We have created this FAQ to give you an overview of frequently asked questions about GDPR with respect to Teamtailor’s recruitment service (the “Service”), available on www.teamtailor.com
In this FAQ, “Customer” means any company using the Service, “Candidate” means a job applicant, “User” means an employee, consultant or other third party of the Customer using the Service, and “Data” means the personal data processed by Teamtailor on behalf of the Customer i.e. User Data and Candidate Data.
The opinions expressed in this FAQ are in good faith, and while every care has been taken in preparing this document, Teamtailor AB makes no representations and gives no warranties of whatever nature in respect of these documents, including but not limited to the accuracy or completeness of any information, facts and/or opinions contained therein.
Teamtailor AB, its subsidiaries, the directors, employees and agents cannot be held liable for the use of and reliance of the opinions, estimates, forecasts and findings in this document.
Content of this FAQ:
1. DATA PROCESSING
1.1 WHAT ROLE DOES TEAMTAILOR HAVE?
Subject to the General Data Protection Regulation (“GDPR”), each Customer is the ”Controller” of their respective Data (submitted by Users and Candidates) and Teamtailor is engaged as a ”Processor” acting under the authority, and on behalf of the Customer.
1.2 WHO OWNS THE DATA?
The person the Data represents owns the Data. In case of the Service, each Candidate and User owns its own Data.
1.3 WHAT KIND OF DATA IS PROCESSED?
1.4 WHAT ARE THE PURPOSES OF PROCESSING DATA?
Data of Candidates is processed for the purpose of recruitment; to allow Candidates to apply for jobs, ‘Connect’ with the relevant Customer, and/or to be considered for potential future jobs. Data of Users is collected to administer job applications and job processes.
The appointed system Admins can configure their setup to collect permission in the Service for different purposes. Click HERE for more information. If the Customer wishes to use a Candidate’s Data for other purposes, the Candidate should be informed accordingly.
1.5 WHAT HAPPENS WHEN THERE IS NO LONGER A PURPOSE TO PROCESS DATA?
Anyone who collects and stores Data is required under the GDPR to delete such Data when it is no longer necessary to process it. This includes the chain of sub-contractors and other relevant parties. For more information on Teamtailor’s Data removal processes, see section 3 of this FAQ.
1.6 DOES TEAMTAILOR PROCESS ANY SENSITIVE DATA?
Teamtailor values personal integrity and takes adequate measures to only process relevant Data in a correct manner. Processing of sensitive data is usually not necessary to perform recruitment through the Service. Teamtailor cannot however guarantee that sensitive data will never be submitted by Candidates. If a Customer processes sensitive data, they should take the necessary measurements to ensure data privacy and security.
2. DATA ACCESS
2.1 WHO AT TEAMTAILOR HAVE ACCESS TO THE DATA?
Within Teamtailor, access to Data is based on the least privilege principle, which means that Teamtailor limits access rights for employees to access data to the bare minimum. Therefore, only key employees such as the Product Development, Key Account Management and Customer Success teams have access to Data with the clearly defined purpose of troubleshooting. Those processing Data will only do so in an authorised manner and are subject to undertakings of confidentiality.
2.2 HOW CAN TEAMTAILOR ENSURE CANDIDATES’ CONTROL OVER THEIR OWN DATA?
Teamtailor applies Privacy by Design which means that processing Data is in accordance with data protection and privacy regulations. Candidates can request their Data to be deleted, corrected and receive access and information on the Data stored. The Candidate can easily manage its own Data and their consents through their account available on the Customer career site. The account is accessed via a unique login link sent to the Candidate’s email. The Candidate can manage its Data through the Customer’s Data & Privacy page, as demonstrated HERE.
3. DATA STORAGE AND DELETION
3.1 WHERE DOES TEAMTAILOR STORE THE DATA?
Data collected through the Service is stored within the EU-West1 region of Amazon Web Services (AWS), more specifically in Ireland.
3.2 HOW LONG IS CANDIDATE DATA STORED?
According to the GDPR, Data can only be stored for as long as it is necessary for the purpose of Data processing. At Teamtailor, we have developed functions in the Service that give our Customers control and flexibility over storage time. Under the Data & Privacy Settings, Customers can add and edit for how long a Candidates’ permission is valid. The Customer can also add automatic emails to inform Candidates that their permission has expired, with the option for them to opt-in or opt-out. For more information, click HERE.
3.3 HOW TO REQUEST DATA TO BE DELETED?
Every person has the right to request a company or authority to delete that person’s Data. When a Customer, User or Candidate requests to delete Data stored in the Service, Teamtailor, with the help of its sub-processors who also store Data through the Service, will remove the Data permanently within 28 days of the request. For Data to be deleted in a safe manner, Teamtailor and our sub-processors comply with obligations set out in the GDPR and other privacy regulations.
Depending on who requests the erasure of the Data, the following process takes place:
3.3 a) DATA DELETION REQUEST FROM CUSTOMER:
If a Customer requests Teamtailor to erase Data of a Candidate or a User, Teamtailor undertakes to comply with such request either by (a) directly deleting the Data and/or (b) if applicable, notifying relevant sub-processors of the deletion request whereby the sub-processor automatically deletes the Data.
3.3 b) DATA DELETION REQUEST FROM CANDIDATE:
If a Candidate requests Teamtailor directly to delete his or her Data, Teamtailor shall advise the Candidate to submit his or her request to the relevant Customer. The Candidate may then either (a) request deletion of Data at the Customer’s career site, or (b) request deletion of his or her Data via system-generated emails, whereby, in each case, the Customer is automatically notified of such deletion and deletes the Data in accordance with their respective setup of the Service (automatic or manual).
3.4 WHAT’S THE DELETION PROCESS AFTER TERMINATION OF THE SERVICE?
If the service agreement between Teamtailor and a Customer is terminated, Teamtailor will, at the Customer’s request, export all Data to the Customer. Back-ups, for all Data, will be saved for an additional 28 days before it is permanently deleted.
3.5 DOES THE SERVICE PROVIDE AUTOMATIC DELETION OF CANDIDATE DATA?
Depending on the Customer’s Data & Privacy settings, Candidate Data can either be automatically or manually deleted by the Customer from the Service. For more information on how to add settings for automatic removal of Candidate Data, please click HERE.
3.6 UPON DELETION OF DATA, IS IT DELETED EVERYWHERE?
Yes, when deleting Data we follow a deletion policy to make sure that the Data is safely and completely removed from our servers or retained only in anonymized form. Teamtailor is responsible for ensuring that sub-processors either comply with a request to delete the specified Data from any medium where it is stored, in a way that cannot be restored, or that it is anonymized in such a way that it is not possible to connect to an individual or recreate. This process is set in Teamtailor’s DPA’s with our sub-processors.
4.1 DOES TEAMTAILOR HAVE A DATA PROCESSING AGREEMENT WITH THEIR SUB-PROCESSORS?
Yes, Teamtailor has entered into DPAs with all our sub-processors.
4.2 WHERE ARE TEAMTAILOR’S SUB-PROCESSORS LOCATED?
Teamtailor’s Data is hosted in the EU and processed either within the EU or such third country deemed to offer an adequate level of security by the European Commission, or by service providers that have entered into binding agreements that fully comply with the lawfulness of third country transfers. Teamtailor’s sub-processor list is available upon request.
4.3 DOES TEAMTAILOR HAVE ANY CERTIFICATIONS?
Teamtailor has not yet obtained any certifications, however our most important sub-processors have. The Service is hosted by Heroku. Heroku's physical infrastructure is managed by Amazon Web Services, and has been accredited under ISO 27001, SOC 1/SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley.
4.4 DOES TEAMTAILOR’S SUB-PROCESSORS RELY ON PRIVACY SHIELD FOR DATA TRANSFERS OUTSIDE OF THE EU?
In 2020, the Court of Justice of the EU issued a decision in the “Schrems II” case, which confirmed that standard contractual clauses can be a legitimate mechanism for transferring data from the EU to the US, while invalidating the Privacy Shield framework. As a result, sub-processor’s appointed by Teamtailor that previously relied on Privacy Shield, have entered into standard contractual clauses or binding corporate rules as the legitimate mechanism for transferring data between the EU and the US, as well as undertaken necessary security measures to safeguard such transfer.
5. LEGAL BASIS
5.1 ON WHAT LEGAL BASIS CAN A CUSTOMER PROCESS DATA?
The processing of Data is necessary in order to be part of a recruitment process. There are different legal bases to rely on when collecting and processing Data and it is up to Teamtailor’s Customers, depending on their assessment, to decide which legal basis is applicable for them in order to be compliant. For more information on these settings, click HERE.
5.2 DO I NEED TO COLLECT CONSENT TO SHARE MY REFERENCES DATA?
When a Candidate has applied for a job with a Customer, the Candidate is given the option to add people who can recommend the Candidate for the job. It is up to the Candidate to contact the references beforehand to ask for their consent to add their contact details. Once the details have been submitted, the added reference(s) will receive an email with the option to recommend the Candidate, information about how long his/her Data will be saved in each case and for what purpose etc.
6.1 WHAT ARE COOKIES?
A cookie is a small file containing a string of characters that is sent to your computer when you visit a website. Cookies may store user preferences and other information to enhance your experience on the Career site. Overall, cookies are used to help make websites work in a better and more efficient way.
To keep the Data safe, Teamtailor and our sub-processors take adequate measures and comply with obligations set out in the GDPR and other privacy regulations. In addition, the Service is secured on multiple levels. All communication between the client and server is encrypted using 256-bit encryption and 2048-bit RSA key. Latest certificate details and SSL report for our API can be found HERE. All uploaded documents and Data at rest are encrypted securely using 256-bit Advanced Encryption Standard. Passwords are always encrypted and never stored in cleartext.
Full backups are done daily, and kept for 4 weeks (28 days). Backups are transferred off-site for an additional layer of security. Restores are performed regularly to test data integrity and backup practices.
7.3 IS THERE ANY ACTION LOG AND ARE THEY ACCESSED BY THE CUSTOMER?
Teamtailor offers our Customers direct access to user activities in the Audit logs and the logs can be accessed by the system admins. User activity is logged and saved (i.e. login, updating profile information, etc.) for upto 30 days (longer period could be added upon request).
The information provided in the Audit logs includes; Actor, Source, IP-adress, Action and Timestamp. For more information of the aforesaid, please click HERE. All system changes are logged and managed by a third-party service and saved for 28 days - primarily for traceability and troubleshooting purposes. Only members of the Teamtailor Product Team have access to all the system and server logs.
7.4 WHAT MEASURES DOES TEAMTAILOR TAKE REGARDING THEIR ABILITY TO ENSURE DATA CONFIDENTIALITY AMONG THEIR EMPLOYEES?
All Teamtailor employees have signed a Non-Disclosure Agreement in connection to their employment and the Teamtailor platform is regularly updated to stay GDPR compliant. In addition, we have set internal processes such as continuous training and policies that are frequently updated to ensure the availability and resilience of our systems and services.
7.5 WHAT MEASURES ARE TAKEN IN THE EVENT OF A PHYSICAL OR TECHNICAL INCIDENT?
Teamtailor has a defined incident response plan in case of a physical or technical incident, a clearly defined back-up system as well as tested restore practices to prevent any Data loss and restore access to the system in a timely manner. Such a response plan includes, inter alia measures to identify the incident, take reasonable steps including to report and follow up.
keywords: authority, authorization, authorize, authorized, authorisation, authorise, authorised, GDPR