GDPR
GDPR (General Data Protection Regulation) is a piece of legislation designed to strengthen and unify data protection law for all individuals within the European Union. The regulation became applicable and enforceable on May 25, 2018.
The General Data Protection Regulation (GDPR) replaced the Data Protection Directive (Directive 95/46/EC). It enhances the rights of individuals in the EU over their personal data, strengthens data privacy, and has fundamentally changed the way organizations across the planet approach data privacy.
Despite being a European Union regulation, GDPR applies to businesses anywhere in the world that control or process the personal data of individuals in the EU, regardless of where the business itself is established.
What is the Aim of GDPR?
The main purpose of the GDPR is to offer individuals in the EU (and, under the separate UK GDPR, in the UK) a high level of protection from data breaches and to strengthen the privacy of an individual’s personal data. Under GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
GDPR grants people, i.e. customers, citizens, candidates, etc., a range of data subject rights, which they can exercise under certain conditions, subject to a few exceptions.
In summary, here are some of the key changes that came into effect with GDPR:
- Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, among other things, the right to be forgotten and the right to request a copy of any personal data stored about them.
- Compliance obligations: The GDPR requires organizations to implement appropriate policies and security measures, conduct data protection impact assessments where processing is likely to be high-risk, keep detailed records of processing activities, and enter into written agreements with vendors that process data on their behalf.
- Data breach notification and security: The GDPR requires organizations to report certain personal data breaches to the data protection authority (within 72 hours of becoming aware of the breach, where feasible) and, when the breach is likely to result in a high risk to individuals, to the affected data subjects. The GDPR also places additional security requirements on organizations.
- New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring the behavior of EU individuals.
- Increased enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global turnover, depending on the seriousness of the infringement and the damage caused. The GDPR also provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
How CVViZ Complies with GDPR?
CVViZ fully complies with GDPR in our role as a data processor. GDPR is a complex piece of legislation and we’ve been working with privacy experts and our attorneys to be sure we’re completely compliant with GDPR.
Here’s a high-level overview of what we have done in order to be GDPR compliant:
- Appointed a Data Protection Officer.
- Thoroughly researched the areas of our product and business impacted by GDPR.
- Rewrote our Data Protection Agreement and Privacy Policy.
- Developed a strategy and guidelines for how to address the areas of our product impacted by GDPR.
- Made the necessary changes and improvements to our product based on the requirements. (You can find the details in the “Acknowledging Data Rights” section.)
- Implemented the changes to our internal processes and procedures required to achieve and maintain compliance with GDPR.
- Thoroughly tested all of the changes to verify and validate compliance with GDPR.
- Communicated our compliance through our website.
Acknowledging Data Rights
Here’s a detailed log of the eight essential data subject rights and what we have done in order to facilitate the rights in accordance with GDPR, to ensure the privacy and security of our customers:
1. Right to be Informed
What does it mean?
Individuals have the right to receive clear and accurate information about how a business has acquired their data, who is processing the data and why, and how it will be stored and used.
How CVViZ complies?
When candidates use the job application page to apply to jobs, CVViZ gives candidates an opt-in button with a privacy document that tells candidates how data will be used. When you manually add candidates into the system it is your duty as a “Data Controller” to inform your candidates about how you will use their data.
2. Right to Access
What does it mean?
Individuals have the right to request access to the personal data that an organization holds about them, and to receive a copy of it. Organizations must respond without undue delay and within one month of the request.
How CVViZ complies?
Our Update Resume functionality allows you to send your candidates a link they can use to access all the information you have stored about them.
3. Right to Rectification
What does it mean?
Candidates will now also have the ability to edit, update and rectify any missing or incorrect or outdated information that has been stored about them.
How CVViZ complies?
With our Update Resume functionality you can send your candidates a link that they can use to update their information or resume/CV.
4. Right to Erasure
What does it mean?
Candidates can request that an organization delete their personal data, or submit a “request to be forgotten”, at any time if they no longer want their data to be stored or processed. The right is not absolute: a controller may retain data that it is legally obliged to keep, but must not continue to use it for the original purpose.
How CVViZ complies?
If a candidate or client requests that you delete their information, you can simply select their record in CVViZ and click on delete. We erase the record and all associated files immediately.
5. Right to Restrict Processing
What does it mean?
Individuals have the right to request a restriction on the processing of their personal data, pertaining to certain conditions or circumstances. When processing is restricted, data controllers are permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing. Organizations will have one calendar month to respond to the request for restriction.
How CVViZ complies?
CVViZ lets its customers change a candidate’s status to inactive/suspended, so that the candidate is retained but no longer sent to companies for open job opportunities.
6. Right to Data Portability
What does it mean?
Individuals have the right to receive the personal data they provided to an organization in a structured, commonly used and machine-readable format, and to transfer it from one electronic processing system to another at will. If requested, companies must comply within one month, extendable by a further two months for complex requests. For example: switching from one social network to another, or from one cloud provider to another.
How CVViZ complies?
To extract a candidate’s data from CVViZ, select the candidate’s record and click on Export Data.
7. Right to Object
What does it mean?
Under GDPR, candidates have the “right to object”, i.e. the data subject can tell the data controller that they no longer want the processing of their personal data to be carried out. The controller must then stop unless it can demonstrate compelling legitimate grounds that override the individual’s interests. In practice, the right to object is exercised most often in relation to direct marketing, where it is absolute: processing for direct marketing must stop as soon as the individual objects.
How CVViZ complies?
We let users attach an unsubscribe button with all the emails they send. This allows candidates and clients to opt-out from any communication from the recruiter.
8. Rights in Relation to Automated Decision Making and Profiling
What does it mean?
GDPR has provisions on decisions based solely on automated processing, without any human involvement, that produce legal or similarly significant effects for an individual. It also covers profiling, i.e. the automated processing of personal data to evaluate certain aspects of an individual. Profiling can be part of an automated decision-making process, and GDPR applies to all automated individual decision-making and profiling.
How CVViZ complies?
All activity in CVViZ, from the submission of eligible candidates to job openings to emailing contacts is done by a ‘human’ user who makes the decision to perform that specific action.
Advanced Security
If your data is stolen or lost, the data processor must inform the data controller of the breach without undue delay; the controller must then notify the supervisory authority within 72 hours where feasible and, if the breach is likely to result in a high risk to the affected individuals, inform those individuals without undue delay. In the light of recent incidents such as the WannaCry ransomware and the Meltdown processor vulnerability, this right is of utmost importance to individuals.
As a software company, we take our customers’ data and its security very seriously. All your data is encrypted and stored in world-class data centers managed by Amazon Web Services (AWS) in the Europe region. We also use a number of AWS services to ensure that data is frequently backed up and remains available.
We have implemented dozens of changes and taken many steps to help you embrace the changes brought about by GDPR as easily as possible, while continuing to focus on our mission of making recruiters’ lives simpler with great software.
Disclaimer:
This information serves as background to help you understand how CVViZ has addressed some important GDPR requirements that you are legally obliged to comply with under EU law.
If you have any queries, you may send them to hello@cvviz.com
Last updated 18.05.2022