| Available for | |
| --- | --- |
| Roles | Super Admin |
| Permissions | Manage company settings |
| Packages | Lever Basic, LeverTRM, LeverTRM for Enterprise |
This article will walk you through the steps for configuring GDPR in your Lever environment to support your organization’s data compliance procedures. We advise consulting legal counsel to help determine which configuration settings are best for your organization.
GDPR overview
General Data Protection Regulation (GDPR) is a data protection and privacy regulation that applies to European Union (EU) countries. To maintain compliance with GDPR for roles for which you hire in the EU, Lever allows you to configure settings related to data handling, including:
- Capturing candidates' consent for data collection when they apply for jobs and notifying them of processing activities
- Defining retention periods for candidate data
- Surfacing candidates' consent status on their profile
- Using legitimate interest as a lawful basis for data handling in place of consent
Configuring GDPR settings
To configure GDPR settings in your Lever environment:
- Navigate to Settings > Company > Compliance and scroll to the 'General Data Protection Regulation' heading
- Click the Set up GDPR button
- If you have already set up GDPR and are returning to change your existing configuration, click the Edit configuration button on the GDPR tile.
Note: If you have any country-specific data compliance configurations enabled in your 'Data compliance' settings when you set up GDPR, those configurations are automatically disabled once GDPR is enabled. To learn more, refer to our help article on understanding the difference between Data compliance and GDPR settings.
In the GDPR editor, configure the following fields:
Who does it apply to?
Define which candidates are protected by GDPR. Select from the following options:
- Only candidates and jobs located in the EU
- Candidates and jobs located in the EU & unknown locations
- All candidates (regardless of their current location)
For GDPR purposes, Lever uses IP address geolocation to determine where candidates are when they submit their application. Depending on the candidate's location, this information is then used to determine if GDPR should be applied. Candidates who do not apply through a job posting (i.e., candidates that are sourced, referred, or manually added) likely will not have a location set on their profile. If this is the case, anyone with access to the profile can set the location value for the candidate. If Lever does not detect a location for the candidate, their location value will be recorded as "Unknown location." Depending on the candidates you have defined as protected by GDPR, you may want to reach out directly to candidates with unknown locations to get explicit consent to process their data.
Lawful basis
GDPR requires that your organization have a lawful basis to process candidates' data. You always have a legitimate interest in processing candidates' data in the active part of your pipeline. For archived candidates, you must specify the lawful basis for handling their data. Select from the following lawful basis options for handling archived candidate data:
- Use candidate consent - candidates must explicitly consent to your organization's processing of their data
- Rely on legitimate interest - your organization's legal counsel has determined that you have a legitimate interest in storing archived candidate data without their consent
For each option, you must define the point at which consent or legitimate interest expires. You can also include a link to your organization's privacy policy when determining the lawful basis. This link will appear to candidates above the 'Submit Application' button on the application form.
[Image: preview of how the consent prompt and privacy policy link appear on the application form when candidate consent is the lawful basis.]
Candidate consent
If you use candidate consent as your lawful basis, owners of opportunities associated with candidates whose consent is about to expire will receive a reminder one month before the expiration date to refresh consent. Note that changes made to the consent timeframe after a candidate has applied to a job will not be reflected retroactively. For example, if you were to define a consent timeframe of 2 years and then later change the timeframe to 1 year, the consent of candidates that applied before the change was made would still have an expiry date of 2 years from their time of application.
Note: If you use Lever's Postings API to power a custom job site, you can submit candidate consent using the 'consent' and 'ip' fields. For more information, refer to our Postings API documentation.
If your organization needs to retain candidates' personal information for an additional period beyond consent expiration, you can configure this by selecting a time period from the 'Additional retention period' menu.
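The consent lifecycle described in this section (expiry fixed at application time, the one-month refresh reminder, the additional retention period, and the fact that a later change to the consent timeframe is not applied retroactively) is easier to reason about as a small model. The following is an added example written for this article, not Lever's own code or data model; the month arithmetic, the `GdprConfig` and `ConsentRecord` shapes, the 30-day reading of "one month", and the action labels are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class GdprConfig:
    """Assumed shape of the two settings the section describes (values in months)."""
    consent_months: int              # how long consent lasts after the application
    extra_retention_months: int = 0  # the 'Additional retention period' setting


@dataclass
class ConsentRecord:
    candidate: str
    applied_on: date
    consent_expires: date   # computed once, from the config in force at application time
    retention_ends: date    # consent expiry plus the additional retention period


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to the target month's length."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    next_first = date(year + month // 12, month % 12 + 1, 1)
    last_day = (next_first - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def record_consent(candidate: str, applied_on: date, config: GdprConfig) -> ConsentRecord:
    """Snapshot the expiry dates now; later config changes must not touch this record."""
    expires = add_months(applied_on, config.consent_months)
    return ConsentRecord(candidate, applied_on, expires,
                         add_months(expires, config.extra_retention_months))


def needs_refresh_reminder(rec: ConsentRecord, today: date, lead_days: int = 30) -> bool:
    """Opportunity owner reminder inside the last month before consent expires (30 days assumed)."""
    return rec.consent_expires - timedelta(days=lead_days) <= today < rec.consent_expires


def retention_action(rec: ConsentRecord, today: date) -> str:
    """What the retention policy says to do with the record on a given day."""
    if today < rec.consent_expires:
        return "retain"
    if today < rec.retention_ends:
        return "retain-additional-period"
    return "anonymize"


def demo() -> dict:
    """Constructed scenario: a 2-year timeframe is later shortened to 1 year."""
    old_cfg = GdprConfig(consent_months=24, extra_retention_months=6)
    first = record_consent("candidate-1", date(2024, 1, 15), old_cfg)

    new_cfg = GdprConfig(consent_months=12, extra_retention_months=6)  # timeframe changed
    second = record_consent("candidate-2", date(2024, 6, 1), new_cfg)

    return {
        "first_expiry": first.consent_expires.isoformat(),          # 2 years from application
        "first_retention_ends": first.retention_ends.isoformat(),   # plus 6 months
        "second_expiry": second.consent_expires.isoformat(),        # 1 year from application
        "first_expiry_after_change": first.consent_expires.isoformat(),  # unchanged
        "reminder_2025_12_20": needs_refresh_reminder(first, date(2025, 12, 20)),
        "reminder_2025_12_01": needs_refresh_reminder(first, date(2025, 12, 1)),
        "action_2026_03_01": retention_action(first, date(2026, 3, 1)),
        "action_2026_08_01": retention_action(first, date(2026, 8, 1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the expiry is stored on the record at application time rather than recomputed from the current setting, which is exactly why shortening the timeframe afterwards leaves earlier applicants with their original expiry date.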
Legitimate interest
If you use legitimate interest as your lawful basis, owners of opportunities associated with candidates whose interest has expired will receive a reminder to anonymize the candidates' data.
Anonymized candidates
Configure the degree of anonymization that you want Lever to apply to candidates' email addresses by selecting one of the following options:
- Store a hashed value of the anonymized candidate's email address
- Do not store a hashed value of the anonymized candidate's email address
Selecting the option not to store a candidate's email address as a hashed value will result in the complete and permanent deletion of candidates' email addresses when anonymized. Storing a candidate's email as a hashed value keeps the candidate's email on file in an unreadable format. It will only resurface if a new opportunity is created with the same email address associated with a candidate who previously requested the deletion of their data. For a detailed breakdown, refer to our help article on anonymizing opportunities.
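To show what the two anonymization options keep and why a hashed value can still match a future application without exposing the address, here is an added example; it is not Lever's implementation, and the page does not say how Lever hashes addresses. This example uses a keyed hash (HMAC-SHA256) with a constructed demo key, normalizes the address before hashing, and models the "do not store" option as keeping nothing at all. Class and function names, the key, and the sample candidate are assumptions.

```python
import hashlib
import hmac
import unicodedata
from typing import Optional

# Constructed demo key. In a real deployment the key would live in a secrets
# manager separate from the candidate database, so a copy of the database alone
# does not let someone test guessed addresses against the stored values.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def normalize_email(address: str) -> str:
    """Canonicalize so that case and surrounding whitespace do not break the match."""
    return unicodedata.normalize("NFKC", address).strip().lower()


def email_fingerprint(address: str, key: bytes) -> str:
    """Keyed hash of the normalized address. Unlike a bare SHA-256 of the address,
    it cannot be recomputed from a guessed address by anyone who lacks the key."""
    digest = hmac.new(key, normalize_email(address).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()


class AnonymizedCandidates:
    """Holds only what survives anonymization under the chosen option."""

    def __init__(self, key: bytes, store_hash: bool) -> None:
        self.key = key
        self.store_hash = store_hash
        self._fingerprints: dict = {}  # fingerprint -> date the data was anonymized

    def anonymize(self, candidate: dict, anonymized_on: str) -> dict:
        """Scrub identifying fields; keep the fingerprint (never the address) if enabled."""
        if self.store_hash:
            self._fingerprints[email_fingerprint(candidate["email"], self.key)] = anonymized_on
        scrubbed = {k: (None if k in ("name", "email", "phone") else v)
                    for k, v in candidate.items()}
        scrubbed["anonymized"] = True
        return scrubbed

    def prior_deletion(self, email: str) -> Optional[str]:
        """On a new opportunity: when this address was previously anonymized, or None."""
        return self._fingerprints.get(email_fingerprint(email, self.key))

    def stored_values(self) -> list:
        """Everything retained about anonymized addresses (for auditing the store)."""
        return list(self._fingerprints)


if __name__ == "__main__":
    # Constructed sample candidate
    registry = AnonymizedCandidates(DEMO_KEY, store_hash=True)
    registry.anonymize({"id": "opp-1", "name": "Jane Doe",
                        "email": "Jane.Doe@Example.com"}, "2025-03-01")
    print("new application from jane.doe@example.com:",
          registry.prior_deletion("jane.doe@example.com"))   # 2025-03-01
    print("retained values:", registry.stored_values())       # one hex digest, no address
```

Two practical checks follow from the model: audit that the retained store contains only digests (never an address), and treat the hashing key as a secret, because an unkeyed hash of a short, guessable value like an email address offers little protection against someone who can hash candidate addresses themselves.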
Additional Information
If a candidate applies for an opportunity that is subject to GDPR and later applies for a new opportunity that is not, the GDPR status from the original opportunity carries over to the new one. Once carried over, the GDPR status is not removed from the new opportunity even if the original opportunity is later deleted or anonymized.
This rule applies only when the candidate applies to the new posting (not subject to GDPR) while the original opportunity (subject to GDPR) is still active. If the original opportunity is deleted or anonymized before the new opportunity is created, GDPR does not retroactively apply to the new opportunity, provided the new opportunity does not itself meet the GDPR criteria. The GDPR status also cannot be transferred if the candidate has already been deleted.
Example 1 - GDPR does not carry over to the new opportunity:
1. A candidate applies to Posting 1. The candidate and/or posting is subject to GDPR based on your company's GDPR configuration.
2. Opportunity 1 is created.
3. Opportunity 1 is deleted or anonymized.
4. The candidate applies to Posting 2. The candidate and/or posting are NOT subject to GDPR based on your company's GDPR configuration.
5. A new opportunity is created. GDPR does not apply to this opportunity.
Example 2 - GDPR carries over to a new opportunity:
1. A candidate applies to Posting 1. The candidate and/or posting is subject to GDPR based on your company's GDPR configuration.
2. Opportunity 1 is created and remains active.
3. The candidate applies to Posting 2. The candidate and posting are NOT subject to GDPR based on the company's GDPR configuration.
4. Opportunity 2 is created.
5. Opportunity 1 is then deleted or anonymized.
6. GDPR, which was carried over from Opportunity 1, remains active on Opportunity 2.
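The scope options under 'Who does it apply to?' and the carry-over rules in this section combine into one decision made at the moment an opportunity is created. The following added example models that decision and replays Examples 1 and 2 above; it is not Lever's code. It assumes that "candidates and jobs located in the EU" means the candidate or the posting being in scope triggers GDPR (as the "candidate and/or posting" wording of the examples suggests), represents locations with the plain labels "EU", "US" and the page's "Unknown location" value, and uses invented `Pipeline` and `Opportunity` names.

```python
from dataclasses import dataclass
from typing import List, Optional

EU = "EU"
UNKNOWN = "Unknown location"   # the value the page says Lever records when no location is detected

# The three 'Who does it apply to?' options, as assumed identifiers.
SCOPE_EU_ONLY = "eu_only"
SCOPE_EU_AND_UNKNOWN = "eu_and_unknown"
SCOPE_ALL = "all"


def gdpr_applies(scope: str, candidate_location: Optional[str], posting_location: str) -> bool:
    """Does this application itself fall under the configured GDPR scope?
    A candidate with no detected location is treated as 'Unknown location'."""
    candidate_location = candidate_location or UNKNOWN
    if scope == SCOPE_ALL:
        return True
    in_scope = {EU} if scope == SCOPE_EU_ONLY else {EU, UNKNOWN}
    return candidate_location in in_scope or posting_location in in_scope


@dataclass
class Opportunity:
    id: int
    candidate: str
    gdpr: bool          # fixed when the opportunity is created, never recomputed
    active: bool = True  # False once deleted or anonymized


class Pipeline:
    def __init__(self, scope: str) -> None:
        self.scope = scope
        self.opps: List[Opportunity] = []

    def apply(self, candidate: str, candidate_location: Optional[str], posting_location: str) -> Opportunity:
        """Create an opportunity; GDPR status is its own scope result OR a carry-over
        from a still-active GDPR opportunity of the same candidate."""
        own = gdpr_applies(self.scope, candidate_location, posting_location)
        carried = any(o.active and o.gdpr and o.candidate == candidate for o in self.opps)
        opp = Opportunity(len(self.opps) + 1, candidate, own or carried)
        self.opps.append(opp)
        return opp

    def delete_or_anonymize(self, opp_id: int) -> None:
        """Deactivates the opportunity; statuses already carried over are untouched."""
        for o in self.opps:
            if o.id == opp_id:
                o.active = False


def example_1() -> bool:
    """Original opportunity removed BEFORE the second application: no carry-over."""
    p = Pipeline(SCOPE_EU_ONLY)
    first = p.apply("candidate-a", EU, EU)           # subject to GDPR
    p.delete_or_anonymize(first.id)
    second = p.apply("candidate-a", "US", "US")      # not subject to GDPR
    return second.gdpr                               # False


def example_2() -> bool:
    """Original opportunity still active at the second application: carry-over sticks."""
    p = Pipeline(SCOPE_EU_ONLY)
    first = p.apply("candidate-b", EU, EU)
    second = p.apply("candidate-b", "US", "US")      # inherits GDPR from first
    p.delete_or_anonymize(first.id)                  # removing first later changes nothing
    return second.gdpr                               # True


if __name__ == "__main__":
    print("Example 1, GDPR on new opportunity:", example_1())
    print("Example 2, GDPR on new opportunity:", example_2())
```

The scope function also makes the practical consequence of the "unknown locations" option visible: under 'Only candidates and jobs located in the EU' a sourced or referred candidate with no location falls outside GDPR handling, which is why the page suggests contacting such candidates directly for consent when the stricter options are not selected.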