FAQ on GDPR
At HireTeamMate, Inc. dba hireEZ ("hireEZ"), we believe personal information is important, valuable, and private to its owner ("data subject"). hireEZ is committed to taking serious policy and technical measures to protect the data of our customers and the individuals involved.
As hireEZ builds products that may involve the processing of personal information, we are keenly aware of our obligations with respect to data subjects' rights to privacy and security. We have put in place a process to respond to data subject requests to exercise their rights under various privacy laws, including the General Data Protection Regulation (GDPR). (For the purpose of this FAQ, "GDPR" references both EU GDPR and UK GDPR.) In addition, hireEZ adheres to the EU-US Data Privacy Framework and the UK Extension set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and the United Kingdom. We also rely on alternative measures to safeguard transferred data such as standard contractual clauses. hireEZ is committed to GDPR compliance.
Last Update: February 02, 2024
Overview of GDPR
GDPR demands that data controllers and processors provide greater transparency to EU and UK residents about how their personal data is lawfully, fairly, and transparently collected and processed. This means companies in and outside of the EU and UK that handle personal data of EU and UK residents must make sure they comply with GDPR when processing this personal data. Entities may face harsh penalties for violations of GDPR obligations.
Who does GDPR apply to?
GDPR applies to both controllers and processors of personal information. The data controller determines the purpose and means of processing personal data of EU and UK natural persons, who are called "data subjects", while the processor processes personal data on behalf of the controller.
How does GDPR apply to hireEZ?
hireEZ is primarily a "data processor" and in limited situations a "data controller" under GDPR, and is responsible for meeting its GDPR obligations under each role.
hireEZ as a Data Processor
hireEZ is primarily a "Data Processor" as to its customers. Through hireEZ's Candidate Relationship Management ("CRM") platform, customers can upload, or through application integrations, export their job applicants' personal data to hireEZ to process, manage and maintain that data in one centralized platform.
When we receive and process a customer's personal data, which includes their users' personal data (such as name and email) and job applicants' personal data (such as resumes containing personal information), hireEZ is a Processor for that customer. hireEZ will only process that customer's personal data strictly in accordance with such customer's instructions and under obligations assigned to Processors under GDPR.
hireEZ as a Data Controller
When we (i) collect passive candidate information from various data sources and provide our customers with access to such information in our proprietary Talent Database, and (ii) engage in marketing our products to customers and potential customers, we act in the role of a controller.
What personal data does hireEZ collect?
As a Data Controller, to build and maintain its Talent Database hireEZ collects the following data about passive candidates:
Estimated Location (City and Country)
Social media profile picture
Social media profile links
As a Data Processor, hireEZ may also process this data on behalf of its customers. Personal Data processed by hireEZ as a Data Processor is not used to build and maintain its Talent Database.
What rights do data subjects have under GDPR?
Data subjects' rights under GDPR include the following:
Right to Data Portability - the right to receive data from a controller in a commonly used and machine-readable format and transmit such data to a new data controller.
Right to be Forgotten - the right to have one's personal data erased or removed if, among other possible reasons, there is no compelling reason for its continued processing.
Right to Restrict Processing - the right to block or suppress processing of personal data.
Right to Information Regarding Processing - the right to receive information that explains how a data subject's personal data are to be used and for what purposes.
Right to Rectification - the right to have inaccurate personal data corrected and/or incomplete personal data completed.
Right of Access - the right to access their personal data.
Right to Object - the right to object to the use of personal information in certain circumstances including profiling and marketing unless the data controller has compelling legitimate grounds.
Right not to be subject to automatic decision making or profiling if it would produce legal effects or significantly affect the data subject - the right safeguards against potentially damaging decisions taken without human intervention.
hireEZ's efforts to comply with GDPR
GDPR Article 5 requires that personal data may only be collected "for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes." hireEZ and our customers, as data controllers, will therefore need to pay extra attention to what personal data is being stored and why. Both hireEZ and our customers will not store personal data that is not necessary or justifiable for that purpose, or use it for other purposes. In order to comply with GDPR, hireEZ has instituted the following:
hireEZ appointed a Data Protection Officer (DPO), who is properly and timely involved in all issues related to the protection of personal data and reports to the highest management at hireEZ.
hireEZ sends out notices to data subjects informing them of their rights under GDPR and how they can exercise them through channels created by hireEZ.
hireEZ provides a portal on our website where data subjects can submit requests to exercise their rights with respect to their data, such as access, removal, and correction.
hireEZ enters into Data Processing Agreements with customers and data suppliers to contractually safeguard data processing activities.
hireEZ undergoes Data Protection Impact Assessments (DPIA) whenever there is a substantial change to our processing activities.
hireEZ has undergone a legal basis analysis, and reviews it whenever there is a major process change.
hireEZ appointed TRUSTe LLC, a subsidiary of TrustArc, to conduct an independent audit of our data protection practices against GDPR requirements. For more information on our TrustArc GDPR validation, please click here.
hireEZ's ongoing commitment to data protection
Data security is a major component of GDPR compliance. As part of our continuous efforts, we have implemented the following organizational measures to secure and protect the data of candidates and customers:
hireEZ's data protection and security policies set out the technical and organizational measures hireEZ deploys to keep personal data secure based on the nature of the data we process and reasonably foreseeable threats. We review these policies regularly.
hireEZ is certified as compliant with the ISO/IEC 27001 standard, which sets out the requirements for an information security management system (ISMS). The ISO/IEC 27001 audit evaluates the ISMS supporting the assets, technologies and processes employed by hireEZ for processing, management, and delivery of services to our customers.
hireEZ uses Amazon Web Services (AWS) for platform hosting. AWS is ISO/IEC 27018 certified and has a system of controls in place that specifically address the protection of hireEZ's data. ISO/IEC 27018 established commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
hireEZ is SOC 2 certified. SOC 2 is an auditing procedure that ensures hireEZ securely manages data to protect the interests and privacy of customers.
hireEZ continuously evaluates and improves its internal and external system security for data protection with practices that include performing regular penetration testing and vulnerability scanning, improving the security of data processing, and reviewing and tightening endpoint security on hireEZ devices and platforms.
hireEZ has policies and practices in place to improve our real-time ability to prevent, identify, and investigate security incidents.
All hireEZ employees undergo annual security training.
hireEZ is committed to GDPR compliance. Part of that commitment is providing tools that make it easier and more efficient for our customers to manage their compliance with privacy directives and legislation such as GDPR.
Please note that the information in this FAQ is not legal advice. hireEZ recommends that our customers seek their own advice from legal counsel with respect to GDPR.
hireEZ is happy to discuss with our customers questions about our compliance with applicable data privacy laws, including GDPR. Customers can reach out to their account manager or contact hireEZ's privacy team at email@example.com with questions.
Learn more about hireEZ's TRUSTe GDPR Validation Letter.