How is Lever supporting our customers’ GDPR compliance efforts?


In an increasingly digital age, the General Data Protection Regulation (GDPR) gives EU residents more control over their personal data. The GDPR is a comprehensive privacy framework that affects any company that does business in the EU. What does that mean for hiring? If you collect personal data from candidates who reside in the EU, the GDPR applies to you.

Lever is committed to, and actively preparing to support, our customers’ compliance with the GDPR when enforcement begins on May 25, 2018. Below we address the key areas of the GDPR and Lever’s plans to help our customers achieve compliance.

To best understand your role and Lever’s role under the GDPR, it’s critical to first understand three key terms as they relate to hiring: data subjects, data controllers, and data processors. The data subjects are candidates and your employees residing in the EU using the Lever application. As the company deciding the purposes for which you need to collect personal data from data subjects and how to collect it, you are the data controller. Lever is a processor because we process data on behalf of our customers.

Please note, all materials below have been prepared for general information purposes only. We provide the information below to help you learn more about Lever’s position on the GDPR and how we will be supporting your GDPR compliance. The information presented below is not legal advice.

With that in mind, here is how Lever will help its customers meet their new obligations under the GDPR.

Is Lever taking any steps to assist its customers with their GDPR compliance efforts?

Yes, absolutely. We’re currently adding various features to our product that will help customers with their GDPR compliance efforts. Among other things, these added features will assist customers in meeting their notice and consent obligations, and retention obligations.

As described in more detail below, some of the tools that Lever is adding will enable customers to:

  • Identify candidates in the database beyond the customer-specified retention period;
  • Quickly email candidates to refresh their consent;
  • Easily delete candidates who have not provided their consent;
  • Provide notice and/or add links to their Privacy Policy on the Lever services; and
  • Collect consent, where appropriate, from their candidates through the Lever services for different data processing activities.

Notice & Consent: How will Lever handle notice and/or consent for candidates?

Lever is committed to providing its customers with the tools to meet their notice and consent obligations. Under the GDPR, companies are required to provide notice to data subjects whenever they collect personal data from the data subject. In the notice, companies need to identify the lawful basis for processing personal data (see Article 6 of the GDPR).

As a processor, Lever does not and cannot determine the lawful basis for processing candidate data on behalf of its customers. Lever allows customers to customize the personal data they collect. Since customers decide what candidate data is collected, it is up to the customer to determine or seek legal advice regarding the lawful bases for processing a candidate’s personal data.

Depending on the purposes for processing, a company’s recruiting function may rely on a number of different lawful bases for processing personal data, including consent; performance of a contract or to take steps at the request of the candidate prior to entering into a contract; compliance with a legal obligation; or legitimate interests pursued by the customer.

How Lever will support compliance: We are currently adding features that will help customers manage their notice and consent obligations. Our services will be configured to allow our customers to provide notice and/or add links to their Privacy Policy, and to collect specific, unbundled consent, where appropriate, from their candidates through the Lever services for different data processing activities as relevant to their business (e.g., to process application data, to contact candidates for relevant future job opportunities that they did not explicitly apply for, etc.).

Individual Rights Requests: How will Lever help customers with candidates’ individual rights requests (e.g., rights to access, rectification, deletion, etc.)?

We recognize that many organizations are extremely concerned about data subjects’ increased individual rights under the GDPR. EU candidates will now have the right to know which personal data a company is processing about them; to restrict the processing of personal data; to correct incomplete or inaccurate personal data; to have their personal data deleted; to object to their data being used for certain purposes; or to receive their data in a format that they may share with another company.

Companies will need to be prepared to respond to and honor individual rights requests from candidates in a timely manner. As a processor, Lever’s role is to support customers responding to an individual rights request via appropriate technical and organizational measures.

How Lever will support compliance: Rest assured, Lever already has processes in place that permit customers to honor candidates’ requests to correct or delete their personal data, and we are streamlining this process to allow our customers to quickly and easily respond to a candidate’s deletion request. For other individual rights requests, Lever is able to and prepared to assist customers on a case-by-case basis to respond to candidates.

Although we are set up to work with our customers on the individual rights requests, we believe there is always room for improvement. Thus, we are working on and finalizing streamlining features to help our customers meet different types of individual rights requests that are commonly encountered in the recruiting world. Some of the features include opt-outs to help customers respond to the right to restriction and/or objection to processing.

Retention: How will Lever help customers meet retention requirements?

Under the GDPR, the general rule of thumb for keeping personal data is “no longer than is necessary for the purposes for which the personal data are processed.” As GDPR does not define specific maximums, it is the responsibility of the data controller to determine the appropriate time period for which to retain candidate data. Each customer’s retention schedule is unique because retention periods for personal data depend on a number of factors, including other legal obligations.

How Lever will support compliance: Lever is finalizing how to help its customers with meeting retention requirements. To help customers comply with this obligation, some of the tools Lever is building will enable customers to:

  • Identify candidates that have been in the database beyond the customer-specified retention period;
  • Quickly email candidates to refresh their consent; and
  • Easily delete candidates who have not provided their consent.


Lever now provides the ability to configure data retention periods by country. To learn more about this feature, refer to our help article on configuring data compliance settings.

Security: How will Lever help us securely process candidate data?

In accordance with Article 32 of the GDPR, controller companies are obligated to work with processors who can provide sufficient guarantees that they will implement the appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The GDPR lists some security measures to be considered, as appropriate, including:

  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

How Lever will support compliance: Lever was invested in ensuring the security of its customers’ data before the GDPR and will continue to be. Not only do our Data Processing Agreements (“DPAs”) contain contractual assurances on security, we are also SOC 2 compliant because we recognize the sensitive nature of the data we process on our customers’ behalf. We follow industry standards to safeguard our customers’ data in an evolving internet services landscape.

The American Institute of Certified Public Accountants (“AICPA”) has developed the Service Organization Controls (“SOC”) framework, a standard for controls that safeguard the confidentiality and privacy of information stored and processed in the cloud. SOC 2 compliance means Lever’s security is founded on five principles: Security; Availability; Processing Integrity; Confidentiality; and Privacy. All of these principles overlap with GDPR requirements. Lever’s services are audited annually for SOC 2 compliance by independent third-party auditors. The availability of our SOC 2 report is restricted to customers that have signed nondisclosure agreements (“NDAs”) with Lever.

International Transfers: How will Lever transfer personal data to countries outside of the EU?

Transfers of personal data outside of the European Economic Area (EEA) are not permitted under the GDPR if a country does not ensure an “adequate” level of data protection as determined by the European Commission. However, the GDPR allows companies in countries outside of the EEA that do not have adequate levels of data protection (like the U.S.) to transfer personal data as long as certain safeguards are in place. Such safeguards include Privacy Shield certification, Standard Contractual Clauses, Binding Corporate Rules, and approved Codes of Conduct or Certifications. Both the European Commission and the European Digital Single Market have been vocal in their support of free movement of EU personal data with adequate protection and safeguards.

How Lever will support compliance: Lever has relied, and will continue to rely, on the transfer mechanisms approved under the GDPR for the transfer of EU personal data outside of the EEA to jurisdictions without adequate levels of data protection. Where needed, Lever enters into Data Processing Agreements and Standard Contractual Clauses (aka Model Contracts) with customers who are seeking candidates in the EU. Additionally, Lever is certified under the EU-U.S. and Swiss-U.S. Privacy Shield framework.

Processing Record: How will Lever help us maintain a record of processing activities?

Finally, a critical measure of GDPR is that companies with more than 250 employees are required to maintain records of their processing activities (see Article 30). Companies must be able to provide this data upon request to a supervisory authority. Companies that recruit in spreadsheets and multiple tools may have a more difficult time maintaining a record of processing, thus increasing their GDPR compliance risk.

How Lever will support compliance: Lever’s application handles multiple recruiting processes in one place, which supports your company’s ability to provide an easy record for your recruiting processing activities. Instead of multiple tools in multiple places, Lever is uniquely positioned to help you easily maintain your records of processing activities. For example, Lever provides:

  • Lever Nurture: Lever is the only ATS with built-in sourcing automation so your sourcing outreach and analytics can live with the rest of your recruiting processing activities in one system of record.
  • Dedicated leads pipeline: Lever eliminates the need for tracking sourced candidates in spreadsheets with dedicated workflows for managing your passive candidates.
  • Automatic two-way email sync: Any emails anyone on your team sends to a candidate through Gmail or Microsoft Office 365 can sync in Lever without having to manually bcc an email address.
  • Deep calendar integrations: Customers can manage 100 percent of their scheduling from within Lever with our native scheduling tools, Easy Book and Availability Finder.


As a premium applicant tracking system (“ATS”) with global customers, data security and compliance are a top priority at Lever. If you are a customer with questions around GDPR, please reach out to our support team. If you are seeking an ATS to help support your compliance efforts by the deadline on May 25, 2018, please submit a demo request and we will be happy to address your questions.
