Get ready for GDPR with us
Your applicants’ personal information is safe with us
On May 25, 2018, a new EU regulation regarding the protection of personal information will come into effect. This will also affect companies that are seeking and recruiting new employees. Teamio is ready: we are doing everything we can to make your work on GDPR compliance as easy as possible.
Our responsibility
We process the personal information of applicants who respond to job vacancies. The administrators for this information are, however, the employers who publish job vacancy ads.
Data Controller
I.e. the employer who collects information on applicants during recruitment.
The administrator is responsible for ensuring that:
- Adequate technical and organizational measures are implemented to make it easy to prove that your data processing is GDPR-compliant.
- You process only such personal information as is necessary for the given, predefined, specific purpose (for example, the job selection process).
- When two companies share a registration in Teamio, these two companies are considered joint administrators in terms of GDPR. They must decide among themselves which of them is responsible for which part of data processing, especially in connection with the exercising of data subjects’ rights.
The Data Processor
I.e. Teamio/LMC. They process applicants’ personal data for employers (administrators).
The Processor is responsible for:
- Managing the platform that enables you to process applicant information.
- We process this data based on your instructions and on a contract with you as its administrator.
- We take into account the nature of applicant-data processing by utilizing suitable technical and organizational measures to ensure that our data processing complies with GDPR requirements and ensures the protection of applicants’ rights.
- We ensure that, on the processor’s side, applicant data is processed solely by persons bound by a non-disclosure agreement.
- We provide the cooperation needed to ensure the adequate processing of personal information by the administrator.
Data Subjects
The applicants are the “data subjects” because we can (in)directly identify them using their personal information.
Personal information
Information connected with a data subject. This might be their name, email, telephone number, CV, notes, labels, or recorded actions.
Data Processing
Actions performed on personal information by the administrator or processor; these are fully or partly automated (collection, recording, organizing, storing, and deleting).
GDPR – evolution, not a revolution
“The GDPR does introduce some changes, but all of those are perfectly understandable and necessary, given the current circumstances. Teamio is more than ready for the GDPR, so there is nothing to be worried about.”
Product changes
All the changes are valid for Free, Easy and Smart edition.
New personal data processing regimes
We have introduced a new response form (pictured below) that complies with information obligation and includes a voluntary consent.
A new notice
We have added a notice containing information on purpose of data processing, data controller, data processor, an HR company, or a request on the processing of the data outside the EU into our response form.
Two separate personal data processing regimes
Processing of personal data based on a purpose, in this case a response to a job vacancy. This purpose is valid for a maximum period of 6 months. During this period, you can include the applicant in the selection procedure for the vacancy they applied for or offer them another relevant job. We will also let the applicants know how their data are going to be processed for you. Our lawyers have already approved the wording of the notice that will be included in the ads.
Processing of personal data based on a voluntary consent, above the scope of processing for the recruitment purposes. This will allow you to process personal data of your applicants for 3 years. The new consent forms have already been polished by our lawyers and we are now testing them directly with the applicants.
Illustration picture
We will adjust the wording of the notice on the purpose of data processing (information obligation)
First Level (displayed in full on the answer form)
For the purpose of the selection procedure for this position, [name, ID No., and registered office acc. to Commercial Register], as the controller, shall process the data you provided (or publicly obtained) in accordance with the General Data Protection Regulation (EU) 2016/679. The controller will assign the data processing to LMC s.r.o., ID No. 264 41 381, which will do so using its electronic systems. [The data may be transferred outside the EU] [see more]
Second Level (after clicking in the modal or similar)
By replying to this advertisement, you provide the controller with your personal data for the purposes and the duration of the selection procedure. In connection with processing your data, you have the respective right: (i) to access the data, (ii) to correct or complete inaccurate or false data, (iii) to delete the data if it is no longer needed for the purposes for which it has been collected or processed, or if it has been collected illegally, (iv) to limit the data processing in special cases, (v) to transfer the data, (vi) to object to the data processing which will therefore be terminated, unless there are serious legitimate grounds for processing which outweigh your interests, rights, and freedoms, especially if the reason is an enforcement of legal claims, and (vii) to contact The Office for Personal Data Protection.
[Your data may be transferred to a non-EU employer which does not provide adequate data protection. The transfer is necessary for the purpose of the selection procedure under Art. 49 (1b) (EU) 2016/679]. Please ask your controller for further details on the data protection guarantees.
For more information on data processing by [name, ID No. and registered office according to Commercial Register] including potential recipients, contact the Data Protection Officer [●], e-mail: [●].
For more information on data processing by LMC s.r.o., ID No. 264 41 381, registered office at Jankovcova1569/2c, 170 00 Prague 7, contact the Data Protection Officer [●], e-mail: [●] or visit [link to LMC Privacy Policy].
We will adjust the wording of the voluntary consent for employers and Recruitment Agencies
New GDPR-compliant wording of consent to the processing of personal data has already been approved by our lawyers.
Consent for the employer
First Level (the user-friendly part; may be changed while preserving the meaning)
Second Level (after clicking in the modal or similar)
I wish to increase my chances of future employment and therefore, I hereby agree that [company name, ID No. and registered office acc. to the Commercial Register] further processes my personal data, even beyond the selection procedure for said job position, for the purpose of keeping my records and sending me similar job offers. I grant my consent for [●] years. I may withdraw my consent at any time. Your data will be disclosed to authorised employees of the company(-ies) only to the extent necessary for the processing purposes.
Consent for a Recruitment Agency
First Level (the user-friendly part; may be changed while preserving the meaning)
Second Level (after clicking in the modal or similar)
I hereby agree with processing of my personal data for the purpose of keeping my records and sending me job offers by the [company name, ID No. and registered office acc. to Commercial Register] recruitment agency. I grant my consent for 3 years from the day of granting the consent, or until such consent shall be withdrawn. The personal data shall be only disclosed to authorised personnel of the recruitment agency and to the employers which seek to fill the corresponding job positions; however, only to the extent necessary for processing purposes. I may withdraw my consent to personal data processing at any time.
We will mark “non-consenting” applicants and establish special rules for them
In Teamio, the “non-consenting” applicants will be recognizable right away. We are currently working on some changes to the Candidate’s profile and Agenda.
New filters will introduce the possibility of bulk processing.
You will still be able to offer a different suitable job to a “non-consenting” applicant within the scope of the recruitment process and the related purpose (with the assumption being that they are interested in working at your company).
All data of “non-consenting” applicants will be deleted irreversibly. When?
- After the vacancy has been archived (because that means the recruitment process is over).
- 6 months after the applicant’s response to the job posting.
Why 6 months after the applicant’s response?
We have established a six-month period as the appropriate amount of time for the given purpose (taking part in the selection process).
All users marked with the stop sign will be deleted – no more hidden data in Teamio
We have decided to take an important GDPR-related step and irreversibly delete all users marked with a red stop sign in the Easy and Smart subscription plans.
A red stop sign means that their consent to the processing of personal data, based on the Act no. 101/2000 Sb. (further referred to as “101 consent”), has expired. Unfortunately, stricter GDPR rules do not allow for us to keep them in the Teamio database.
What is the process going to be?
- First, we will deactivate all users marked with a stop sing over the next couple of days (you will no longer be able to use the “Extend consent” function).
- Then, we will gradually delete them.
The database clearing process will be divided in several stages, and the entire process will be completed before the 25th of May 2018.
We will analyze the existing “101” consents
We have analyzed the impact of the GDPR on personal data of the candidates who replied to job postings before the GDPR came into effect.
Our lawyers have confirmed the following:
- You can keep candidates with a valid “101” consent in your Teamio database after the GDPR comes into effect.
- Candidates whose “101” consent has expired (marked in Teamio with a red stop sign) will be soon deleted from Teamio database.
We will adjust the wording of General Terms and Conditions (T&Cs)
We have created a new, GDPR-compliant version of the General Terms and Conditions.
We have already e-mailed them to you on the 24th of April 2018 to give you enough time to read them and familiarize yourselves with them.
For our existing customers, such as yourself, these will come into effect on the 25th of May 2018.
You can find and read them here:
We are also working on new contracts and contract addendums (both online and in printed form).
How did the contracts work up until now?
There is a contract between us and your company that was made when you purchased our services and accepted our Terms and Conditions. According to article 10 of the T&Cs, the contract was concluded the moment we started providing the services that you purchased.
After we introduce our new Terms and Conditions containing a section on personal data protection, your can simply accept them online – that will be completely sufficient.
We will keep you posted and notify you in good time.
Changes in the export of received replies
Do you use the Export received replies feature in Teamio? If you do, we have a favor to ask you.
Please send the following documents to your IT/ATS provider:
We recommend making the export changes as soon as possible, on the 25th of May 2018 at the latest.
If you run into any issues with settings, please contact our product manager Aleš Prágr at +420 723 060 255 or via e-mail at ales.pragr@lmc.eu
Active new features
We have added a couple of handy features into Teamio to make your life with GDPR easier.
27/03/2018
We have marked the applicants whose “101” consent to processing of personal data has expired with a red stop sign and we will delete them for you.
19/04/2018
A red exclamation mark sign will allow you to see the applicants whose consent is about to expire. We will notify you 2 months in advance to make sure you have enough time to send them a request to extend their consent.
27/04/2018
When you assign a candidate from the CV database to a certain job, we will remind you that you need to obtain their voluntary consent to processing of personal data. Otherwise, they will stay in Teamio database for 6 months before we automatically delete them.
27/04/2018
With the revamped Agenda, you can see the number of candidates in a company whose consent is about to expire at a glance. You can also send a mass consent request.
14/05/2018
Every time you send a request to extend their consent to a candidate they will now see a new, GDPR-compliant form.
You can also send a mass request to extend consent.
20/05/2018
Inbox and manual input are now both GDPR-compliant. Candidates who will be added to Teamio using one of these two methods will stay in the database for 6 months.
24/05/2018
An important milestone! Consent forms and notices included in the job adverts and the whole Teamio are now GDPR-compliant.
Coming soon
June
Filter candidates who already received a consent request but have not responded to it yet.
Training
Capacity has been filled
20 February 2018
Praha
Royal Theatre
Vinohradská 2165/48, Praha 2
Capacity has been filled
13 March 2018
Praha
Royal Theatre
Vinohradská 2165/48, Praha 2
Capacity has been filled
21 March 2018
Brno
FAQ
For how long can I keep a candidate in Teamio?
The amount of time is always limited.
A candidate who has not provided you with a voluntary consent can stay in the Teamio database for a maximum period of 6 months. They will then be automatically deleted after the job posting has been archived, or after 6 months have passed.
A candidate who has provided you with a voluntary consent (beyond the scope of the recruitment process) can stay in your database for to 3 years.
Plus, you will always know when a candidate’s consent to the processing of personal data is about to expire – we will notify you 2 months in advance.
How can I tell that the candidate has provided our company with a voluntary consent?
As long as the candidate remains in your Teamio database, you can always prove whether they have consented to personal data processing and find the text of their consent. One of the places you can find it is the candidate’s profile. Just go into Activity history – First activity details.
If you are using our paid Vacancy Export service, you will receive the text of the consent with each candidate automatically.
I unlock CVs from the Jobs.cz database and sometimes I assign candidates to vacancies right away – how does consent work for these candidates?
You can unlock data at will. The candidates who want to be in the database have agreed to their data being accessible for 1 month when they published their profile.
When you assign a candidate to a vacancy, Teamio will notify you that unless you obtain the candidate’s voluntary consent to processing of personal data (valid for 3 years), the candidate will only remain in Teamio database for 6 months. After that, they will be automatically deleted.
What about consent of the candidates who are added to Teamio by HR companies?
When you receive a candidate from an HR company or a headhunter via our module, you can keep the candidate in Teamio database for 6 months on the basis of a purpose.
That is because the candidate has given the external recruiter (HR company) the following permission to forward their data:
“Personal data will be only made available to authorized employees of the HR company and to employers whose job postings match the type of job I am looking for. The data shall be provided only within the scope necessary for their processing.” – source
If you would like to keep the candidate in your database for more than 6 months, use Teamio to ask them to provide you with their voluntary consent for 3 years.
How can I ask candidates for their consent when I add them to the Teamio database manually?
After manually adding the candidate, ask them to extend their consent. They will receive an e-mail asking them to respond to your request.
If the candidate does not confirm your request, their data will be automatically deleted after 6 months.
Getting additional confirmation of consent to processing of personal data is not mandatory since the employer can obtain the candidate’s consent before adding their data to the Teamio database.
A candidate wants to exercise their right to be forgotten. How can I delete them from Teamio?
You can delete a candidate in Candidate search results or via the Candidate’s profile in every version of Teamio.
This way, you will completely delete a candidate from Teamio, including all related data like notes or tags. The candidate will no longer be in your database and they will also disappear from all vacancies connected to them.
Sometimes, the candidates may ask for a proof of being forgotten. Jan Svoboda (DPO) comments on the issue:
According to our knowledge, the Office for Personal Data Protection has repeatedly acknowledged that a simple statement, such as “Your personal data have been deleted and are no longer stored in our systems”, is enough proof. If there was a record of the deletion, it would mean that the deletion was, in fact, incomplete, and that the data controller is still processing some personal data of the person in question. However, in time, keeping some sort of a log that will retain basic data (such as name, e-mail address, date of consent to processing of personal data, date of deletion of personal data) might very well become necessary.
Looking for a security audit resources? You can find information on data centers, backups, and monitoring by navigating to Security and technical specifications page.
Didn’t find the answer to your question?
Ask Honza, our specialist on personal data protection.
Jan Svoboda
Data Protection Officer