Request a demo

GDPR Compliant Applicant Tracking System (ATS)

Eploy is committed to complying with the GDPR as a data processor and helping you to comply with your obligations as a data controller. We have been, and are continuing to, work closely with our legal team to ensure we have an optimal understanding of the GDPR and the new responsibilities we share with you in protecting personal data. 

To help customers further with their GDPR preparations and ongoing compliance, Eploy has introduced a suite of new tools that focus on key aspects of the new regulations.

GDPR Consent Management

GDPR Consent Management

Getting the explicit, affirmative consent of your candidates, either active or passive, is essential to demonstrate your commitment to GDPR compliance. Some of the characteristics of a compliant consent management system include that it is:
  • Freely given
  • Specific
  • Informed & granular
  • Verifiable
  • Easy to withdraw
  • Time limited
Eploy’s new Consent Manager enables you to:
  • Introduce a Data Consent policy
  • Add additional specific consents for each use-case
  • Choose which checks on consent you want Eploy to enforce

Your GDPR Data Consent Policy

Typically, you will use the Data Consent Policy to define the consent that candidates give you to store and process their personal data to secure them a job. Your policy is completely customisable; you can define its’:

  • Name
  • Description
  • Duration (retention period)

Also, you can define how to handle candidates whose consent is approaching the end of its validity period – enabling you to send automatic reminders that encourage candidates to re-consent.

You can set reminders to start sending (x) days before the consent expiry and send further reminders every (y) days after that.  If the candidate still fails to respond, you can automatically send a final email confirming that their consent has expired and what will happen next with their data.

Your GDPR Data Consent Policy
Granular Consents & Preferences

Granular Consents & Preferences

Eploy’s Consent Manager lets you create any number of specific consent preferences – enabling you to offer candidates the ability to ‘opt-in’ for  granular usage of their personal data for specific purposes only.

For example, you could create separate consents for:
  • Receiving email newsletters
  • Joining a talent pool
  • Contacting by specific means – such as SMS
(Note: the above are just examples, you can create preference consents for whatever use-cases your business may require)

As with your core Data Consent policy, Preference consents each have a Name, Description & Help Text. Each of these preferences are set to expire at the same point as your core Data Consent policy – this prevents multiple consents expiring at different times – which could have a negative effect on your candidate experience – since candidates could end up receiving multiple reminder notifications.

Based on these preferential consents you can then control that communications, such as emails, are only sent to those candidates who have specifically opted-in to receive them. Meaning you can run multiple email newsletter lists – which is great for sending targeted, segmented emails to the right people. You can also set the valid consents within Email templates – this means that any emails created using the template will only be sent to those people who have explicitly opted-in to receive them.


Managing Exclusions - Legal Basis

You can also create exclusions for your Data Consent policy. An Exclusion is a filter that defines the criteria of the candidates that can be excluded – for example; you may want to create a filter that finds Non-EU candidates within your Eploy database and exclude them from your Data Consent policy or where you can show that you have a legitimate interest for processing candidate personal data.

You can use exclusions where you may have a different legal basis for storing and processing personal information – for example; retaining new hire information for a period or retaining applications can constitute valid legal basis under the GDPR. We advise that you talk to your Data Protection Officer (DPO) to understand the different legal basis you may have for storing and processing different categories of candidates and then create exclusions within Eploy’s Consent Manager.

Managing Exclusions - Legal Basis
Data Retention Periods

Data Retention Periods

As the GDPR requires that consent is time-limited, within your Data Consent Policy, you can define what should happen, automatically, when a candidate’s consent expires. Your choices here are:

  • Change the candidate’s Employment Status to “Consent Expired”
  • Anonymise the candidates personal data
  • Delete the candidate
  • Change the Candidate Status

    This option will give candidates whose consent has expired a specific Employment Status (“Consent Expired”) this ensures that such candidates are restricted from future searches and queries. This is a good choice where you want to review all candidates before deciding what to do next manually, but in the interim restrict them from further processing.

Candidate Data Anonymisation

There are good reasons why you might not want to completely delete all information stored about a specific candidate from your database. A good example of this is your metrics and analytics – consider, for example Candidate Source (where did they hear about the role?; which job board etc) – if you delete the candidate record you are likely to lose this important information – meaning your stats are less accurate. 

Rather than lose this ‘non-personal’ data – you can set expired candidates to be anonymised, automatically, within your Eploy database. With anonymisation, all personal data fields, notes and comments are anonymised, all CVs and other files associated with the candidate are deleted, leaving only pertinent, non-personally identifiable data. This will maintain the integrity of your stats, metrics and KPIs that do not rely on personally identifiable information

Anonymisation is set to take place on your preferred day of the month.  In addition, the candidate’s Employment Status will be set to ‘Sent for Anonymisation’. Please note, that once anonymised it will be irreversible.

Candidate Data Anonymisation
Candidate Deletion & The Right to be Forgotten

Candidate Deletion & The Right to be Forgotten

By selecting the ‘Delete Candidate’ option, your candidates will go into a holding pen that is then deleted from your Eploy database on your preferred day each month. This tool helps you manage the right to be forgotten - where the candidate requests deletion from your system, for example.

By putting them into a holding pen, you can give yourselves time to manually check and verify that you do not have another legal basis for retaining the candidate data. To assist with this, Eploy will automatically set the candidate’s Employment Status to ‘Sent for Deletion’ and optionally you can choose to notify specific individuals in your organisation before deletion so that they can review them if required.

Ensuring GDPR Compliant Candidate Communications

Eploy’s Consent Manager enables you to configure which specific checks you want your system to perform when contacting candidates in your database:

Checks can be created for:

  • Emailing the candidate
  • Sending SMS messages to the candidate
  • We’ve added consent tools that help you when working directly with Candidate data within the Eploy System.

    Within the Candidate Summary page we’ve added a new pop-over for consents – this will show which preferences each candidate has specifically opted in for.
  • However, as a fail-safe, Eploy also stores a history of all consent changes, so if a candidate challenges the validity of a consent you will be able to refer back to the history to identify who edited it and when.

Ensuring GDPR Compliant Candidate Communications
Give candidates self-service control of their data & privacy consents

Give candidates self-service control of their data & privacy consents

Your Data Consent policy and specific preference consents can each be presented to candidates through your careers site and (if you have one) your Eploy Candidate Portal.

Gaining consent at the point of registration

It’s important that, as a minimum you capture a candidates consent to store and process their personal information at the point of registration on your careers site.

Eploy’s Consent Manager also let’s you choose which preference consents should also be presented – enabling you to have specific consents to join your talent pools and be contacted about other roles, for example.

Candidate Self-service for data consent

When a candidate logs in to your Candidate portal they can also be presented with your data consent policy and manage their opt-in preferences.

For more information please also see this GDPR blog post and our general GDPR statement

Award-winning GDPR Applicant Tracking Technology

Eploy's comprehensive GDPR suite was crowned the 2019 OnRec Technical Innovation Award winner at the annual OnRec Awards in London, March 2019.

Award-winning GDPR Applicant Tracking Technology

GDPR & your candidates rights
Practical tips for managing candidate personal data


Request a demo

We believe

Finding candidates who are the perfect fit for your roles is always challenging. Fortunately Eploy’s world-class applicant tracking system and recruitment software makes it much, much easier. 

Eploy applicant tracking system & recruitment software is precision-engineered to work on every platform and add value to every stage of the recruitment journey. We automate and simplify processes to attract, engage and employ candidates quickly. With a high degree of measurability, you can track costs and identify performance gaps accurately.

Our software is reinforced with market-leading mentoring and cross-sector expertise so you get training and support to achieve a powerful commercial advantage.