FAQ on GDPR
At HireTeamMate, Inc. dba hireEZ (“HTM“), we believe personal information is important, valuable, and private to its owner (“data subject“). HTM is committed to taking serious policy and technical measures to protect data of our customers and the individuals involved.
As hireEZ builds advanced sourcing technology into our product in order to understand and serve customers better, we are keenly aware of our obligations with respect to data subjects’ rights to privacy and security. We have a mature process in place to respond to data subject requests to exercise their rights under privacy laws. In addition, hireEZ continues to honor the commitments of the EU-US Privacy Shield Framework set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. Although the Court of Justice of the European Union invalidated Privacy Shield as a transfer mechanism for EU personal information, discussions for a replacement are ongoing and we are actively monitoring developments related to cross-border transfers, as well as relying on alternative measures, such as standard contractual clauses, to safeguard transferred data.
Beyond the EU-US Privacy Shield Framework, with the General Data Protection Regulation (“GDPR“) having taken effect in 2018, our partners and customers can count on the fact that HTM is committed to GDPR compliance.
Overview of GDPR
In essence, GDPR requires data controllers and processors to be more transparent with E.U. residents about how their personal data is collected and processed, and to do so lawfully, fairly and transparently. This applies to companies both inside and outside the E.U.: any company that handles the personal data of E.U. residents must comply with GDPR when processing that data. Entities may face severe penalties for violations of their GDPR obligations.
Who does GDPR apply to?
GDPR applies to both controllers and processors of personal information. The data controller determines the purposes and means of processing the personal data of an E.U. natural person (the "data subject"), while the processor processes personal data on behalf of the controller.
Obligations of controllers and processors include implementing appropriate technical and organisational security measures, and ensuring that personal data, once collected, is used only for the specific purposes for which it was collected.
How does GDPR apply to hireEZ?
hireEZ is both a “data controller” and “data processor” under GDPR, and is responsible for meeting its GDPR obligations under each role.
HTM as a Data Controller: When we (i) collect candidate information (“Candidate Data”) and provide our customers with access to such information in our platform, and (ii) engage in marketing our platform to customers and potential customers, we act in the role of a controller.
HTM as a Data Processor: When we receive our customers’ data and process it on their behalf, we are a processor. Our customers give us information about their recruiting teams, and we are authorized to use it only as permitted by the customer. If an entity decides to no longer be a customer of ours, we lose the permission to use their information.
Our customers: When our customers use the hireEZ platform to source and process E.U. job candidates, our customers are also data controllers and are responsible for their own GDPR compliance.
What personal data does hireEZ collect?
As a Data Controller, hireEZ collects the following data from public sources about potential job candidates:
Social profile picture
Social profile links
As a Data Processor, hireEZ may process the same kinds of data on behalf of its customers, collected from the customers and at the customers' direction.
What rights do data subjects have under GDPR?
Data subjects' rights under GDPR include the following:
Right to Data Portability - the right to receive one’s personal data from a controller and transmit it to a new data controller, so that the data subject retains control of their personal data.
Right to be Forgotten - the right to have one’s personal data erased or removed if, among other possible reasons, there is no compelling reason for its continued processing.
Right to Restrict Processing - the right to block or suppress processing of personal data. If the personal data in question has been disclosed to third parties, they must be informed about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.
Right to Information Regarding Processing - the right to receive information that explains how a data subject’s personal data are to be used and for what purposes.
Right to Rectification - the right to have incomplete personal data corrected and/or completed.
Right of Access - the right to access their personal data so that they are aware of and can verify the lawfulness of the processing.
Right to Object - the right to object to the use of personal information in certain circumstances including profiling and marketing unless the data controller has compelling legitimate grounds.
Right not to be subject to automated decision-making or profiling that produces legal effects or similarly significantly affects the data subject - this right safeguards against potentially damaging decisions taken without human intervention.
hireEZ’s compliance with GDPR
GDPR requires that personal data "may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes". hireEZ and our customers, as data controllers, will therefore need to pay extra attention to what personal data is being stored - and why. Both hireEZ and our customers will not store personal data that is not necessary or justifiable for that purpose, or use it for other purposes. In order to comply with GDPR, hireEZ has instituted the following:
hireEZ appointed a Data Protection Officer (DPO), who is properly and timely involved in all issues related to the protection of personal data and reports to the highest management at hireEZ.
The hireEZ platform includes a "consent" mechanism to collect proper consent from data subjects when required. GDPR requires that consent be freely given, specific, informed, unambiguous and given via a clear affirmative action. Pre-ticked checkboxes, silence or inactivity, and "implied consent" do not meet these requirements. In addition, users are informed that consent can be withdrawn at any time.
hireEZ provides a portal on our website where data subjects can submit requests to exercise their rights with respect to their data, such as access, removal, and correction.
hireEZ documents the locations where personal data flowing to and from the E.U. is located, processed, stored, or transmitted.
hireEZ has undergone a Data Protection Impact Assessment (DPIA), and reviews it annually.
hireEZ has enhanced its ability to identify and report data breaches. When hireEZ acts as a controller, GDPR requires us to report a personal data breach to the supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of it; when hireEZ acts as a processor, we notify the affected controller without undue delay after becoming aware of a breach.
Under GDPR, a transfer of personal data to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection (an "adequacy decision"). Where no adequacy decision applies, hireEZ puts appropriate legal safeguards in place, such as entering into the most current standard contractual clauses adopted by the Commission, when it transfers E.U. personal data to the U.S.
hireEZ's ongoing commitment to data protection
In addition to the GDPR compliance actions above, hireEZ has taken many steps to both comply with GDPR and maintain the privacy and security of its users’, customers’ and partners’ data. As part of our continuous efforts, we have implemented the following organizational measures:
hireEZ’s data protection policy sets out the technical and organisational measures hireEZ employs to keep personal data secure, based on the nature of the data we process and reasonably foreseeable threats. We review this policy regularly.
hireEZ follows the ISO/IEC 27001 standard, which sets out the requirements for an information security management system (ISMS). An ISMS manages sensitive company information so that it remains secure; it covers people, processes and IT systems by applying a risk management process.
hireEZ follows the ISO/IEC 27018 standard. ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In addition, hireEZ uses Amazon Web Services (AWS) for platform hosting. AWS is ISO/IEC 27018 certified and has a system of controls in place that specifically address the protection of hireEZ's data.
hireEZ has obtained a SOC 2 report. SOC 2 is an attestation framework developed by the AICPA under which an independent auditor examines whether hireEZ securely manages data to protect the interests and privacy of its customers.
hireEZ continuously evaluates and improves its internal and external system security for data protection, with practices that include performing regular penetration testing and vulnerability scanning, improving the security of data processing, and reviewing and tightening endpoint security on hireEZ devices and platforms.
hireEZ has policies and practices in place to improve our real-time ability to prevent, identify, and investigate security incidents.
All hireEZ employees undergo annual GDPR compliance training.
hireEZ is committed to GDPR compliance. Part of that commitment is providing tools that make it easier and more efficient for our customers to manage their compliance with privacy directives and legislation such as GDPR.
Please note that the information in this FAQ is not legal advice. hireEZ recommends that our customers seek their own advice from legal counsel with respect to GDPR.
hireEZ is happy to discuss with our customers questions about our compliance with applicable data privacy laws, including GDPR. Customers can reach out to their account manager or contact hireEZ's DPO at firstname.lastname@example.org with questions.