if I intend to do something outside of Tribepad? Yes, we allow you to add your own bespoke opt-ins. Have a word with your account manager for details. If a candidate has applied for a role but hasn’t selected to ‘opt-in’ to communications from you, you may only communicate with them about that particular role. You will not be able to apply them to other roles.
13 What about my existing candidates – do I have to get rid of them? This is the billion dollar question. The answer to this question is probably no, though.

A lot of this will depend on your existing terms and conditions and privacy policy that your candidates signed up to before GDPR.

The more of the following that are true, the more likely you are to be in the clear:

  • If your pre-GDPR terms were clear that users were signing up to the different kinds of communication then you are likely clear.
  • If you are not communicating with them unless they are applying for a job, and only communicating with them about that job, then you are also most likely clear.
  • If you are not keeping their data for longer than you have a proven need for then you are also most likely clear.

However, in all circumstances, you should speak to your legal representative.

If you are changing your terms and privacy policy quite significantly with new data processing and/or communication processes then you should get your candidates to opt in to these as soon as possible, preferably before May 25th. We can project manage a one-off email to your candidate database if you wish to get them to agree to your new terms / opt-ins – but please note that there may be costs associated with this. Please speak to your account manager if you are interested in this option.

But don’t panic, and don’t go deleting your existing candidate base right away. You are likely safe to keep it to a large degree. Just don’t over-communicate to your existing base if they haven’t previously opted in, and only keep candidate data for as long as you have a proven need.

I have heard of companies that have deleted their existing candidate base to be 100% safe. But this is very much a considered choice based on what your legal team say, and how transparent your existing terms/privacy policies were.

14 Can my system administrators delete candidate records without having to raise a Tribepad ticket? Yes, you’ll have access to do this within the Manage tool.
15 I have to keep data for Northern Ireland regulations. What can I do? You will be able to set retention policies and data anonymisation rules differently for different countries.
16 What if a candidate record needs deleting and Tribepad has passed on that candidate’s details to a third party – such as SHL/TalentQ/Onfido etc? If we are integrated with the service and we know that the candidate has had their details sent over to your third party, then we can automatically send an email to an address of your choosing to let someone know that the candidate details need deleting from there too.
17 Is there standard text that you provide for our GDPR compliant privacy policy? No. This is a legal document between you and your candidates and every customer will have different interpretations of what they need and should do. Therefore, the document will need to be owned and created by each customer.
18 What are the penalties for non-compliance? They are big! Up to 20 million euros or 4% of your global revenue. It’s not worth the risk of not being compliant.
19 Do I need to seek legal advice? Yes. We recommend all customers speak to their own legal representatives to review their internal processes.