Privacy Policy

GDPR Privacy Policy – Recruitive (Our Commitment to GDPR)

The EU General Data Protection Regulation (GDPR) came into effect in May 2018. The new legislation applies to all businesses processing the personal data of EU citizens, whether they are inside or outside of the EU.

What is personal data?

In recruitment, we collect lots of data about our candidates – but which of it is deemed ‘personal’ or ‘sensitive’?

The GDPR applies to that data which could identify or make identifiable, a living individual – whether directly or indirectly by ‘all means reasonably likely to be used’.So, names, addresses, email addresses etc. would automatically fall into the remit of GDPR.

But the recitals of the GDPR also highlight that certain categories of online data may be personal including:

Online identifiers

Device identifiers

Cookie IDs and

IP addresses

Helping you meet your obligations as a Data Controller

The legislation places new obligations on you as a Data Controller and on our relationship with you as your Data Processor.

Recruitive are committed to complying with the GDPR as a data processor and helping you to comply with your obligations as a data controller. We will continue to work closely with our legal team to ensure we have an optimal understanding of the GDPR and the new responsibilities we share with you in protecting personal data. New GDPR features, particularly in the area of consent management and data anonymisation have also been introduced.


How are we working toward best practice compliance?

Adopting the highest level of Information Security Standards

Our Information Security Management System has been assessed to the IASME standard. Based on ISO27001 and international best practice, the certification is risk-based and includes aspects such as physical security, staff awareness, and data backup. The IASME standard was recently recognised as the best cyber security standard for SMEs by the UK Government.

Helping your candidates to exercise their rights under GDPR

Many of the rights of data subjects are already supported by Recruitive Candidate Portal . For example:

Secure, online self-service

Providing secure, online self-service is considered to be Best Practice by the EU.

We are committed to assisting our customers in meeting their requirements under the GDPR and, where possible, making the process easy to manage – particularly enabling secure ‘self-service’ for candidates to access their GDPR rights.

The Right of Access

Candidates can see what personal data you hold on them

The Right of Rectification

Candidates can easily request that incorrect data is rectified.


Other GDPR compliant features of the Recruitive Software System

Right to be forgotten

A candidate should be able to request being deleted – System users with the appropriate access rights can delete candidates.

Ongoing Compliance and new GDPR compliant features

We have introduced additional features to support and simplify the ways in which our customers can manage their GDPR responsibilities.

Consent

One area where we have introduced new tools is for management of consents. The GDPR greatly extends the responsibilities for gaining consent to use personal information beyond that which is required under existing data protection legislation.

Under GDPR consent needs to be freely given, specific, informed & granular, verifiable, easy to withdraw and time limited.


Data Security

Encrypted Data in Transit

Recruitive Software is accessed via https:// which means data is encrypted in transit between the browser and the server – this includes candidate portals as well as the Recruitive Software System (back end)

Encrypted Data at Rest

Recruitive Software offers data Encryption at Rest, where the database is encrypted, as an optional service – this is our preferred / recommended option for customers.

Un-decryptable User Passwords

Option to have user passwords that are un-decryptable.

User Permissions

Recruitive Software has permissions, so that you can restrict access to specific categories of data to only those users who require access.

Two-Factor Authentication

Recruitive supports if requested Two-Factor Authentication (2FA), meaning you can control how your users login and implement a 2FA approach either completely (all logins) or, for example, when logging in to the system from outside your company IP range.


Recruitive only use UK Datacentres

GDPR imposes restrictions on the transfer of data outside of the EU.

Recruitive only use UK based datacentres and we have appropriate data processing agreements in place with our suppliers. Our Datacentre suppliers are ISO27001 certified.


What should Customers be doing now?

Customers need to take GDPR seriously and will need to look at where they should be updating their own policies and procedures to be compliant. A good place to start is the Information Commissioner’s Office:  https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/. There is no ‘one size fits all’ solution, your business’ obligations under the GDPR may well be different to your competitors.

With the additional rights Candidates will have under the GDPR, Customers will need to start updating their Privacy Policies to ensure that each time they collect personal data from Candidates that they provide information in a clear and understandable form about, amongst other things: what data is being held; how it is used (e.g. if there is automated decision making); who the data might be shared with (including Recruitive Limited); how long it is stored for; whether the data is transferred between systems; and, how Candidates can exercise their rights under the GDPR.


Our ICO Data Protection Registration

Recruitive is registered for Data Protection with the Information Commissioners Office (ICO).


Facebook Data

Within our software, we record the following information when you allow our application to communicate with Facebook (No personal data is held i.e. Name, Email Address, Date of Birth or Phone Number)

  • Page ID
  • Person ID
  • Facebook Token


If at any time you would like to remove this information from our system and revoke the opportunity to post to your Facebook page we have provided an “Unlink” button within the software which will remove this information.