We have created this FAQ so that you can get an overview of the most common questions we receive about GDPR concerning our recruitment platform (the “Service”).
In this FAQ “Customer” means any company using the Service and “Data” means the personal data processed by Teamtailor on behalf of the Customer.
1. Who owns the data?
The Customer. Teamtailor is only processing Data on behalf of the Customer.
2. Where does Teamtailor store the data?
Data collected through Teamtailor is stored and processed inside the EU/EEA, in countries that the European Commission has found to provide an adequate level of protection, or by suppliers that have entered into binding agreements that satisfy the GDPR's requirements for lawful third-country transfers (such as Privacy Shield).
3. Is Teamtailor ISO 27001 certified?
Teamtailor is not ISO 27001 certified; however, our most important subcontractors are. The Service is hosted on Heroku. Heroku's physical infrastructure is managed by Amazon and has been accredited under ISO 27001, SOC 1/SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate and Sarbanes-Oxley.
4. How do I know that the data is secure on your servers?
The Service is secured on multiple levels. All communication between the Customer and the Service is encrypted in transit using SSL/TLS with 128-bit keys, which also protects session cookies. All uploaded documents are encrypted at rest with 256-bit AES (Advanced Encryption Standard). The hosting platform we use (Heroku) applies security controls at every layer, from application to infrastructure. Both Teamtailor and Heroku commission regular penetration tests from independent, reputable third parties to find and fix vulnerabilities in the web application.
5. Does Teamtailor process any sensitive data?
Processing of sensitive Data is usually not necessary to perform recruitment through the Service. However, Teamtailor cannot guarantee that candidates will never submit sensitive Data themselves.
6. Who has access to the data?
Within Teamtailor, access to the Data follows the principle of least privilege: the Product Team and the Customer Success Team can access the Data only for the clearly defined purpose of troubleshooting.
7. Is active consent required when applying for a job?
8. For how long is Teamtailor allowed to save the data?
According to the GDPR, Data may only be stored for as long as it is necessary for the purpose of the processing. We have built functions into the system that give our Customers control and flexibility over storage time. In Settings you can, for instance, have the system email candidates at regular intervals (every 6, 12 or 24 months) asking whether they consent to their Data being kept. When Data is no longer required for the specified purpose, you must delete it.
9. Does Teamtailor need to inform about how long data is stored?
When a candidate applies for a specific job, he/she does not need to be told how long the Data will be stored, provided it is stored only for the duration of that application process and only for that purpose. If you wish to use the Data for other purposes, such as future recruitments, the applicant must be informed accordingly, and that information should preferably state both the purpose and the storage time.
10. How can a candidate erase their personal data?
Every person has the right to request that a company or authority delete that person's Data. Deleting Data from Teamtailor is done primarily by the candidate requesting and/or deleting the relevant Data themselves, without the Customer's involvement. All our Customers' career sites include a section where candidates can manage their own Data.
11. If anyone wants to be forgotten, will the information be deleted automatically?
When a candidate is deleted from Teamtailor, the Data is removed immediately from every readable/accessible location and purged from our backups within 30 days, at which point it is permanently deleted. In certain situations, however, we may be obliged to retain the Data for a longer period in accordance with the regulations in force.
12. What happens when a candidate is removed from the system?
All identifiable Data about the candidate is removed from the system; numeric data used for analytics purposes is not affected. The candidate cannot be re-identified from that data, and the integrity and accuracy of the analytics the Teamtailor application provides are preserved.
13. Has Teamtailor entered a Data Processing Agreement (DPA) with its suppliers?
Yes, Teamtailor has entered into DPAs with all its subcontractors. These agreements are in accordance with the GDPR.
14. How can Teamtailor ensure that candidates have control over their own data?
Teamtailor applies "Privacy by Design". This means that candidates always have access to their Data and information on how they can control it. This communication takes place in every contact with the Customer, via the career pages as well as through email. Candidates can easily manage their Data through the "Privacy center" on your career site.
15. Is it required to obtain consent from a person recommending a candidate?
No explicit consent is required. A person who is asked to recommend a candidate (the "Recommending Person") receives an email explaining how long his/her Data will be stored, for what purpose and how it will be used. The Recommending Person can then choose whether to recommend the candidate. The Data is kept only for the duration of the relevant application process; if the Recommending Person clicks "I don't want to participate", or simply ignores the email, we remove the Data automatically within 30 days.
16. How does Teamtailor register user activity?
Basic user activity (login, profile updates, etc.) is logged and kept for 14 days. All system changes are logged, managed by a third-party service and kept for a longer period, primarily for traceability and troubleshooting. Only members of the Teamtailor Product Team have access to the full set of logs.
17. Can the customer access the logs?
Yes, the customer can enable the audit log feature that keeps track of activities in the system. This makes it easier to follow up on different actions taken on candidates in an environment where many recruiters are involved with the same job process.
18. What measures does Teamtailor take regarding pseudonymization and encryption of data?
Pseudonymization and encryption can be used together or separately. The GDPR (Article 32) names both as appropriate technical measures but does not state a preference. In our view encryption gives the stronger protection. All our data is encrypted: data at rest with 256-bit AES, and data in transit via SSL/TLS with 128-bit keys.
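The two terms above are easy to conflate, so here is an added worked example (not Teamtailor's code; all names, records and events are constructed) of what pseudonymization actually buys and why it relates to the deletion behaviour described in question 12. A pseudonym is a keyed HMAC-SHA256 token over the candidate's email, kept in a separate table from the identifiable fields; erasing the identity row leaves the analytics counts intact and the remaining tokens cannot be linked back to a person without the key. The example also shows why an unkeyed hash is not adequate pseudonymization for low-entropy identifiers such as email addresses: a guess list recovers them immediately. Encryption of the stored documents themselves (AES-256) is a separate control and is not reproduced here.

```python
"""Keyed pseudonymization and the identity/analytics split (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Assumption: the key lives in a secrets manager, never next to the records.
PSEUDONYM_KEY = secrets.token_bytes(32)


def normalise(identifier: str) -> bytes:
    """Canonical form so 'Ada@Example.com' and 'ada@example.com' map to one token."""
    return identifier.strip().lower().encode("utf-8")


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256. NOT adequate pseudonymization for guessable identifiers."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): deterministic per key, unlinkable without it."""
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, guesses: List[str], key: Optional[bytes] = None) -> Optional[str]:
    """Attacker holding a list of likely emails. Without the key they can only
    test plain hashes; with the key the pseudonym is reversible by trial."""
    for guess in guesses:
        candidate = plain_hash(guess) if key is None else pseudonymize(guess, key)
        if hmac.compare_digest(candidate, token):
            return guess
    return None


class CandidateStore:
    """Identifiable data and analytics are joined only by the pseudonym."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.identities: Dict[str, Dict[str, str]] = {}   # token -> personal data
        self.analytics: Dict[str, List[str]] = {}         # token -> event names

    def add_candidate(self, email: str, name: str) -> str:
        token = pseudonymize(email, self._key)
        self.identities[token] = {"email": email, "name": name}
        self.analytics.setdefault(token, [])
        return token

    def record_event(self, email: str, event: str) -> None:
        self.analytics.setdefault(pseudonymize(email, self._key), []).append(event)

    def erase(self, email: str) -> None:
        """Right to erasure: drop every identifiable field, keep the numeric data."""
        self.identities.pop(pseudonymize(email, self._key), None)

    def is_identifiable(self, email: str) -> bool:
        return pseudonymize(email, self._key) in self.identities

    def count_events(self, event: str) -> int:
        return sum(events.count(event) for events in self.analytics.values())


def demo() -> Dict[str, object]:
    """Run the scenario from question 12 and return the observable results."""
    store = CandidateStore(PSEUDONYM_KEY)
    store.add_candidate("Ada@example.com", "Ada")          # constructed record
    store.record_event("ada@example.com", "applied")
    store.record_event("ada@example.com", "interviewed")
    before = store.count_events("applied")
    store.erase("ada@example.com")
    guesses = ["bob@example.com", "ada@example.com"]       # attacker's guess list
    token = pseudonymize("ada@example.com", PSEUDONYM_KEY)
    return {
        "applied_before": before,
        "applied_after": store.count_events("applied"),
        "identifiable_after": store.is_identifiable("ada@example.com"),
        "plain_hash_reversed": dictionary_attack(plain_hash("ada@example.com"), guesses),
        "pseudonym_reversed_without_key": dictionary_attack(token, guesses),
        "pseudonym_reversed_with_key": dictionary_attack(token, guesses, key=PSEUDONYM_KEY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is the last two results: whoever holds the key can still re-identify a token, so the key is itself personal-data-relevant and must be access-controlled like the identity table; destroying it turns every remaining token into anonymous data.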
19. What measures does Teamtailor take regarding their ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services?
All Teamtailor employees sign a Non-Disclosure Agreement as part of their employment, the Teamtailor platform is built to comply with the GDPR, and we maintain internal processes and policies to ensure the availability and resilience of our systems and the Service.
20. What measures does Teamtailor take to restore the availability and access to data in a timely manner in the event of a physical or technical incident?
We have a clearly defined incident response plan for physical or technical incidents, a clearly defined backup system, and restore procedures that are tested regularly, so that Data loss is prevented and access to the system can be restored in a timely manner.
21. Does Teamtailor have a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing?
In terms of technical measures, we do regular penetration testing and extensive systems testing to ensure the security of Data processing. In terms of organizational measures, we have a yearly review of internal processes and procedures to ensure legal compliance, alignment with ISO standard principles and the effectiveness of said processes. Additionally, we continuously revise our processes to reflect the environment we operate in and changes in legislation.