Overview
Workable’s data processing activities are governed by a contract that complies with EU and UK law. We are already compliant with existing data protection laws, and many of these remain the same under GDPR. Like Workable, organisations that come into contact with personal data from EU or UK residents must comply with the General Data Protection Regulation (GDPR), the UK GDPR, or any other applicable data protection law. The GDPR aims to strengthen people’s rights to privacy and protect their personal data.
Under the General Data Protection Regulation, organizations should ensure that:
- candidates are aware that their data is processed by your organization
- candidates are informed about your Privacy Policy and their rights
- candidates can request deletion of their data at any time
Ensuring compliance
You can maintain GDPR compliance in your Workable account by enabling and using the GDPR automation features.
To get started and adjust the GDPR settings, visit the Compliance section of the user icon menu.
The GDPR settings apply to jobs based in the EU, UK, Norway, Iceland, Switzerland and Liechtenstein, where residents are protected under the laws of the General Data Protection Regulation (GDPR). Since the GDPR directly applied to the UK prior to Brexit, the GDPR setting also applies to jobs based in the UK. Jobs in other locations will not be affected.
Candidates understand that when they submit their personal data as part of a job application, their data will be processed (reviewed) as part of the hiring process. The only caveat to this is if you are requesting sensitive information, for example, information about a disability, cultural, genetic or biometric information, or information gathered from an EEO survey or a background check. In most cases, you must request and record explicit consent to process this information. If a criminal background check is required by law (e.g. for working at a nuclear power facility), no consent is required.
While you may not need to collect explicit consent in all cases, you should always share your recruitment Privacy Notice with candidates. As the data controller of your Workable account, the above responsibilities rest with your organization.
If a candidate contacts you at any stage asking you to delete their data from your files, you should carefully verify whether you must comply. With the GDPR compliance settings enabled on your Workable account, the data will be permanently deleted. You must also inform candidates if you wish to use their data for anything other than the initial purpose outlined.