We support you in making your recruiting process GDPR-compliant. This information applies to onlyfy customers and relates to joint processing within a customer's corporate account.
You can find the shared responsibility agreement as part B of the onlyfy GTC.
1. How do you manage the applicant data in your company account in a GDPR-compliant way?
This is how you map the most important GDPR principles in your recruiting process with onlyfy .
1.1 Storage limitation
The storage period for personal data should be limited to the absolutely necessary minimum and expire when the purpose of the data storage is fulfilled. The storage period is limited to 12 months, but we recommend a setting of 6 or 7 months. Deactivation of deletion after the set periods is not possible.
Within your company account you have the possibility to map the settings regarding your candidates in the settings area "Privacy & data processing".
1.1.1 Erase function when applying for a specific job ad
That means that if an application has received either the status of "Hired", "Rejected" or "Rejected by candidates", the candidate should be deleted after the individually defined deletion period. For a completed application status, the date the status was set is used to calculate the removal date.
For applicant profiles that have not been assigned one of these statuses, the deletion period begins after the last change in the profile. What changes can these be?
- Update of the candidate tags
- Update of the candidate´s skills
- Updating general information, additional information, or other information in the applicant's resume (by the applicant or recruiter).
- Finishing a questionnaire
- Creating an appointment with a candidate (with Cronofy)
- A candidate sends a message to a recruiter
- A recruiter sends a message to a candidate (manually, not via an automated workflow!)
- Invitation of a candidate to an assessment
- Updating the rating of the candidate
- Request for deletion of the candidate (request for erasure)
- Request for longer data storage
- The request for deletion of a candidate is withdrawn (request for erasure)
- Comment on an activity in the candidate profile
- Uploading new files to the candidate profile
- Application is withdrawn
- Application is finished
- New application status is set
- Confirmation of an email application
- Invitation to a questionnaire
- Assignment of a candidate to a job
- Personal data of the candidate is exported (as recruiter)
- Candidate profile will be exported
- A note is added/updated to the candidate profile
- Invitation to apply for another job
- Uploading a new resume (as a recruiter)
- Custom fields are added/edited (as a recruiter)
- Application source is set
- Updating the avatar of the candidate
[tip]
You don't want to lose track of good candidates, and be allowed to contact them in case of further suitable job offers?
Activate the notification email to candidates two weeks before the deadline for erasing. With this email, the candidate can agree to a longer data storage for your company or, if there is no active application, delete his or her data directly. Alternatively, you can send this invitation to individual candidates directly in the candidate profile or to several candidates in the candidate list at the same time.
[/tip]
1.1.2 Storage of data for potential job offers
If you want to keep storing candidates in your candidate pool not in relation to a specific application, but as interested parties for potential job offers, you must specify a set data storage period. To do this, onlyfy one gives you the following options:
- Activate the checkbox for extended data retention when you are recruiting.
- Specify a set period for extended data retention.
- Activate the notification email to be sent out to candidates two weeks before the deadline for erasing. Alternatively, you can offer certain candidates a longer data storage period on an individual basis using the corresponding function in the candidate’s profile.
1.2 Data minimization
Decide which data is required for the recruitment process and structure your application forms accordingly. Ask only for the data that has absolute relevance to the job. You can specify the type of job application process under "Settings" > "Applications" > "Application process".
1.3 Transparency
- Each of your applicants always has the possibility to view and edit their stored data in the candidate center.
- To provide a candidate with information about the personal data stored, select the download function "Download stored personal data" in the candidate’s profile. You can then forward the file to your candidates. Applicants can also generate the data information themselves. To do this, click on "Download personal data" in the "Download" section of the Candidate Center.
- Information regarding privacy policy/privacy notice for candidates can be found in this article under the point "Privacy notice and declaration for candidates & data protection contact of your company".
1.4 Accuracy
You always have the possibility to update and correct the stored personal data of the applicants. Applicants can also make changes themselves at any time in the candidate center.
1.5 Request for erasure
Candidates have the right to be forgotten (request for erasure).
1.5.1 Requesting your right to erasure as a candidate
Candidates can request deletion in their own profile by clicking on the arrow next to their name (1), selecting "Settings" in the list (2), going to the bottom to "Delete account" (3) and clicking on the "Request deletion" button (4).
The period mentioned in the text depends on the "Timeframe for application related data retention" you have set – 6 month is only exemplary here. This text can be customized.
In the following dialog, the candidate is again reminded of the deadline until final erasure. Here, too, the date of final erasure is calculated from the "Timeframe for application related data retention" specified by you and begins with the submission of the application.
Receipt of the request for erasure is displayed in settings after confirmation.
1.5.2 Requesting your right to erasure as a recruiter
You can submit the request for erasure in the candidate’s profile at the candidate's request. You will find a button for this at the end of the candidate’s profile.
After requesting erasure, you must confirm this request and can also provide a reason for your choice. Like with the candidate, the deadline depends on the settings of the "Timeframe for application related data retention".
1.5.3 Effects of the request for erasure
Implications for the candidate
The candidate will not receive any automated messages from the system during this period, such as job newsletters, mass emails or messages sent due to automated workflows.
The candidate will also not be able to apply for another position with your companies while the request for erasure is still in effect. The following information is displayed once the candidate clicks the "Apply Now" button: "You can no longer apply to any open position as you requested your data to be removed."
Implications for the recruiter
You cannot send the candidate any questionnaires, invitations to assessments or invitations to extended data storage (talent pool). You also cannot assign the candidate to new jobs.
However, you can send candidates a manual message, so that in case of any clarifications regarding the request for erasure, you can send them in a well-documented manner. You will, however, be informed once the candidate has initiated the request for erasure.
Please note that candidates are no longer displayed in the regular candidate list. In the candidate list, however, you can use a special filter to display the candidates who have requested for their data to be erased. To do this, click on the "More" button (1) and activate the "Only candidates in the data erasure process" filter (2).
1.5.4 Final automatic erasure
After the deadline expires, the candidate's personal data will be automatically erased. The candidate will optionally receive an email notification (text can be customized).
1.5.5 Withdrawing the request for erasure
The request for erasure can be revoked by both the candidate and the recruiter.
As a candidate: Withdrawing the request for erasure
Candidates can withdraw their request for erasure in their own user profile (1) in the "Settings" (2) at the very bottom of the page under "Remove account" (3) by clicking on the "Revoke data erasure" button (4):
Once this withdrawal has been confirmed, the candidate can actively participate in job application processes again.
The candidate can receive a confirmation email once you have activated this setting (see above). Furthermore, this process will be recorded in the activity log and also, if activated, a notification will be sent out to all recruiters.
As a recruiter: withdrawing the request for erasure on behalf of the candidate
At the candidate's request, the deletion request can also be revoked within the deadline. This option is available directly at the top of the candidate's profile.
The candidate can participate in the application process again after confirming the revocation (optionally with a reason).
The candidate can receive a confirmation email once you have activated this setting (see above). Furthermore, this process will be recorded in the activity log and also, if activated, a notification will be sent out to all recruiters.
1.5.6 Communication in the context of the request for erasure
Activity log
The request for erasure is recorded in the activity log. The activity log shows the person who requested for erasure and, if the person was a recruiter, the optional reason given. It is also recorded if the request for erasure has been withdrawn.
Confirmation email
The content of the emails to the candidates can be freely defined at "Settings" (1) > "Messaging" (2) > "Notifications to applicants" (3). There you can also deactivate the notifications (4).
For example, the candidate will receive the following confirmation email upon their request for erasure. The content corresponds to the default text.
Notification to the recruiter
You can also receive a notification if you request and equally withdraw your request for erasure. To do so, go to "My Profile" (1) > "Notifications" (2) > "GDPR" (3).
This way all recruiters who have access to the candidate can be notified.
2. Privacy policy and notice for candidates & data protection contact
Under "Settings" (1) > "Privacy & data processing" (2) > "Privacy policy/privacy notice for candidates and data protection contact" (3) you can
- view the information on data processing by onlyfy (4) and
- the information on data processing by onlyfy (5) and
- add the data protection contact of your company (6).
2.1 Information on data processing
Here you can view the information on data processing by onlyfy . This forms the first part of the privacy policy for candidates and cannot be edited.
The second part is information on the data processing of your company. We will show you the details of the second part in the next chapter.
Both parts are part of the privacy policy for candidates.
2.2 Information on data processing of your company account & data protection contact
Enter your company's privacy policy for candidates under "Information on data processing by NAME OF YOUR COMPANY" or adapt the sample template already entered.
This will be linked on all pages visible to candidates, such as in the candidate center under your-subdomain.onlyfy.jobs/policy, application process, as well as in email notifications. By default, a sample privacy policy template for candidates is already stored. You must adapt this template or upload your own privacy policy. You can also upload the privacy policy in different languages.
In the data protection declaration, you can add placeholders for the company name as well as the contact details of your data protection officer (name, address, phone number and email address). Please fill in the contact details of the data protection officer in advance under "Data protection contact of your company".
You can now find the current sample privacy policy template here or directly in onlyfy Application Manager under "Settings" (1) > "Privacy & data processing" (2).
Resetting the privacy policy will take you directly to the latest version.
[hint]
Please note: As soon as you click the "Reset to default" button, your changes will be lost and you will have to reinsert them.
[/hint]
2.3 Data protection notice in the case of manually created candidate profiles
Please always inform your candidates who do not apply directly via the application link for a position and are therefore created manually by you in advance about the data processing.
In addition, manually created candidates will be automatically notified via email about the profile creation.
In general, we recommend that instead of creating your candidates manually, you forward them the link to the online application and ask them to apply online. In this way, you ensure that the candidates are informed about data protection in any case.