Please note: This article describes how to configure GDPR settings in AviaHire to support your company’s compliance needs. For help determining which configuration settings are best for your business, it is best to consult legal counsel.


AviaHire is committed to providing flexible tools to allow our customers to configure our GDPR features to best meet their compliance needs. If the GDPR does not apply to you, then no need to set anything up! This article shows how to configure AviaHire to support GDPR compliance by:


  • Collecting upfront consent from candidates when they apply & providing notice of processing activities
  • Setting how long you want to keep candidate data
  • Surfacing consent status on the candidate profile
  • Choosing to rely on legitimate interest instead of consent


Once set up, you'll be collecting consent from candidate, and will be able to:


  • Filter your candidates list by GDPR status
  • Reach out to existing or sourced candidates to get consent
  • View candidates consent status on their profile
  • Provide a notice of cookies on your AviaHire hosted job site 


Configuration


All of these are configured through one tab in AviaHire. To set up your account for GDPR compliance, start by navigating to the Company Settings page:


Click on the "GDPR Compliance" tab to be brought to the General Data Protection Regulation section. 


1. Who is protected?



First, you’ll need to specify which candidates to apply GDPR protections to. Your three options are:


  • Only candidates located in the EU
  • Candidates located in the EU and unknown locations
  • All candidates (regardless of their current location)


For GDPR purposes, AviaHire uses IP address geo-locating to determine where candidates are when they submit their application. This information is then used to determine if they are in the EU, and apply your settings accordingly. Candidates that do not apply through a job posting (i.e. are sourced, referred, or manually added) likely will not have a location set on their profile, and anyone with access to the profile will be able to set this value on the candidate profile itself.


Tip: If no location is detected, they’ll fall into the “Unknown locations” category. You may want to reach out to these candidates to explicitly get consent to process their data


Once you’ve set who the GDPR protections apply to, you’re ready to define what those protections actually are.


2. How do I set my lawful basis to process candidate data?


The GDPR requires that companies have a 'lawful basis' to process an individual's data. Within the context of AviaHire, that could be either explicit consent, or legitimate interest. Once your organization has determined which lawful basis you'll rely on, all you need to do is select the appropriate option:



Depending on your selection, navigate to the correct section below to complete setup.


Legitimate interest


Your legal team may have decided to rely on legitimate interest instead of consent. If that's the case, you'll want to select "Rely on legitimate interest" under "Lawful basis":



Once that's done, you'll need to determine how long your 'legitimate interest' lasts for. This represents the amount of time after a candidate becomes inactive. Once legitimate interest for a candidate expires, you'll be prompted to anonymize or delete their data.


After you set the expiration period, the last thing is to add in your privacy policy that will appear on your postings. The link will appear as a link just above the "Submit Application" button. For further guidance, here’s a helpful article about Privacy policies under the GDPR.


Please note: Make sure to include the https:// before your link!



Please note: This privacy policy will also be added as a link on the 'consent link' page candidates are brought to. More here 


Now you're all set! If relying on legitimate interest, you do not need to complete the remaining steps.


Collecting consent


This setting determines how long the consent you gather from candidates lasts for:


This time starts the moment the candidate provides consent, and ends when your set timeframe expires. The text to the right of the consent checkbox on the posting’s application page will display the timeframe:



If a candidate applies when you have AviaHire set to store consent for a specific timeframe, changing your settings will not impact the retention time for that candidate. Any settings changes will not retroactively update candidates who have already given their consent.


Please note: If you use AviaHire's Postings API to power a custom jobs site, you can submit candidate consent using the 'consent' and 'ip' fields. See our Postings API documentation for more information.  


 Adding a privacy policy when collecting consent:


Next, you’ll be prompted to add the URL for your privacy policy that will serve as notice of your processing activities. It will appear directly under the checkbox asking for consent. For further guidance, here’s a helpful article about Privacy policies under the GDPR.



 


Please note: This privacy policy will also be added as a link on the 'consent link' page candidates are brought to. More here


Here’s a screenshot of what your job posting applications will look like once you’ve set your consent timeframe and privacy policy link:


GDPR_Project_1.3.png


Keeping data after consent expires:



If you are collecting consent, it’s time to set the data retention timeframe. This can be a bit confusing as it is different from the consent timeframe. Once a candidate’s consent timeframe lapses, or they are archived, the GDPR mandates that you can only keep the data if you have a valid legal or business reason.


If your organization determines that you do have a valid reason to preserve the data after the consent period has lapsed, you’ll need to determine how long you will keep the data and enter that into your GDPR configuration settings.


Under “Data retention”, simply click into the “Additional retention period” dropdown, and select one of the options. At the end of this timeframe, the candidate