Designed to help individuals protect their personal data, the General Data Protection Regulation concerns all those who handle personal data in Europe, whether for themselves or on behalf of third parties. 

Recruitment is affected by this new law because it involves collecting, processing and storing personal data from applicants.

In practical terms, it directly concerns Welcome Kit, the ATS (Applicant Tracking System) operated by Welcome to the Jungle, and all recruiters who process applications and recruit using our technology day-to-day.

Some key GDPR principles

  1. A clear purpose: the data controller must inform the data subject of exactly what use will be made of their personal data after it is collected
  2. Relevant data: the data controller must only collect data strictly required for processing: this is the principle of data minimisation
  3. Retention period: personal data should be retained for sufficient time for the data controller to achieve their purpose; after this, the data must be deleted
  4. Individual rights: individuals can assert their rights regarding personal data held by the data controller, i.e. the rights of access, correction and deletion

The GDPR and recruitment: to begin, some definitions

The GDPR sets out three main stakeholder categories.

  • The data subject is the applicant: the person revealing their personal data.
  • The data controller is the company recruiting (this is you): you determine how you use the data collected and you process it.
  • The data processor is Welcome Kit (this is us): we collect and manage applicant data on behalf of the data controller.

Protecting applicants’ personal data is therefore a crucial issue for us; it is at the heart of the trusting relationships we enjoy and hope to continue to enjoy with all our customers.

Welcome to the Jungle and the GDPR

For several months, we have been working internally to ensure our solution is compliant: this has involved adapting our internal processes and delivering new Welcome Kit features detailed in these FAQs.

Adapting our internal processes

  • Monitoring and benchmarking the recruitment market: we have reviewed the impact of the GDPR on recruitment, identifying priority areas we need to work on to ensure our applicant and customer data is secure.
  • Auditing our internal processes: we have reviewed all processing we do on behalf of our customers and created a processing register. 
  • Legal support: we have chosen a law firm to monitor Welcome to the Jungle and ensure we comply with the new regulation.
  • Appointing a DPO: we have chosen a DPO (Data Protection Officer) from our team. He is the contact for our customers for all issues around personal data protection and is also responsible for ensuring WTTJ remains compliant in future.
  • Adapting our legal documentation: we have reviewed all our legal and contractual documents. We have updated our terms of service, general terms and conditions and privacy policy; a data processing agreement (or DPA) will also be signed by all our customers; these documents are available on the Welcome Kit recruiter interface.

Developing new Welcome Kit features

The cornerstone of our compliance update is developing our Welcome Kit tool: our priority is improving our product to make it compliant.

  • Explicit applicant consent: in line with Article 6 of the GDPR, the recruiter is obliged to obtain the explicit consent of the applicant regarding the use of their personal data by clearly informing them about the purposes of this processing.

How is Welcome Kit supporting me with this? 

For each application, the applicant now explicitly gives their consent by ticking a box authorising the company to use their data for recruitment purposes for a period set by the company. Companies can customise the information message to suit their own requirements; they can also draw the applicant’s attention to their recruitment confidentiality policy. A specific procedure is also being developed for underage applicants, for whom we will ask for permission from legal representatives.

  • Data retention period: one fundamental aspect of the GDPR is that it limits the retention period for personal data. Although they do not indicate a precise period, the regulations specify: "Personal data must be retained for no longer than is necessary for the purposes for which the personal data are processed."

How is Welcome Kit supporting me with this? 

Companies can now set the retention period for applicant data on the dashboard. By default, the retention period for applicant data is set at two years, in line with the French Data Protection Authority CNIL’s 2002 recommendations. However, companies can also choose a longer retention period. This period is mentioned to the applicant when their consent is being obtained. Two months before the data retention period ends, an email that can be customised by the company will be automatically sent to the applicant to suggest renewing their authorisation to allow the recruiting company to retain their personal data. If the applicant does not reply, their data will be deleted when the current retention period ends.

  • Respecting the individual rights of applicants (right to be forgotten, right of access, right to correct data, etc.): applicants must be able to find out what personal data is held by the company about them so they can correct it, have it deleted or retrieve it to share it with other companies.

How is Welcome Kit supporting me with this? 

If an applicant makes a request, the recruiter can delete the applicant's personal data from their database themselves, or export all stored personal data about the applicant to share it with them.
