This article will guide you through enabling GDPR features. Check below to learn more about Workable's approach to GDPR. The GDPR settings apply to jobs in the EU, UK, Norway, Iceland, Switzerland & Liechtenstein.
GDPR features include:
- Right to erasure
- Privacy notice setup
- Application consent to your Privacy Notice
- Data retention automation
Manage these options from your Compliance settings page.
Candidates’ right to erasure
By default, once you enable the GDPR features, the system will provide candidates with a way to withdraw from the application process and delete their data automatically.
The application confirmation email that candidates receive automatically after applying will include an option to withdraw from the application process and delete their data.
Furthermore, this feature means that candidates and account members can permanently delete their data from an individual job or your full Workable account (all active and archived jobs and the Talent Pool). Also, Workable account members can permanently delete a candidate’s data from Workable if they are requested to do so. Once they do that, the profile will be hard-deleted, so there is no need for any further actions.
Privacy Notice setup
You can create a Privacy Notice from our legally approved template or use a link to your own pre-written notice. The first time you email a sourced candidate or invite them to an event, a footer will be automatically added to the email/event, including a link to your Privacy Notice and an option for the candidate to delete their data and withdraw from your process. The details in the footer can be edited if needed.
These details ensure that you won’t forget to notify the candidate when you first contact them. You can also set up an automation to delete sourced candidates who have not been sent a link to the disclaimer within 30 days.
Standard privacy notice (Workable-provided)
Fill in the template with your organization’s information. We’ll use it to generate a pre-written Privacy Notice. You can preview this notice to ensure it meets your organization's standards. The pre-written details in the Privacy Notice have been vetted by legal professionals for GDPR compliance.
Your company's logo will appear at the top of the notice:
The sample data we’ve included in this example is not comprehensive and may not align with the guidelines your organization chooses to set. When completing the template, you may want to speak with your executive or legal team to ensure that you have addressed everything that candidates should be informed of and that your data retention timeframe makes sense for your organization.
Custom Privacy Notice
If you prefer to use your own fully custom Privacy Notice, click the link to the upper right of the form, "I want to use our existing Privacy Notice".
Simply include a link to your Privacy Notice in the form that appears. Click Save Changes at the bottom of the section once you’ve set up the Privacy Notice.
- The custom Privacy Notice should address how you use candidate data. Simply linking to a generic or overall Privacy Notice or Policy that your company has may not be sufficient. Consult with your legal or executive team before implementing this option.
- We recommend using the Workable-provided option for its ease of setup, or checking our GDPR privacy policy template as a guide to what your privacy policy should look like.
A link to the Privacy Notice will appear in application confirmation emails automatically. It can also appear on application forms and in emails to sourced candidates.
Updating your Privacy Notice
You can update the details of your Privacy Notice template or change the custom link at a future date if necessary. When a change is made to the template, it will be reflected for all candidates who access your Privacy Notice. Candidates who initially received an older version of the template will be directed to your updated version.
Applicant consent option
You can add a checkbox item to application forms that will appear automatically for any job located in the EU, UK, Norway, Iceland, Switzerland, or Liechtenstein, where residents are protected under the laws of the General Data Protection Regulation (GDPR) and the UK GDPR. Candidates must check the box to apply and will be shown a link to your Privacy Notice.
To enable this option:
- Click your user icon in the upper right of Workable and then click on Settings.
- Navigate to Compliance.
- Flip the Applicant consent switch to ON.
Enabling this switch is not a requirement. As a recruiter, you have a legitimate interest in collecting data from candidates who want to work at your company. Candidates choose the information they submit and should understand that their data will be used for hiring purposes.
Additionally, candidates will automatically receive a link to your Privacy Notice on the application confirmation page that appears after they apply and in the application confirmation email.
Automated data retention management
Automating the deletion of candidate data will save time and ensure GDPR and UK GDPR compliance. Candidates who have applied to a job will be deleted by the automation if any of the job's locations are in the GDPR area.
- Click your user icon in the upper right of Workable, click on Settings, and select Compliance.
- In the GDPR section, locate the Data retention menu.
- Flip the switch to ON to get started.
First, you’ll be able to set the length of time your organization would like to store candidate profiles. The clock for this starts ticking the day the candidate profile is created in Workable. If you set your timeframe for 24 months, for example, candidate profiles in active jobs, archived jobs, and the Talent Pool will be automatically deleted 24 months after they were created in Workable.
Next, you’ll be able to exclude active profiles from automatic deletion. This means that candidates in active jobs and your Talent Pool will not be deleted automatically if there has been any recent activity—like comments, emails, or evaluations. You can set the period of time for exclusion. For example, changing the setting to 6 months means that if there has been any activity on a candidate profile in the last 6 months, it will not be deleted. Candidates in archived jobs will be deleted based on their creation date, even if they have been updated recently.
Snoozed candidates will not be deleted automatically, no matter how long they’ve been in your account. When a snoozed candidate wakes up, this automatically counts as an update to their profile. In this example, a candidate who is unsnoozed would then only be deleted after 6 months if there are no other updates to their profile.
You can also choose to have sourced candidates automatically deleted after 30 days if they have not received a link to your Privacy Notice or been contacted in any way.
If you’ve uploaded (sourced) a candidate and have not contacted them, they will be deleted after 30 days. If you do contact them, you should inform them of your Privacy Notice and their right to erasure. Check here for more details on how to notify sourced candidates about your Privacy Notice. After contacting a sourced candidate, the automation filters for the first switch will apply to that candidate.
When you first enable a data retention option, candidates may be deleted from your account right away (in the example above, candidates who are older than 24 months would be deleted). This will only occur when you click Save changes at the bottom of the GDPR section. An alert will let you know how many archived and active candidates are about to be deleted. Click Save changes to confirm the details and initiate the automation.
When a candidate meets the deletion criteria, they will be deleted from your Workable account. Their candidate profile will be removed and will not be recoverable. You will not be notified when this occurs.
Updating remaining candidates
Enabling the switch for automated data retention management will provide an option to email any remaining candidates with your Privacy Notice and a link that would enable them to delete their own data.
We recommend that you choose this option and email the remaining candidates. This will ensure that the candidates who applied before your GDPR Privacy Policy was set up in Workable receive a link to view it. You’ll have a clean slate and will not need any further planning or communication around notifying your existing candidates about GDPR.
If you choose to ignore the candidates, you should follow up at a later date with more details.
Sourced candidates who have been in your account for more than 30 days can be emailed before deletion. If you choose this option, they will all be classified as ‘contacted’ and thus will not be deleted as ‘non-contacted’ sourced candidates after 30 days.
Non-contacted sourced candidates who are less than 30 days old will not be contacted at this time. The first time you email a sourced candidate or invite them to an event, a footer will be automatically added to the email/event that contains a link to your Privacy Notice.
If there are candidates in your account without email addresses, you cannot share the Privacy Notice with them. These candidates will be treated as non-contacted sourced candidates and deleted after 30 days.
Impact in reports
- Candidates who withdraw their application, delete their own data via the link, or are deleted by our automated data retention options will be kept for the Historical reports but not for the Status reports. Learn more about report types here.
- Hired candidates' names are kept and displayed in Time to Hire and Hiring Plan reports, even if the candidates have been GDPR-deleted.
- Any candidates deleted by an explicit action by the user in the account (single or bulk deletion) are not retained in any of our reports.